📋 AWS Config - SOA-C03 Practice Questions

Know configuration recorders, managed rules, custom rules, conformance packs, remediation actions, aggregators, and compliance timelines.

30 Questions Available
2 Exam Domains


SOA-C03 AWS Config Question Bank (30 Questions)

Browse all 30 practice questions covering AWS Config for the SOA-C03 certification exam. Answers are intentionally hidden on this page so you can self-test first before checking results in quiz mode.

  1. Question 1: Monitoring, Logging, and Remediation

    A SysOps administrator uses AWS Config. What is the difference between AWS Config rules and AWS Config conformance packs?

    A. Config rules evaluate individual resources; conformance packs group multiple rules and remediation actions into a deployable package
    B. Conformance packs only work with SCPs
    C. Config rules are only for EC2; conformance packs cover all services
    D. There is no difference — they are synonymous

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

  2. Question 2: Monitoring, Logging, and Remediation

    A SysOps administrator wants to set up automated remediation when an AWS Config rule detects a non-compliant resource. What is the mechanism?

    A. Config rule → EventBridge → Lambda
    B. Config rule auto-remediation with an SSM Automation document
    C. Config rule → SNS → human approval
    D. Both A and B

  3. Question 3: Monitoring, Logging & Remediation

    A SysOps administrator receives an alert from AWS Config showing that an S3 bucket has public read access enabled. The administrator wants to set up automatic remediation so that any S3 bucket that becomes publicly accessible is immediately made private. Which solution meets this requirement?

    A. Create an AWS Config rule using the `s3-bucket-public-read-prohibited` managed rule with automatic remediation linked to an SSM Automation document that calls `s3:PutPublicAccessBlock`.
    B. Create an EventBridge rule that matches S3 bucket policy changes and triggers a Lambda function to remove public access.
    C. Enable Amazon Macie on the account and configure it to automatically remediate public buckets.
    D. Configure S3 Block Public Access at the account level and remove all existing bucket policies.

  4. Question 4: Monitoring, Logging & Remediation

    A company uses AWS Config to enforce compliance rules across 8 accounts in an AWS Organization. The security team wants to deploy a new Config rule (`restricted-ssh`) to all accounts and all active regions from a single location, without creating the rule manually in each account. Which feature should be used?

    A. An AWS Config conformance pack deployed via CloudFormation StackSets.
    B. An AWS Config organization rule created from the management account or delegated administrator, targeting all accounts.
    C. An SCP that denies security group ingress rules allowing SSH from 0.0.0.0/0.
    D. AWS Security Hub with the CIS Benchmark standard enabled across all accounts.

  5. Question 5: Security & Compliance

    A SysOps Administrator has an AWS Config rule that checks whether all EC2 instances have a specific tag (`CostCenter`). When an instance is found non-compliant, it should be automatically tagged with a default value of `Unknown` without manual intervention. Which approach achieves this?

    A. Configure the AWS Config rule with automatic remediation using an SSM Automation document (`AWS-SetRequiredTags`) that tags non-compliant instances.
    B. Create a CloudWatch Events rule that detects Config compliance state changes and invokes a Lambda function to apply the tag.
    C. Use an SCP to deny `ec2:RunInstances` unless the `CostCenter` tag is provided.
    D. Configure AWS Config to terminate non-compliant instances and relaunch them with the correct tag.

  6. Question 6: Monitoring, Logging & Remediation

    A company has 12 AWS accounts in an AWS Organization. The central security team wants to view AWS Config compliance data from all member accounts in a single dashboard without deploying Config aggregators manually in each account. Before creating the aggregator, what authorization step is required for cross-account aggregation within an Organization?

    A. Each member account must individually authorize the aggregator account by running `put-aggregation-authorization` in their account.
    B. No individual authorization is required; when using AWS Organizations, the management account or delegated administrator can create an aggregator that automatically collects data from all organization accounts.
    C. The aggregator account must assume an IAM role in each member account to pull Config data.
    D. AWS Config must be enabled in the management account first, and then Config data is replicated to all member accounts automatically.

  7. Question 7 (Select All That Apply): Security & Compliance

    A company uses AWS Config conformance packs to evaluate compliance across all accounts in their AWS Organization. After deploying a conformance pack, several rules show "No results available" for some accounts. What is the MOST likely cause? (Select TWO.)

    A. AWS Config is not enabled in the member accounts where rules show no results
    B. The conformance pack rules require specific AWS Config advanced query permissions that are not granted
    C. The AWS Config service-linked role in the member accounts does not have permission to evaluate the resources defined in the conformance pack rules
    D. The conformance pack was deployed at the organization level but did not include the specific member account IDs in its deployment targets
    E. AWS Config recorder is enabled but is not recording the resource types evaluated by the conformance pack rules

  8. Question 8: Security & Compliance

    A company deployed AWS Config rules to ensure that all EBS volumes are encrypted. A Config rule reports several volumes as non-compliant. The administrator wants to automatically remediate non-compliant volumes. What should the administrator configure?

    A. Configure the Config rule with an automatic remediation action using an SSM Automation document that snapshots the unencrypted volume, creates an encrypted copy, and replaces the original
    B. Create an EventBridge rule that triggers when Config detects non-compliant EBS volumes and invokes an SSM Run Command document to encrypt them in-place
    C. Enable EBS default encryption for the Region, which automatically encrypts all existing non-compliant volumes
    D. Use AWS Backup to create encrypted snapshots of non-compliant volumes on a schedule

  9. Question 9: Security & Compliance

    A SysOps administrator is tasked with deploying a standardized set of AWS Config rules across 50 accounts in an AWS Organization. The rules must evaluate S3 encryption, EBS encryption, and RDS encryption. What is the MOST efficient approach?

    A. Manually deploy individual Config rules in each of the 50 accounts
    B. Deploy an organizational AWS Config conformance pack through the management account, which automatically provisions the rules across all member accounts in the organization
    C. Create a CloudFormation StackSet that deploys the three Config rules to all 50 accounts
    D. Use AWS RAM to share Config rules from the management account to all member accounts

  10. Question 10: Deployment, Provisioning & Automation

    A SysOps administrator needs to deploy a standardized security baseline (AWS Config rules, CloudTrail, and GuardDuty) across 50 AWS accounts. The deployment must be centrally managed and automatically applied to new accounts joining the organization. Which approach is MOST suitable?

    A. Use CloudFormation StackSets with service-managed permissions and automatic deployment enabled, targeting the organization root
    B. Create a CloudFormation nested stack and manually deploy it in each account
    C. Use AWS Control Tower Account Factory to apply the baseline
    D. Write an AWS Lambda function triggered by the CreateAccountResult CloudTrail event to deploy templates

  11. Question 11: Security & Compliance

    A security team has configured AWS Audit Manager to collect evidence for a SOC 2 assessment. The assessment generates evidence from AWS Config rules, CloudTrail logs, and Security Hub findings. After one month, the team needs to generate an assessment report for the auditor. What should they do?

    A. Export the evidence from Audit Manager to an S3 bucket and compile a manual report
    B. Generate an assessment report directly from the Audit Manager console, which assembles all collected evidence
    C. Use Amazon Athena to query the evidence stored in S3 and create a custom report
    D. Request the report from AWS Artifact

  12. Question 12: Monitoring, Logging, and Remediation

    A SysOps administrator wants to understand which AWS Config rules are most frequently violated across the organization. Which feature provides this aggregated view?

    A. AWS Config Aggregator
    B. AWS Security Hub
    C. AWS Organizations compliance view
    D. CloudWatch Logs Insights

  13. Question 13: Security and Compliance

    A SysOps administrator uses AWS Config and finds many resources are NON_COMPLIANT for an encryption rule but the auto-remediation is not running. What should be checked?

    A. The Config rule is correctly configured
    B. The IAM role used by the auto-remediation SSM Automation document has the required permissions
    C. The Config recorder is enabled
    D. Both B and C

  14. Question 14: Monitoring, Logging, and Remediation

    A SysOps administrator uses AWS Config with multi-account aggregation. A specific member account shows as NOT_AUTHORIZED in the aggregator. What must be done?

    A. The member account must authorize the aggregator account in its Config settings
    B. The aggregator must provide IAM access keys to the member account
    C. The member account must share its Config data via S3
    D. Enable AWS Organizations to automatically authorize all accounts

  15. Question 15: Security and Compliance

    A SysOps administrator uses AWS Config to manage compliance. Which Config component specifies rules and remediation actions as a deployable bundle?

    A. Config aggregator
    B. Config conformance pack
    C. Config delivery channel
    D. Config configuration recorder

  16. Question 16: Monitoring, Logging & Remediation

    A SysOps administrator needs to automatically remediate Amazon EC2 instances that have a specific required tag missing. The administrator wants to use AWS Config to detect non-compliant resources and automatically add the missing tag. Which combination of AWS Config features should the administrator use?

    A. Use the `required-tags` managed rule and configure automatic remediation with an SSM Automation document that calls the `ec2:CreateTags` API.
    B. Use a custom AWS Config rule backed by a Lambda function, and have the Lambda function directly tag the instance within the evaluation logic.
    C. Use the `required-tags` managed rule and configure an EventBridge rule that triggers an SNS notification to the operations team.
    D. Use AWS Config conformance packs with a custom remediation script embedded in the conformance pack template.

  17. Question 17: Monitoring, Logging & Remediation

    A company needs to centrally view AWS Config compliance data from all accounts in their AWS Organization. A SysOps administrator must set up a single dashboard showing compliance status across all accounts and regions. Which AWS Config feature should the administrator use?

    A. AWS Config conformance packs deployed via StackSets to all accounts
    B. AWS Config aggregator configured in a central account with organization-wide authorization
    C. AWS Config rules replicated manually to each account with results sent to a central S3 bucket
    D. AWS Systems Manager Explorer with OpsData sources for each AWS Config rule

  18. Question 18: Security & Compliance

    A company needs to continuously verify that no EC2 security groups allow inbound SSH (port 22) from `0.0.0.0/0`, AND that all S3 buckets enforce SSL-only access. Non-compliant resources must be flagged in a dashboard. Which AWS Config managed rules should be deployed?

    A. `restricted-ssh` and `s3-bucket-ssl-requests-only`.
    B. `vpc-sg-open-only-to-authorized-ports` and `s3-bucket-public-read-prohibited`.
    C. `ec2-security-group-attached-to-eni` and `s3-bucket-server-side-encryption-enabled`.
    D. `incoming-ssh-disabled` and `s3-bucket-policy-grantee-check`.

  19. Question 19: Monitoring, Logging & Remediation

    A SysOps Administrator must ensure AWS Config continuously records configuration changes for all supported resources in a single AWS account. The Config delivery channel must deliver configuration snapshots every 6 hours to an S3 bucket and send change notifications to an SNS topic. After setup, the administrator notices that Config is not recording changes. Which is the MOST likely cause?

    A. The S3 bucket policy does not allow `config.amazonaws.com` to write objects.
    B. The configuration recorder has not been started.
    C. The delivery channel is set to deliver snapshots every 6 hours instead of continuously.
    D. The SNS topic does not have a subscription.

  20. Question 20: Monitoring, Logging & Remediation

    A SysOps Administrator configures a CloudWatch alarm that publishes to an SNS topic when the RDS `FreeStorageSpace` metric crosses a threshold. The team requires that the same alarm notification is sent simultaneously to an email distribution list, a PagerDuty HTTPS endpoint, and an AWS Lambda function that runs automated remediation. Which SNS configuration achieves this?

    A. Create three separate SNS topics, each with one subscription type (email, HTTPS, Lambda), and configure the CloudWatch alarm to publish to all three topics.
    B. Use a single SNS topic with three subscriptions: one email subscription for the distribution list, one HTTPS subscription for PagerDuty, and one Lambda subscription for the remediation function.
    C. Create one SNS topic with an email subscription and use EventBridge to route the alarm state-change event to PagerDuty and Lambda separately.
    D. Create one SQS queue subscribed to the SNS topic and have PagerDuty and Lambda poll the queue.

  21. Question 21: Monitoring, Logging & Remediation

    A SysOps Administrator receives frequent CloudWatch alarms from SSM OpsCenter about patch compliance failures across 50 EC2 instances. The team wants OpsCenter to automatically run a remediation runbook that re-applies the missing patches whenever an OpsItem is created for this alarm. Which configuration achieves this?

    A. Create an EventBridge rule that matches OpsItem creation events with the source `aws.ssm` and target an SSM Automation document `AWS-RunPatchBaseline`.
    B. Configure the OpsItem to include an associated SSM Automation runbook. When an operator approves the OpsItem, OpsCenter executes the runbook automatically.
    C. Use AWS Config auto-remediation with the `AWS-RunPatchBaseline` Automation document triggered by the `ec2-managedinstance-patch-compliance-status-check` Config rule.
    D. Create a CloudWatch alarm action that directly invokes an SSM Run Command to apply patches.

  22. Question 22: Deployment, Provisioning & Automation

    A SysOps Administrator needs to deploy the same CloudFormation stack across 15 accounts in an AWS Organization. The stack provisions a Config rule and an S3 bucket. The administrator wants a single deployment action that targets all accounts without logging into each one. Which approach should be used?

    A. CloudFormation StackSets with service-managed permissions, deploying to the organization root or specific OUs.
    B. A CodePipeline that runs 15 parallel `aws cloudformation deploy` commands, one per account.
    C. Share the template via Service Catalog and require each account to launch the product manually.
    D. Create an SSM Automation document that assumes a role in each account and creates the stack.

  23. Question 23 (Select All That Apply): Security & Compliance

    A company has enabled AWS Config managed rules to establish a security baseline. Which of the following are valid AWS Config managed rules for common security checks? (Select TWO.)

    A. `restricted-ssh` — checks that security groups do not allow unrestricted SSH access from 0.0.0.0/0.
    B. `s3-bucket-public-read-prohibited` — checks that S3 buckets do not allow public read access.
    C. `iam-user-mfa-required` — forces MFA on all IAM user API calls.
    D. `ec2-instance-antivirus-enabled` — checks that antivirus software is installed on EC2 instances.
    E. `rds-instance-encrypted` — checks that RDS instances have encryption enabled, but this is a custom rule, not a managed rule.

  24. Question 24: Monitoring, Logging & Remediation

    A company has configured AWS Config to evaluate resources against compliance rules. The administrator needs to be notified immediately when an Amazon S3 bucket is made public. Which approach meets this requirement with the LEAST operational overhead?

    A. Create an AWS Config rule using the `s3-bucket-public-read-prohibited` managed rule with an Amazon SNS topic for notifications
    B. Write a Lambda function that checks S3 bucket policies every 5 minutes and sends email via Amazon SES
    C. Use CloudWatch Events to monitor S3 API calls and trigger an SNS notification
    D. Enable S3 server access logging and parse the logs using Amazon Athena

  25. Question 25: Monitoring, Logging, and Remediation

    A SysOps administrator wants to detect when an S3 bucket becomes publicly accessible. Which service detects this configuration change and triggers remediation?

    A. CloudTrail
    B. AWS Config rule (s3-bucket-public-read-prohibited) with auto-remediation
    C. CloudWatch metric filter
    D. AWS Security Hub standard check only

  26. Question 26: Security and Compliance

    A SysOps administrator uses AWS Organizations. They want to see a consolidated compliance view of all Config rule evaluations across all accounts. Which service provides this?

    A. AWS Security Hub
    B. AWS Config Aggregator
    C. AWS Trusted Advisor
    D. CloudFormation StackSets compliance view

  27. Question 27: Monitoring, Logging, and Remediation

    A SysOps administrator wants to see a unified operational view of all CloudWatch alarms, Config rule violations, and Security Hub findings for an account. Which tool provides this?

    A. AWS Health Dashboard
    B. AWS Systems Manager Explorer
    C. AWS Security Hub
    D. Amazon DevOps Guru

  28. Question 28: Deployment, Provisioning, and Automation

    A SysOps administrator uses AWS Config and wants to automatically remediate S3 buckets that have server-side encryption disabled. Which SSM Automation document is used?

    A. AWS-EnableS3BucketEncryption
    B. AWS-ConfigureS3BucketVersioning
    C. AWS-SetS3BucketPublicAccessBlock
    D. Custom Lambda function required

  29. Question 29: Monitoring, Logging, and Remediation

    A SysOps administrator receives a CloudWatch alarm indicating an RDS instance has less than 1 GB of free storage. What automated remediation can be configured?

    A. Enable RDS Storage Auto Scaling and set the maximum storage threshold
    B. CloudWatch alarm → SNS → Lambda → rds:ModifyDBInstance to increase storage
    C. Both A and B
    D. Create a larger RDS instance and migrate data

  30. Question 30: Monitoring, Logging, and Remediation

    A SysOps administrator wants to receive a notification when AWS Config detects a non-compliant resource. Which Config feature provides this notification?

    A. Config SNS notification topic configured on the delivery channel
    B. EventBridge rule matching Config compliance change events
    C. CloudWatch alarm on Config metrics
    D. Both A and B


Key AWS Config Concepts for SOA-C03

config, aws config, config rule, conformance pack, remediation, aggregator, configuration recorder

SOA-C03 AWS Config Exam Tips

AWS Config questions in SOA-C03 are typically scenario-based. Focus on operations, observability, incident response, and automated remediation. Priority concepts: config, aws config, config rule, conformance pack, remediation, aggregator.

What SOA-C03 Expects

  • Anchor your answer in operational visibility and repeatable, runbook-ready automation.
  • AWS Config scenarios for SOA-C03 are frequently mapped to Domain 1 (22%) and Domain 4 (16%), so read the objective carefully before picking controls or architecture.
  • Expect multi-topic scenarios where AWS Config interacts with IAM, networking, storage, or observability patterns rather than appearing as an isolated question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Associate) and vendor best practices.

High-Value AWS Config Concepts

  • Know the core AWS Config building blocks cold: config, aws config, config rule, conformance pack.
  • Review the edge-case features and limits for remediation and aggregators; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how AWS Config pairs with CloudTrail, Systems Manager, and Security & Compliance in real deployment patterns.
  • For SOA-C03, explain why the chosen AWS Config design meets reliability, security, and cost expectations better than the alternatives.

Common SOA-C03 Traps

  • Watch for answers that deploy quickly but are hard to monitor or recover.
  • Questions in Monitoring, Logging, Analysis, Remediation, and Performance Optimization often include distractors that look correct for AWS Config but violate least-privilege, durability, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two AWS Config implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Monitoring, Logging, Analysis, Remediation, and Performance Optimization (22%) outcomes for SOA-C03?
  • Can you explain security and access boundaries for AWS Config without relying on default-open assumptions?
  • Can you describe how AWS Config integrates with CloudTrail and Systems Manager during failure, scaling, and monitoring events?
