🛡️ AWS Security and Compliance Operations - SOA-C03 Practice Questions

Review operational security with IAM, KMS, Secrets Manager, GuardDuty, Security Hub, Inspector, AWS Config, WAF, and audit evidence.


SOA-C03 Security & Compliance Question Bank (25 Questions)

Browse all 25 practice questions covering AWS Security and Compliance Operations for the SOA-C03 certification exam. Answers are intentionally hidden on this page so you can self-test first before checking results in quiz mode.

  1. Question 1 (Security & Compliance)

    A SysOps Administrator has enabled AWS Security Hub across all accounts in an Organization. Management wants to track compliance against the CIS AWS Foundations Benchmark and the AWS Foundational Security Best Practices standard. A third-party auditor also requires PCI DSS compliance checks. How should Security Hub be configured?

    A. Enable all three standards — CIS AWS Foundations Benchmark, AWS Foundational Security Best Practices, and PCI DSS — in Security Hub for each account using the delegated administrator.
    B. Security Hub only supports one standard at a time per account.
    C. Use AWS Config conformance packs instead; Security Hub does not support PCI DSS.
    D. Enable CIS and FSBP in Security Hub and use a separate third-party tool for PCI DSS.

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

  2. Question 2 (Security & Compliance)

    A company must demonstrate compliance with the PCI DSS framework to auditors. The security team wants to continuously collect evidence from AWS services and map findings to PCI DSS controls. Which AWS service should the SysOps administrator configure?

    A. AWS Security Hub with the PCI DSS standard enabled
    B. AWS Audit Manager with the PCI DSS framework
    C. Amazon Inspector with PCI DSS compliance scanning
    D. AWS Config conformance packs for PCI DSS

  3. Question 3 (Security & Compliance)

    A security team has configured AWS Audit Manager to collect evidence for a SOC 2 assessment. The assessment generates evidence from AWS Config rules, CloudTrail logs, and Security Hub findings. After one month, the team needs to generate an assessment report for the auditor. What should they do?

    A. Export the evidence from Audit Manager to an S3 bucket and compile a manual report
    B. Generate an assessment report directly from the Audit Manager console, which assembles all collected evidence
    C. Use Amazon Athena to query the evidence stored in S3 and create a custom report
    D. Request the report from AWS Artifact

  4. Question 4 (Security & Compliance)

    A company uses AWS Security Hub across 5 accounts. When Security Hub detects a critical GuardDuty finding (e.g., cryptocurrency mining on an EC2 instance), the security team wants to automatically isolate the affected instance by replacing its security group with an empty one. Which integration enables this automated response?

    A. Configure Security Hub to directly invoke an SSM Automation document when a critical finding is generated.
    B. Create an EventBridge rule that matches Security Hub findings with critical severity, targeting a Lambda function that replaces the instance's security group.
    C. Enable AWS Config auto-remediation with a custom SSM document for GuardDuty findings.
    D. Configure GuardDuty to directly modify security groups when a cryptocurrency mining finding is detected.

  5. Question 5 (Security and Compliance)

    A SysOps administrator uses AWS Security Hub. Which Security Hub standard checks for CIS AWS Foundations compliance?

    A. AWS Foundational Security Best Practices
    B. CIS AWS Foundations Benchmark standard
    C. PCI DSS standard
    D. ISO 27001 standard

  6. Question 6 (Security & Compliance)

    A compliance officer requests evidence that the company's AWS infrastructure meets SOC 2 and ISO 27001 standards. The administrator needs to obtain AWS's compliance reports and attestations. Which AWS service provides this?

    A. AWS Security Hub compliance standards dashboard
    B. AWS Artifact, which provides on-demand access to AWS compliance reports and agreements
    C. AWS Config conformance packs for SOC 2 and ISO 27001
    D. AWS Audit Manager with prebuilt assessment frameworks

  7. Question 7 (Monitoring, Logging & Remediation)

    A company uses AWS Config to enforce compliance rules across 8 accounts in an AWS Organization. The security team wants to deploy a new Config rule (`restricted-ssh`) to all accounts and all active regions from a single location, without creating the rule manually in each account. Which feature should be used?

    A. An AWS Config conformance pack deployed via CloudFormation StackSets.
    B. An AWS Config organization rule created from the management account or delegated administrator, targeting all accounts.
    C. An SCP that denies security group ingress rules allowing SSH from 0.0.0.0/0.
    D. AWS Security Hub with the CIS Benchmark standard enabled across all accounts.

  8. Question 8 (Select All That Apply, Security & Compliance)

    Amazon Inspector identifies a finding indicating that an EC2 instance has a network path that allows unrestricted inbound access from the internet on port 3389 (RDP), even though the application does not require RDP access. The security team wants to remediate this. Which actions should be taken? (Select TWO.)

    A. Remove the inbound rule allowing port 3389 from `0.0.0.0/0` in the instance's security group.
    B. Check the Network ACL for the instance's subnet and ensure it does not allow inbound traffic on port 3389 from `0.0.0.0/0`.
    C. Disable Amazon Inspector network reachability analysis to suppress the finding.
    D. Migrate the instance to a private subnet without an internet gateway.
    E. Enable AWS Shield Advanced to block RDP brute-force attacks.

  9. Question 9 (Security & Compliance)

    A SysOps Administrator has enabled Amazon GuardDuty across the organization. The security team receives a large number of findings for expected port scanning activity from an approved vulnerability scanner running in a specific account. How should the administrator suppress these expected findings without disabling GuardDuty?

    A. Remove the vulnerability scanner's account from the GuardDuty organization.
    B. Create a GuardDuty suppression rule with a filter that matches the finding type and the scanner's IP address or instance ID, so matching findings are auto-archived.
    C. Add the scanner's IP address to the GuardDuty trusted IP list.
    D. Disable the specific finding type across the organization.

  10. Question 10 (Monitoring, Logging & Remediation)

    A company has 12 AWS accounts in an AWS Organization. The central security team wants to view AWS Config compliance data from all member accounts in a single dashboard without deploying Config aggregators manually in each account. Before creating the aggregator, what authorization step is required for cross-account aggregation within an Organization?

    A. Each member account must individually authorize the aggregator account by running `put-aggregation-authorization` in their account.
    B. No individual authorization is required; when using AWS Organizations, the management account or delegated administrator can create an aggregator that automatically collects data from all organization accounts.
    C. The aggregator account must assume an IAM role in each member account to pull Config data.
    D. AWS Config must be enabled in the management account first, and then Config data is replicated to all member accounts automatically.

  11. Question 11 (Security & Compliance)

    A company enables Amazon GuardDuty across all Organization accounts. The security team wants to be alerted when GuardDuty detects credential exfiltration or communication with known command-and-control (C2) servers. Which GuardDuty capability provides detection based on known malicious IP addresses and domains?

    A. GuardDuty Malware Protection, which scans EBS volumes.
    B. GuardDuty threat intelligence feeds, which include AWS-curated threat lists and optional third-party feeds. Findings based on threat intelligence indicate communication with known malicious IPs or domains.
    C. GuardDuty S3 Protection, which monitors S3 data plane events.
    D. GuardDuty Runtime Monitoring, which detects suspicious OS-level activity.

  12. Question 12 (Select All That Apply, Security & Compliance)

    A company's security team needs to respond to AWS Security Hub critical findings by automatically isolating affected EC2 instances. (Select TWO.)

    A. Create a Security Hub custom action that sends the finding to EventBridge when manually triggered by an analyst
    B. Create an EventBridge rule matching Security Hub findings with severity "CRITICAL" that triggers a Lambda function to replace the instance's security group with a forensics isolation group
    C. Configure Security Hub to directly invoke a Lambda function when a critical finding is generated
    D. Use AWS Config auto-remediation to change the security group of non-compliant EC2 instances
    E. Configure GuardDuty to automatically quarantine instances, since Security Hub aggregates GuardDuty findings

  13. Question 13 (Security & Compliance)

    A company uses AWS Security Hub with the AWS Foundational Security Best Practices standard enabled. The administrator receives a finding that Amazon RDS instances are not encrypted. The company decides this finding is not applicable because the RDS instances only store non-sensitive test data. How should the administrator handle this?

    A. Suppress the finding using a Security Hub suppression rule that matches the specific control ID and resource tags indicating test resources
    B. Disable the entire AWS Foundational Security Best Practices standard to stop receiving the finding
    C. Delete the finding from the Security Hub console
    D. Create an SCP to allow unencrypted RDS instances in the test account

  14. Question 14 (Deployment, Provisioning & Automation)

    A SysOps administrator needs to deploy a standardized security baseline (AWS Config rules, CloudTrail, and GuardDuty) across 50 AWS accounts. The deployment must be centrally managed and automatically applied to new accounts joining the organization. Which approach is MOST suitable?

    A. Use CloudFormation StackSets with service-managed permissions and automatic deployment enabled, targeting the organization root
    B. Create a CloudFormation nested stack and manually deploy it in each account
    C. Use AWS Control Tower Account Factory to apply the baseline
    D. Write an AWS Lambda function triggered by the CreateAccountResult CloudTrail event to deploy templates

  15. Question 15 (Security and Compliance)

    A SysOps administrator uses AWS Security Hub. They notice a CIS AWS Foundations Benchmark finding for 'root account usage'. Where does this finding originate?

    A. Security Hub generates it independently
    B. AWS Config evaluates the root-account-mfa-enabled rule; Security Hub aggregates Config findings
    C. GuardDuty detects root account usage
    D. CloudTrail generates the finding directly in Security Hub

  16. Question 16 (Security and Compliance)

    A SysOps administrator uses AWS Security Hub and wants to suppress false-positive findings for a specific EC2 instance that has a known-safe security group configuration. What should be done?

    A. Delete the finding from Security Hub
    B. Create a suppression rule or suppress the specific finding with a note
    C. Disable the Security Hub standard for that check
    D. Exclude the EC2 instance from Config evaluation

  17. Question 17 (Monitoring, Logging, and Remediation)

    A SysOps administrator wants to see a unified operational view of all CloudWatch alarms, Config rule violations, and Security Hub findings for an account. Which tool provides this?

    A. AWS Health Dashboard
    B. AWS Systems Manager Explorer
    C. AWS Security Hub
    D. Amazon DevOps Guru

  18. Question 18 (Deployment, Provisioning & Automation)

    An auditor requires proof that all managed EC2 instances have the latest SSM Agent version and the required antivirus software installed. Which Systems Manager feature provides a unified compliance view against these requirements?

    A. Systems Manager Inventory
    B. Systems Manager Compliance
    C. Systems Manager Patch Manager
    D. Systems Manager Session Manager audit logs

  19. Question 19 (Security & Compliance)

    A company needs to continuously assess their AWS environment against the SOC 2 compliance framework and generate audit-ready reports for their external auditors. Which AWS service is purpose-built for this use case?

    A. AWS Security Hub with the SOC 2 standard enabled.
    B. AWS Audit Manager with the SOC 2 framework, which automatically collects evidence from AWS services.
    C. AWS Config with a conformance pack mapped to SOC 2 controls.
    D. AWS Artifact, which provides on-demand access to AWS's own SOC 2 compliance reports.

  20. Question 20 (Security & Compliance)

    An organization with 30 AWS accounts wants to ensure that AWS WAF Web ACLs with specific rules are applied to all ALBs and CloudFront distributions across every account. The security team should manage this centrally. Which AWS service provides this capability?

    A. AWS Organizations SCPs to enforce WAF attachment on all ALBs.
    B. AWS Firewall Manager, which allows the security team to create WAF policies that are automatically applied across all member accounts in the Organization.
    C. AWS CloudFormation StackSets to deploy WAF Web ACLs to all accounts.
    D. AWS Config rules to detect ALBs without WAF associations and send alerts.

  21. Question 21 (Reliability & Business Continuity)

    A SysOps Administrator must demonstrate that all backup jobs across 10 AWS accounts conform to a corporate backup policy that requires daily backups with 30-day retention. The auditor requires a centralized compliance report. Which AWS service provides this capability?

    A. AWS Backup Audit Manager, which allows creating audit frameworks with compliance controls and generates compliance reports across accounts using AWS Organizations.
    B. AWS Config rules that evaluate backup frequencies and retention policies, aggregated with a Config Aggregator.
    C. AWS CloudTrail event history filtered for `CreateBackupVault` and `StartBackupJob` API calls.
    D. Amazon S3 Storage Lens with a custom metric for backup objects.

  22. Question 22 (Security & Compliance)

    A company stores audit logs in an S3 bucket and must ensure that no object can be deleted or overwritten for 7 years to meet regulatory compliance. The protection must prevent even the root account from deleting objects. How should the administrator configure this?

    A. Enable S3 Object Lock in compliance mode with a retention period of 7 years on the bucket
    B. Enable S3 Object Lock in governance mode with a retention period of 7 years on the bucket
    C. Apply an S3 bucket policy denying s3:DeleteObject and s3:PutObject for all principals
    D. Enable S3 versioning and create a lifecycle rule that transitions objects to Glacier for 7 years

  23. Question 23 (Security & Compliance)

    An organization requires cross-account access from a security audit account (Account S) to read CloudTrail logs stored in a centralized S3 bucket in the logging account (Account L). The security team in Account S must not be able to modify or delete any objects. What is the MOST secure way to configure this?

    A. Create an IAM role in Account L with a policy allowing only `s3:GetObject` and `s3:ListBucket` on the log bucket, with a trust policy allowing Account S to assume the role, and add a condition restricting the source IP to the security team's VPN range
    B. Create a bucket policy on the log bucket granting `s3:GetObject` directly to the IAM users in Account S
    C. Enable public access on the bucket with a presigned URL generator that creates short-lived read-only URLs
    D. Replicate the CloudTrail logs to an S3 bucket in Account S using cross-region replication

  24. Question 24 (Security and Compliance)

    A SysOps administrator wants to audit all changes to security groups in an account. Which service provides this audit trail?

    A. VPC Flow Logs
    B. CloudTrail — logs all ec2:AuthorizeSecurityGroupIngress/Egress and ec2:RevokeSecurityGroup* API calls
    C. AWS Config — resource configuration timeline
    D. Both B and C

  25. Question 25 (Monitoring, Logging, and Remediation)

    A SysOps administrator wants to continuously audit the configuration of all EC2 instances in an account against a security baseline. Which service provides continuous configuration recording?

    A. Amazon Inspector — one-time assessment
    B. AWS Config — continuous recording of resource configurations
    C. CloudTrail — API call recording
    D. Systems Manager Inventory — periodic scan


Key Security & Compliance Concepts for SOA-C03

Key concepts: security, compliance, GuardDuty, Security Hub, Inspector, WAF, Shield, audit, evidence.

SOA-C03 Security & Compliance Exam Tips

AWS Security and Compliance Operations questions in SOA-C03 are typically scenario-based. Focus on operations, observability, incident response, and automated remediation. Priority concepts: security, compliance, guardduty, security hub, inspector, waf.

What SOA-C03 Expects

  • Anchor your answer in operational visibility and repeatable, runbook-ready automation.
  • Security & Compliance scenarios for SOA-C03 are frequently mapped to Domain 4 (16%), so read the objective carefully before picking controls or architecture.
  • Expect multi-topic scenarios where Security & Compliance interacts with IAM, networking, storage, or observability patterns rather than appearing as an isolated question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Associate) and vendor best practices.

High-Value Security & Compliance Concepts

  • Know the core Security & Compliance building blocks cold: security, compliance, guardduty, security hub.
  • Review the edge-case features and limits for Inspector and WAF; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how Security & Compliance pairs with IAM, KMS, AWS Config, CloudTrail in real deployment patterns.
  • For SOA-C03, explain why the chosen Security & Compliance design meets reliability, security, and cost expectations better than the alternatives.

Common SOA-C03 Traps

  • Watch for answers that deploy quickly but are hard to monitor or recover.
  • Questions in this domain often include distractors that look correct for Security & Compliance but violate least-privilege, durability, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two Security & Compliance implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Security and Compliance (16%) outcomes for SOA-C03?
  • Can you explain security and access boundaries for Security & Compliance without relying on default-open assumptions?
  • Can you describe how Security & Compliance integrates with IAM and KMS during failure, scaling, and monitoring events?
