These questions cover monitoring, security automation, and configuration management — the domains where SOA-C02 goes deeper than the Solutions Architect exam and tests operational rather than design knowledge.
Question 1
A SysOps team needs to automate monthly OS patching across 500 EC2 instances with minimal custom scripting. Which AWS service handles this?
- A) AWS CodeDeploy with a patch deployment group
- B) AWS Systems Manager Patch Manager with a maintenance window
- C) AWS OpsWorks with a Chef or Puppet recipe
- D) AWS Elastic Beanstalk with managed platform updates
Answer: B — AWS Systems Manager Patch Manager
Patch Manager automates OS patching across EC2 instances (and on-premises servers with the SSM agent). You define patch baselines (which patches to approve), create a maintenance window with the schedule, and assign a patch group to target specific instances. No custom scripts required.
How it works:
- Instances join a patch group via a tag (`Patch Group: Production`)
- Patch baseline defines approved patches (by severity, classification, or specific IDs)
- Maintenance window runs the `AWS-RunPatchBaseline` document on the schedule
- Compliance results appear in the Systems Manager console and Security Hub
CodeDeploy is for application deployments, not OS patching. OpsWorks and Elastic Beanstalk serve different purposes and require significantly more setup for patching at scale.
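The four Systems Manager API calls behind that setup, written out as plain request dictionaries so the shape of each one is visible, plus a small compliance check over the patch-state records the maintenance window leaves behind. This is an added example, not code from the page or from AWS; the Amazon Linux 2 baseline rules, the `Patch Group: Production` tag, the first-Sunday-of-the-month schedule, the `role_arn` for the maintenance window service role and the patch-state records are all constructed assumptions.

```python
"""Added example, not code from the page or from AWS: the Systems Manager API
calls behind the Question 1 setup, built as plain request dicts, plus a
compliance summary over describe_instance_patch_states records.

Assumptions (not from the page): Amazon Linux 2 fleet, tag 'Patch Group' =
'Production', a 3-hour window on the first Sunday of the month at 02:00 UTC,
and constructed patch-state records for the summary."""

PATCH_GROUP = "Production"


def patch_baseline_request(name="prod-al2-baseline"):
    """create_patch_baseline: Critical/Important security patches approved
    7 days after release, bugfixes after 14 days (Linux filter keys)."""
    return {
        "Name": name,
        "OperatingSystem": "AMAZON_LINUX_2",
        "ApprovalRules": {"PatchRules": [
            {"PatchFilterGroup": {"PatchFilters": [
                {"Key": "CLASSIFICATION", "Values": ["Security"]},
                {"Key": "SEVERITY", "Values": ["Critical", "Important"]}]},
             "ApproveAfterDays": 7, "ComplianceLevel": "CRITICAL"},
            {"PatchFilterGroup": {"PatchFilters": [
                {"Key": "CLASSIFICATION", "Values": ["Bugfix"]}]},
             "ApproveAfterDays": 14, "ComplianceLevel": "MEDIUM"},
        ]},
    }


def maintenance_window_request(name="prod-monthly-patching"):
    """create_maintenance_window: first Sunday monthly, 02:00 UTC, 3 h long;
    Cutoff=1 stops new task launches during the last hour."""
    return {"Name": name, "Schedule": "cron(0 2 ? * SUN#1 *)",
            "ScheduleTimezone": "UTC", "Duration": 3, "Cutoff": 1,
            "AllowUnassociatedTargets": False}


def window_target_request(window_id):
    """register_target_with_maintenance_window: select instances by tag."""
    return {"WindowId": window_id, "ResourceType": "INSTANCE",
            "Targets": [{"Key": "tag:Patch Group", "Values": [PATCH_GROUP]}]}


def window_task_request(window_id, window_target_id, role_arn):
    """register_task_with_maintenance_window: AWS-RunPatchBaseline (Install) on
    10% of the fleet at a time, aborting the run after 5% failures."""
    return {"WindowId": window_id, "TaskType": "RUN_COMMAND",
            "TaskArn": "AWS-RunPatchBaseline",
            "Targets": [{"Key": "WindowTargetIds", "Values": [window_target_id]}],
            "ServiceRoleArn": role_arn, "MaxConcurrency": "10%", "MaxErrors": "5%",
            "TaskInvocationParameters": {"RunCommand": {"Parameters": {
                "Operation": ["Install"], "RebootOption": ["RebootIfNeeded"]}}}}


def provision(ssm, role_arn):
    """Wire the calls together; ssm is a boto3 SSM client. Each step consumes
    the ID returned by the previous one."""
    baseline_id = ssm.create_patch_baseline(**patch_baseline_request())["BaselineId"]
    ssm.register_patch_baseline_for_patch_group(BaselineId=baseline_id, PatchGroup=PATCH_GROUP)
    window_id = ssm.create_maintenance_window(**maintenance_window_request())["WindowId"]
    target_id = ssm.register_target_with_maintenance_window(
        **window_target_request(window_id))["WindowTargetId"]
    task_id = ssm.register_task_with_maintenance_window(
        **window_task_request(window_id, target_id, role_arn))["WindowTaskId"]
    return {"BaselineId": baseline_id, "WindowId": window_id,
            "WindowTargetId": target_id, "WindowTaskId": task_id}


# Constructed describe_instance_patch_states records (shape only, not real data).
SAMPLE_PATCH_STATES = [
    {"InstanceId": "i-0aaa111", "PatchGroup": PATCH_GROUP, "Operation": "Install",
     "InstalledCount": 42, "MissingCount": 0, "FailedCount": 0},
    {"InstanceId": "i-0bbb222", "PatchGroup": PATCH_GROUP, "Operation": "Install",
     "InstalledCount": 40, "MissingCount": 2, "FailedCount": 0},
    {"InstanceId": "i-0ccc333", "PatchGroup": PATCH_GROUP, "Operation": "Scan",
     "InstalledCount": 38, "MissingCount": 4, "FailedCount": 1},
]


def noncompliant(patch_states):
    """Instances still owing patches after the window: anything with missing or
    failed patches, or whose last operation was only a Scan."""
    return sorted(
        s["InstanceId"] for s in patch_states
        if s.get("MissingCount", 0) or s.get("FailedCount", 0) or s.get("Operation") != "Install")


if __name__ == "__main__":
    print("non-compliant:", noncompliant(SAMPLE_PATCH_STATES))
```

`MaxConcurrency` and `MaxErrors` are the knobs that keep a bad patch from taking down the whole fleet in one window; the `Scan` record in the sample shows why the compliance check has to look at the last operation and not only at the missing count.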
Question 2
A security team wants an automated response within minutes whenever GuardDuty detects a high-severity finding. Which architecture achieves this with the least custom code?
- A) Configure a CloudWatch alarm on GuardDuty finding counts to trigger an SNS notification
- B) Use Amazon EventBridge to capture GuardDuty findings and invoke a Lambda function or SNS topic
- C) Export GuardDuty findings to S3 and process them with an S3 event notification
- D) Configure GuardDuty to email findings directly to the security team
Answer: B — EventBridge with Lambda or SNS
GuardDuty publishes findings as events to Amazon EventBridge automatically. An EventBridge rule matches on finding type and severity, then routes to a target — Lambda for automated remediation (isolating an instance, revoking IAM credentials) or SNS for immediate human notification.
The event-driven automation pattern SOA-C02 tests constantly:
GuardDuty → EventBridge rule → Lambda (remediate) + SNS (notify)
This pattern applies to many AWS security services: Security Hub, Config, Inspector, Macie — they all emit events to EventBridge.
CloudWatch alarms monitor numeric metrics, not event content. Exporting to S3 adds latency. GuardDuty doesn't natively send emails.
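What the rule and the Lambda side of that pattern look like in practice, as an added example that is not code from the page or from AWS. It carries the EventBridge event pattern that selects findings of severity 7 and above, a minimal matcher implementing just enough of EventBridge's pattern semantics to show why that pattern fires, and a handler that isolates an instance or deactivates an access key depending on the finding's resource type. The quarantine security group ID, the `DryRunClient` stand-in for boto3 and the three findings are constructed assumptions.

```python
"""Added example (not code from the page or from AWS): the EventBridge-side
filter and the Lambda responder for GuardDuty -> EventBridge -> Lambda + SNS.

Assumptions: QUARANTINE_SG is a pre-created security group with no rules;
the findings built below follow the documented GuardDuty event shape but are
constructed, not real."""
import operator

# Event pattern for the EventBridge rule. GuardDuty severity is numeric:
# 7.0-8.9 is High and 9.0+ is Critical, so ">= 7" selects both.
RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

_NUMERIC_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
                "<=": operator.le, "=": operator.eq}


def _value_matches(rule_value, actual):
    """One pattern value against one event value: exact match or numeric filter."""
    if isinstance(rule_value, dict) and "numeric" in rule_value:
        ops = rule_value["numeric"]  # e.g. [">=", 7] or [">", 0, "<", 5]
        return isinstance(actual, (int, float)) and all(
            _NUMERIC_OPS[ops[i]](actual, ops[i + 1]) for i in range(0, len(ops), 2))
    return rule_value == actual


def matches(pattern, event):
    """Subset of EventBridge pattern semantics: every pattern key must exist in
    the event, a nested dict recurses, a list means 'any of these values'."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif not any(_value_matches(v, event[key]) for v in expected):
            return False
    return True


QUARANTINE_SG = "sg-0123456789abcdef0"   # assumption: empty "quarantine" SG


class DryRunClient:
    """Stand-in for a boto3 client: records each API call instead of making it."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def record(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return record


def handler(event, context=None, ec2=None, iam=None):
    """Lambda entry point. In Lambda the clients are None and boto3 is used;
    pass DryRunClient instances to exercise the decision logic offline."""
    if not matches(RULE_PATTERN, event):
        return {"action": "ignored", "reason": "not a high-severity GuardDuty finding"}
    if ec2 is None or iam is None:
        import boto3  # only needed when actually running in Lambda
        ec2 = ec2 or boto3.client("ec2")
        iam = iam or boto3.client("iam")

    resource = event["detail"]["resource"]
    rtype = resource["resourceType"]
    if rtype == "Instance":
        # Isolate: replace every security group on the instance with the quarantine SG.
        instance_id = resource["instanceDetails"]["instanceId"]
        ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
        return {"action": "isolated_instance", "instanceId": instance_id}
    if rtype == "AccessKey":
        # Revoke: deactivate the key named in the finding (rotate it afterwards).
        key = resource["accessKeyDetails"]
        iam.update_access_key(UserName=key["userName"],
                              AccessKeyId=key["accessKeyId"], Status="Inactive")
        return {"action": "disabled_access_key", "accessKeyId": key["accessKeyId"]}
    # Anything else: no automated remediation, the SNS target notifies a human.
    return {"action": "notify_only", "resourceType": rtype}


def finding(finding_type, severity, resource):
    """Constructed GuardDuty finding in its EventBridge envelope."""
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "region": "us-east-1",
            "detail": {"type": finding_type, "severity": severity, "resource": resource}}


def demo():
    """Three constructed findings through the handler with dry-run clients."""
    ec2, iam = DryRunClient(), DryRunClient()
    inst = {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0abc123def456789a"}}
    key = {"resourceType": "AccessKey", "accessKeyDetails": {
        "userName": "ci-deployer", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}}
    results = [
        handler(finding("Backdoor:EC2/C&CActivity.B!DNS", 8, inst), ec2=ec2, iam=iam),
        handler(finding("UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
                        8, key), ec2=ec2, iam=iam),
        handler(finding("Recon:EC2/PortProbeUnprotectedPort", 2, inst), ec2=ec2, iam=iam),
    ]
    return results, ec2.calls, iam.calls


if __name__ == "__main__":
    for result in demo()[0]:
        print(result)
```

The severity filter belongs in the rule's event pattern, not only in the function: EventBridge then never invokes the Lambda for low-severity findings, and the handler's own `matches` check is a second line of defence if someone widens the rule later. Scope the Lambda's role to `ec2:ModifyInstanceAttribute` and `iam:UpdateAccessKey`; an over-privileged responder is itself a target.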
Question 3
A compliance requirement states all new EBS volumes in an AWS account must be encrypted. What is the most operationally simple way to enforce this?
- A) Enable EBS encryption by default at the account level in the EC2 console
- B) Create an IAM policy that denies `ec2:CreateVolume` for all users
- C) Use AWS Config with a custom rule to detect and delete unencrypted volumes
- D) Run a Lambda function daily that checks for unencrypted volumes
Answer: A — Enable EBS encryption by default
AWS lets you enable EBS encryption by default at the account level, per Region. Once enabled, every new EBS volume created in that Region, including root volumes of new EC2 instances and volumes restored from unencrypted snapshots, is encrypted with the default KMS key: the AWS managed key `aws/ebs` unless you set a customer managed key as the default. Snapshots taken of those volumes inherit the encryption. Existing unencrypted volumes are not touched; migrate them by snapshotting, copying the snapshot with encryption enabled, and restoring.
This is a single toggle in the EC2 console settings (or one API call, `EnableEbsEncryptionByDefault`), repeated in each Region you use, and requires no IAM policy changes, Lambda functions, or Config rules.
EC2 Console → Settings → EBS encryption → Enable
Denying ec2:CreateVolume entirely breaks all volume creation. Config rules and Lambda polling are reactive (detect after the fact) rather than preventive.
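The two caveats a practitioner trips over are that the setting is per Region and that it does nothing for volumes that already exist. The following added example (not code from the page or from AWS) turns the setting on in every Region passed to it and then lists the pre-existing unencrypted volumes that still need a snapshot-copy-restore migration. `regions`, `make_client` and the `FakeEc2` stand-in with its two-Region account are constructed assumptions; against a real account you would pass `lambda r: boto3.client("ec2", region_name=r)` and the Regions from `describe_regions`.

```python
"""Added example, not code from the page or from AWS: enable EBS encryption by
default in every Region, then list the volumes the setting does NOT cover,
because it only applies to volumes created after it is switched on.

Assumptions (not from the page): `regions` is the list of Regions in use and
`make_client(region)` returns a boto3 EC2 client for that Region. FakeEc2 is a
constructed stand-in so the function can be exercised offline."""


def enforce_default_encryption(regions, make_client):
    """Per Region: turn the account-level setting on if it is off, then collect
    pre-existing unencrypted volumes. Returns
    {region: {"was_enabled": bool, "unencrypted": [volume ids]}}."""
    report = {}
    for region in regions:
        ec2 = make_client(region)
        was_enabled = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
        if not was_enabled:
            ec2.enable_ebs_encryption_by_default()
        unencrypted, token = [], None
        while True:  # describe_volumes is paginated via NextToken
            kwargs = {"Filters": [{"Name": "encrypted", "Values": ["false"]}]}
            if token:
                kwargs["NextToken"] = token
            page = ec2.describe_volumes(**kwargs)
            unencrypted += [v["VolumeId"] for v in page["Volumes"]]
            token = page.get("NextToken")
            if not token:
                break
        report[region] = {"was_enabled": was_enabled, "unencrypted": unencrypted}
    return report


class FakeEc2:
    """Constructed stand-in for the three EC2 calls used above; pages one
    volume at a time so the NextToken loop is actually exercised."""
    def __init__(self, enabled, volumes):
        self.enabled, self.volumes = enabled, volumes

    def get_ebs_encryption_by_default(self):
        return {"EbsEncryptionByDefault": self.enabled}

    def enable_ebs_encryption_by_default(self):
        self.enabled = True
        return {"EbsEncryptionByDefault": True}

    def describe_volumes(self, Filters=None, NextToken=None, **_):
        want = Filters[0]["Values"][0] == "true"
        vols = [v for v in self.volumes if v["Encrypted"] == want]
        start = int(NextToken or 0)
        page = {"Volumes": vols[start:start + 1]}
        if start + 1 < len(vols):
            page["NextToken"] = str(start + 1)
        return page


# Constructed two-Region account: one Region still off with legacy volumes.
FAKE_ACCOUNT = {
    "us-east-1": FakeEc2(False, [{"VolumeId": "vol-0old1", "Encrypted": False},
                                 {"VolumeId": "vol-0new1", "Encrypted": True},
                                 {"VolumeId": "vol-0old2", "Encrypted": False}]),
    "eu-west-1": FakeEc2(True, [{"VolumeId": "vol-0new2", "Encrypted": True}]),
}


def demo():
    return enforce_default_encryption(sorted(FAKE_ACCOUNT), FAKE_ACCOUNT.__getitem__)


if __name__ == "__main__":
    for region, status in demo().items():
        print(region, status)
```

The report is the useful part: the toggle itself is one call, but the list of legacy unencrypted volumes is what the compliance owner actually has to work through.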
Key Takeaways
- Patch Manager + maintenance windows + patch baselines = automated patching with no custom scripts needed
- GuardDuty → EventBridge → Lambda/SNS is the standard automated security response pattern
- EBS encryption by default is a single account-level setting — the simplest way to enforce encryption on all new volumes