
AWS SOA-C02 Drill: Ensuring Continuous CloudTrail Enablement - Automation Without Custom Code

Author: Jeff Taakey
21+ Year Enterprise Architect | AWS SAA/SAP & Multi-Cloud Expert.

Jeff’s Note

Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Site Reliability Engineer.

For SOA-C02 candidates, the confusion is usually about how to implement automatic remediation without writing custom Lambda code. In production, the question is which AWS-managed services can detect compliance drift and fix it with the least operational overhead, and what latency and failure modes that buys you. Let’s drill down.

The Certification Drill (Simulated Question)

Scenario

GreenFin Consulting runs a secure financial data platform on AWS and has enabled AWS CloudTrail in its account to record all API activity. Strict audit requirements mean that if CloudTrail is ever disabled or misconfigured, it must be re-enabled automatically and immediately, with no manual intervention.

The SRE team wants an automated remediation solution that requires no custom code (no Lambda functions to write) and keeps CloudTrail continuously enabled and compliant.

The Requirement

Implement a fully managed automation solution that detects CloudTrail being disabled or altered, and automatically re-enables it — all without writing custom code.

The Options

  • A) Enroll the AWS account in AWS Organizations and enable CloudTrail centrally from the management account (formerly called the master account).

  • B) Create an AWS Config rule that triggers on CloudTrail configuration changes and attach the AWS-managed remediation action AWSConfigureCloudTrailLogging to automatically fix any issues.

  • C) Create an AWS Config rule that triggers on CloudTrail configuration changes and invokes a custom AWS Lambda function to re-enable CloudTrail.

  • D) Create an EventBridge scheduled rule that runs every hour and invokes an AWS Systems Manager Automation document to re-enable CloudTrail.



Correct Answer

B

Quick Insight: The SysOps Automation Imperative

  • AWS Config rules evaluate resource configuration continuously, either when a configuration changes or on a fixed schedule; the managed rule cloudtrail-enabled is a scheduled (periodic) rule.
  • AWS provides managed remediation actions for common controls as Systems Manager Automation runbooks; the one named in the option (AWSConfigureCloudTrailLogging) starts logging on a named trail.
  • Together they give detection plus auto-remediation without custom code, which is exactly the requirement.
  • Options that involve Lambda require custom code and are ruled out.


The Expert’s Analysis

Correct Answer

Option B

The Winning Logic

  • AWS Config records the configuration of AWS resources and evaluates rules against it, for example whether a trail is currently logging.
  • The managed rule cloudtrail-enabled (source identifier CLOUD_TRAIL_ENABLED) is a periodic rule: it re-evaluates on the interval set by MaximumExecutionFrequency, which can be as short as one hour, and can optionally require that the trail deliver to a specific S3 bucket, SNS topic or CloudWatch Logs log group.
  • The remediation action attaches an AWS-managed Systems Manager Automation runbook (the option writes it as AWSConfigureCloudTrailLogging; in Systems Manager it is published as AWS-ConfigureCloudTrailLogging, so check the exact name in the Automation runbook list before deploying) that calls StartLogging on the named trail, so nobody authors or maintains a Lambda function.
  • With Automatic set to true, Config runs the runbook every time the rule evaluates NON_COMPLIANT, so compliance is restored without custom code or manual effort.
  • Remediation follows the next rule evaluation rather than the StopLogging call itself, so “immediately” means within the evaluation window you configure; the requirement the exam is testing is automatic re-enablement without writing code, which this fully satisfies.

The Trap (Distractor Analysis)

  • Option A: An organization trail created from the management account is a useful preventive control, because member accounts cannot modify or delete it, but the scenario is a single account with its own trail and asks for detection plus automatic re-enablement. Enrolling in Organizations does neither, and it adds organizational dependence the scenario never mentions.
  • Option C: This requires writing, deploying and maintaining a Lambda function, which violates the “no custom code” rule.
  • Option D: An hourly EventBridge schedule that invokes a Systems Manager Automation runbook is also code-free, but it runs the runbook blindly whether or not anything drifted, records no compliance state, and leaves you to maintain the schedule, the runbook parameters and the role separately. Config binds the same runbook to a compliance evaluation, keeps the evaluation and remediation history for auditors, and needs less to operate.

The Technical Blueprint

# Example of creating the AWS Config rule with remediation via the AWS CLI

aws configservice put-config-rule --config-rule file://cloudtrail-rule.json

# cloudtrail-rule.json: the managed rule is periodic, so set the shortest allowed evaluation interval
{
  "ConfigRuleName": "cloudtrail-enabled",
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "CLOUD_TRAIL_ENABLED"
  },
  "MaximumExecutionFrequency": "One_Hour"
}

# Associate the managed remediation action (a Systems Manager Automation runbook)
aws configservice put-remediation-configurations --remediation-configurations file://remediation-config.json

# remediation-config.json: with "Automatic": true, MaximumAutomaticAttempts and RetryAttemptSeconds are required.
# The runbook needs the trail name, the desired logging state and a role it can assume that is allowed
# to call cloudtrail:StartLogging. The trail name and role ARN below are placeholders; use your own.
[
  {
    "ConfigRuleName": "cloudtrail-enabled",
    "TargetType": "SSM_DOCUMENT",
    "TargetId": "AWS-ConfigureCloudTrailLogging",
    "Automatic": true,
    "MaximumAutomaticAttempts": 3,
    "RetryAttemptSeconds": 60,
    "Parameters": {
      "AutomationAssumeRole": { "StaticValue": { "Values": ["arn:aws:iam::123456789012:role/ConfigRemediationRole"] } },
      "TrailName": { "StaticValue": { "Values": ["management-trail"] } },
      "LoggingState": { "StaticValue": { "Values": ["Enabled"] } }
    }
  }
]

# Verify: current compliance of the rule, and whether automatic remediation ran and succeeded
aws configservice describe-compliance-by-config-rule --config-rule-names cloudtrail-enabled
aws configservice describe-remediation-execution-status --config-rule-name cloudtrail-enabled
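The following is an added example, not code from the page or from AWS: a local model of the detect-then-remediate loop that AWS Config and the Systems Manager runbook perform, so the behaviour (including the case where the trail has been deleted rather than merely stopped) can be reasoned about without an AWS account. The trail names, bucket name and role ARN are made up; the evaluation mirrors the documented cloudtrail-enabled check (at least one trail logging, optionally to a given S3 bucket); and the runbook name is assumed to be AWS-ConfigureCloudTrailLogging as published in Systems Manager.

```python
"""Added example (not from the page or from AWS): local model of the AWS Config
cloudtrail-enabled evaluation and the automatic runbook remediation attached to it.
All names (trail, bucket, role ARN) are constructed placeholders."""
import json
from dataclasses import dataclass


@dataclass
class Trail:
    """Subset of what `describe-trails` plus `get-trail-status` return for one trail."""
    name: str
    is_logging: bool
    s3_bucket: str


def evaluate_cloudtrail_enabled(trails, s3_bucket=None):
    """Mirror the managed rule CLOUD_TRAIL_ENABLED: COMPLIANT when at least one trail
    is logging; with the optional s3BucketName parameter set, it must deliver there."""
    for trail in trails:
        if trail.is_logging and (s3_bucket is None or trail.s3_bucket == s3_bucket):
            return "COMPLIANT"
    return "NON_COMPLIANT"


def build_remediation_configuration(rule_name, trail_name, role_arn,
                                    max_attempts=3, retry_seconds=60):
    """Build one item for put-remediation-configurations. Automatic remediation
    requires an attempt limit and a retry interval, so enforce that up front."""
    if max_attempts < 1 or retry_seconds < 1:
        raise ValueError("Automatic remediation needs MaximumAutomaticAttempts >= 1 "
                         "and RetryAttemptSeconds >= 1")

    def static(value):  # Config's StaticValue parameter shape
        return {"StaticValue": {"Values": [value]}}

    return {
        "ConfigRuleName": rule_name,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": "AWS-ConfigureCloudTrailLogging",  # assumed runbook name (see lead-in)
        "Automatic": True,
        "MaximumAutomaticAttempts": max_attempts,
        "RetryAttemptSeconds": retry_seconds,
        "Parameters": {
            "AutomationAssumeRole": static(role_arn),
            "TrailName": static(trail_name),
            "LoggingState": static("Enabled"),
        },
    }


def run_runbook(trails, parameters):
    """Simulate the runbook: StartLogging on the named trail. A trail that no longer
    exists cannot be re-enabled, which is the failure mode to plan for."""
    name = parameters["TrailName"]["StaticValue"]["Values"][0]
    enable = parameters["LoggingState"]["StaticValue"]["Values"][0] == "Enabled"
    for trail in trails:
        if trail.name == name:
            trail.is_logging = enable
            return True
    return False


def remediation_cycle(trails, remediation, s3_bucket=None):
    """One scheduled evaluation, then automatic remediation and re-evaluation, retried
    up to MaximumAutomaticAttempts. Returns (state_before, state_after, attempts_used)."""
    before = evaluate_cloudtrail_enabled(trails, s3_bucket)
    state, attempts = before, 0
    while state == "NON_COMPLIANT" and attempts < remediation["MaximumAutomaticAttempts"]:
        attempts += 1
        run_runbook(trails, remediation["Parameters"])
        state = evaluate_cloudtrail_enabled(trails, s3_bucket)
    return before, state, attempts


if __name__ == "__main__":
    remediation = build_remediation_configuration(
        "cloudtrail-enabled", "management-trail",
        "arn:aws:iam::123456789012:role/ConfigRemediationRole")
    print(json.dumps([remediation], indent=2))  # contents of remediation-config.json

    # Constructed sample 1: someone ran StopLogging on the only trail.
    trails = [Trail("management-trail", False, "greenfin-audit-logs")]
    print(remediation_cycle(trails, remediation, s3_bucket="greenfin-audit-logs"))

    # Constructed sample 2: the trail was deleted; the runbook has nothing to start.
    print(remediation_cycle([], remediation))
```

The second sample is the point a practitioner should take away: the runbook only flips logging back on for a trail that still exists, so a DeleteTrail call exhausts the automatic attempts and the rule stays NON_COMPLIANT until a human recreates the trail. That is why the remediation should be paired with alerting on NON_COMPLIANT evaluations and with a preventive deny on DeleteTrail.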

The Comparative Analysis

Option | Operational Overhead | Automation Level | Impact
A | Low | Centralized trail, no automatic detection | Does not re-enable a disabled account trail
B | Minimal | Periodic Config evaluation (hourly at most) with automatic runbook remediation | Re-enabled at the next evaluation, no custom code
C | High | Event-driven, but custom code | Requires writing, deploying and maintaining Lambda code
D | Medium | Scheduled runbook run regardless of state | Same hourly latency, but no compliance record and no evaluate-then-remediate binding

Real-World Application (Practitioner Insight)

Exam Rule

For the exam, always pick AWS Config with managed remediation when you see “automatic remediation without custom code”.

Real World

Systems Manager runbooks driven directly from EventBridge (Option D) are sometimes chosen for complex, multi-step tasks, but for simple compliance drift like CloudTrail enablement, managed Config remediation is lighter, leaves an audit trail of evaluations and remediation executions, and is more reliable. Two caveats a production rollout should include: the runbook can only start logging on a trail that still exists, so alert on NON_COMPLIANT evaluations rather than assuming remediation always succeeds; and pair the detective control with a preventive one, an SCP or IAM policy that denies cloudtrail:StopLogging, cloudtrail:DeleteTrail and cloudtrail:UpdateTrail to everything but a break-glass role, so automatic re-enablement is a backstop and every remediation execution is treated as evidence that something tried to turn logging off.



Disclaimer

This is a study note based on simulated scenarios for the SOA-C02 exam.
