Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Site Reliability Engineer (SRE).
For SOA-C02 candidates, the confusion often lies in choosing between automation tools versus custom scripts or workflows for operational tasks. In production, this is about knowing exactly which AWS managed services simplify automation while reducing operational overhead and maintenance. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
TechNova Solutions manages a growing AWS environment with dozens of IAM users. Security policy mandates that any IAM user account idle for 90 days or more must have all associated access keys and passwords immediately disabled to reduce risk from unused credentials. As the Site Reliability Engineer, you have been tasked to automate this process using the MOST operationally efficient method, minimizing manual intervention and avoiding full user deletion.
The Requirement: #
Design an automated solution to identify IAM users inactive for 90 days or longer and disable their AWS access keys and passwords without deleting the users themselves.
The Options #
- A) Create an AWS Step Functions workflow to identify IAM users inactive for 90 days. Run an AWS Lambda function triggered by a scheduled Amazon EventBridge rule to automatically remove the AWS access keys and passwords for those IAM users.
- B) Configure an AWS Config rule to identify IAM users inactive for 90 days. Set up a weekly batch process on an Amazon EC2 instance to disable the AWS access keys and passwords for those IAM users.
- C) Develop and run a Python script on an Amazon EC2 instance to programmatically identify IAM users inactive for 90 days. Automatically delete those IAM users.
- D) Set up an AWS Config managed rule that detects IAM users inactive for 90 days. Use an AWS Systems Manager Automation runbook to disable the AWS access keys for those IAM users.
Correct Answer #
D
Quick Insight: The SysOps Efficiency Imperative #
- Using AWS Config managed rules combined with Systems Manager Automation runbooks leverages fully managed, scalable, and event-driven operations.
- This avoids maintaining custom scripts or EC2 instances, reducing operational overhead.
- It also aligns with AWS best practices to disable rather than delete users, preserving auditability.
The Expert’s Analysis #
Correct Answer #
Option D
The Winning Logic #
- AWS Config managed rules, such as iam-user-unused-credentials-check, provide continuous compliance monitoring without custom code, automatically identifying users with stale credentials beyond a configurable threshold (90 days here).
- AWS Systems Manager Automation runbooks can be triggered on demand or by events, running an automated procedure to disable access keys and passwords for the identified users.
- This solution uses fully managed AWS services, eliminating persistent EC2 instances, custom scripts, or complex workflows.
- Disabling keys instead of deleting users preserves audit trails and allows account reactivation if needed.
- This combination provides a scalable, repeatable, and operationally efficient infrastructure-as-code approach.
The Trap (Distractor Analysis): #
- Why not A? Step Functions + Lambda + EventBridge is a valid orchestrated approach, but it requires building and operating custom workflows and Lambda code, which adds maintenance complexity and operational overhead compared to the native capabilities of AWS Config + Systems Manager.
- Why not B? Using an EC2 instance for batch disabling is operationally costly (patching, scaling, availability) and does not leverage serverless or managed automation services.
- Why not C? Deleting IAM users automatically is risky and against the requirement – the goal is to disable keys/passwords without removing users.
The Technical Blueprint #
B) For Developer / SysOps (Code/CLI Snippet): #
Example CLI to disable an access key using the AWS CLI, which a Systems Manager runbook could automate (the key is set to Inactive, not deleted):

```bash
aws iam update-access-key --user-name <IAM_USER> --access-key-id <ACCESS_KEY_ID> --status Inactive
```

Example AWS Config managed rule setup from the CLI (the service name is `configservice`):

```bash
aws configservice put-config-rule --config-rule file://iam-unused-credentials-rule.json
```

A Systems Manager Automation document can run the same CLI calls in its automation steps.
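The blueprint above lists the individual CLI calls; the following added example (not code from the original note or from AWS) shows how the pieces fit together in Python: the ConfigRule structure for the managed rule `IAM_USER_UNUSED_CREDENTIALS_CHECK` that `put-config-rule` expects, and the remediation logic an SSM Automation `aws:executeScript` step would run to deactivate stale access keys while leaving the user in place. The user name, key IDs, dates and the `FakeIam` stand-in are constructed so the example runs offline; the `events` shape passed to `script_handler` is an assumption about how the runbook would hand in its parameters. Since IAM has no "disable password" call, the example treats removal of the console login profile as the closest equivalent (an assumption, noted in the code).

```python
"""Stale-credential detection rule and remediation logic (added example).

Runs offline against FakeIam; script_handler wires the same logic to boto3
for use inside an SSM Automation aws:executeScript step.
"""
import json
from datetime import datetime, timedelta, timezone

MAX_IDLE_DAYS = 90  # threshold from the scenario


def config_rule_definition(max_age_days: int = MAX_IDLE_DAYS) -> dict:
    """ConfigRule body for `aws configservice put-config-rule --config-rule file://...`.
    InputParameters is a JSON *string*; maxCredentialUsageAge is the managed rule's parameter."""
    return {
        "ConfigRuleName": "iam-user-unused-credentials-check",
        "Source": {"Owner": "AWS", "SourceIdentifier": "IAM_USER_UNUSED_CREDENTIALS_CHECK"},
        "InputParameters": json.dumps({"maxCredentialUsageAge": str(max_age_days)}),
    }


def is_stale(last_activity: datetime, now: datetime, max_idle_days: int = MAX_IDLE_DAYS) -> bool:
    """True when the credential has been idle for at least max_idle_days."""
    return (now - last_activity) >= timedelta(days=max_idle_days)


def disable_stale_credentials(iam, user_name: str, now: datetime,
                              max_idle_days: int = MAX_IDLE_DAYS) -> dict:
    """Deactivate (not delete) every active access key of user_name that has been idle
    for max_idle_days, and remove console access if the password is equally stale.
    `iam` is any object exposing the boto3 IAM client methods used below."""
    report = {"user": user_name, "keys_deactivated": [], "password_removed": False}

    for meta in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        if meta["Status"] != "Active":
            continue  # already inactive: nothing to do, and it stays auditable
        last_used = iam.get_access_key_last_used(AccessKeyId=meta["AccessKeyId"])["AccessKeyLastUsed"]
        # A never-used key has no LastUsedDate; count idle time from its creation date.
        last_activity = last_used.get("LastUsedDate", meta["CreateDate"])
        if is_stale(last_activity, now, max_idle_days):
            iam.update_access_key(UserName=user_name, AccessKeyId=meta["AccessKeyId"], Status="Inactive")
            report["keys_deactivated"].append(meta["AccessKeyId"])

    user = iam.get_user(UserName=user_name)["User"]
    # PasswordLastUsed is absent when the user has no console password or never used it;
    # that case is left alone here. Assumption: deleting the login profile is the
    # practical equivalent of "disabling the password" (IAM has no disable call).
    last_pw = user.get("PasswordLastUsed")
    if last_pw is not None and is_stale(last_pw, now, max_idle_days):
        iam.delete_login_profile(UserName=user_name)
        report["password_removed"] = True
    return report


def script_handler(events, context):
    """Entry point for an aws:executeScript step. Assumed input shape:
    events = {"UserName": "...", "MaxIdleDays": 90}."""
    import boto3  # imported here so the module loads without the SDK present
    now = datetime.now(timezone.utc)
    return disable_stale_credentials(boto3.client("iam"), events["UserName"], now,
                                     int(events.get("MaxIdleDays", MAX_IDLE_DAYS)))


class FakeIam:
    """Constructed stand-in for a boto3 IAM client so the example runs offline."""

    def __init__(self, keys, last_used, user):
        self.keys = keys            # AccessKeyMetadata dicts
        self.last_used = last_used  # AccessKeyId -> AccessKeyLastUsed dict
        self.user = user
        self.calls = []             # record of mutating API calls

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [k for k in self.keys if k["UserName"] == UserName]}

    def get_access_key_last_used(self, AccessKeyId):
        return {"AccessKeyLastUsed": self.last_used.get(AccessKeyId, {})}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.calls.append(("update_access_key", AccessKeyId, Status))
        for k in self.keys:
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status

    def get_user(self, UserName):
        return {"User": self.user}

    def delete_login_profile(self, UserName):
        self.calls.append(("delete_login_profile", UserName))


def demo():
    """Constructed scenario: one key idle 120 days, one never-used key created 30 days
    ago, and a console password last used 200 days ago."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)

    def days_ago(n):
        return now - timedelta(days=n)

    iam = FakeIam(
        keys=[
            {"UserName": "svc-batch", "AccessKeyId": "AKIAEXAMPLEOLD00001",
             "Status": "Active", "CreateDate": days_ago(400)},
            {"UserName": "svc-batch", "AccessKeyId": "AKIAEXAMPLENEW00002",
             "Status": "Active", "CreateDate": days_ago(30)},
        ],
        last_used={"AKIAEXAMPLEOLD00001": {"LastUsedDate": days_ago(120),
                                           "ServiceName": "s3", "Region": "us-east-1"}},
        user={"UserName": "svc-batch", "PasswordLastUsed": days_ago(200)},
    )
    return disable_stale_credentials(iam, "svc-batch", now), iam


if __name__ == "__main__":
    report, _ = demo()
    print(json.dumps(report, indent=2))
    print(json.dumps(config_rule_definition(), indent=2))
```

The never-used key is deliberately kept active: it is only 30 days old, so deactivating it would exceed the policy. In a real runbook the Automation document would pass the non-compliant user name from the Config evaluation into `script_handler`, and the remediation would be recorded in CloudTrail as `UpdateAccessKey` / `DeleteLoginProfile` events rather than as a user deletion.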
The Comparative Analysis (Mandatory for Associate/Pro/Specialty) #
| Option | Operational Overhead | Automation Level | Impact / Risk |
|---|---|---|---|
| A | Medium-High | Workflow + Lambda | Custom orchestration complexity |
| B | High | EC2-based batch | Requires managing servers & cron |
| C | Very High | Script on EC2 | Deletes users—high risk |
| D | Low | Managed Config + SSM | Fully automated, least overhead |
Real-World Application (Practitioner Insight) #
Exam Rule #
“For the exam, always pick AWS Config + Systems Manager Automation when you need to detect resource compliance and take immediate corrective operational actions.”
Real World #
“In a busy operations environment, running EC2 instances just to automate disabling keys creates unnecessary maintenance burdens. Managed services bring scalability, security, and resilience needed for production.”
Disclaimer
This is a study note based on simulated scenarios for the AWS SOA-C02 exam.