AWS SOA-C02 Drill: EC2 Tag Compliance Enforcement - Automating Noncompliant Instance Termination

Jeff Taakey
Author
Jeff Taakey
21+ Year Enterprise Architect | AWS SAA/SAP & Multi-Cloud Expert.

Jeff’s Note

Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Site Reliability Engineer (SRE).

For SOA-C02 candidates, the confusion usually lies in how to enforce configuration compliance across a fleet operationally, without excessive manual overhead or fragile scheduled scripts. In production, this means knowing exactly which AWS managed services provide continuous compliance monitoring combined with automated, auditable remediation workflows. Let’s drill down.

The Certification Drill (Simulated Question)

Scenario

MetaTech Solutions is a rapidly growing SaaS provider that runs hundreds of Amazon EC2 instances across multiple accounts. The company has implemented a strict policy requiring that every EC2 instance must include a set of specific tags for accounting and environment metadata. Any EC2 instance launched or modified without these required tags must be automatically terminated to prevent unauthorized resource use.

The Requirement

Determine the most operationally efficient solution to continuously enforce compliance and automatically terminate EC2 instances missing the mandatory tags.

The Options

  • A) Create an Amazon EventBridge rule that captures all EC2 instance state changes and triggers a Lambda function. The Lambda function then validates instance tags and terminates any noncompliant instances.
  • B) Develop an IAM policy that enforces tagging on EC2 instances and automatically terminates instances not meeting tag requirements.
  • C) Schedule a Lambda function invocation every 5 minutes to scan all EC2 instances for missing tags and terminate noncompliant instances.
  • D) Implement an AWS Config managed rule that checks whether instances have the required tags. If instances are noncompliant, configure AWS Systems Manager Automation to terminate the offending instances.

Correct Answer

D.

Quick Insight: The SysOps Compliance Imperative

  • Continuous compliance in AWS usually means combining AWS Config managed rules for near real-time evaluation with Systems Manager Automation documents for operational remediation. This approach avoids polling inefficiencies and manual scripting overhead.
  • Option D leverages fully managed services built for governance and remediation, whereas others rely on less scalable or unsupported enforcement methods.

The Expert’s Analysis

Correct Answer

Option D

The Winning Logic

AWS Config is designed to continuously record resource configurations and evaluate them against predefined rules, such as the presence of mandatory tags. Using an AWS Config managed rule to detect noncompliant EC2 instances gives near real-time awareness without polling or custom code.
Once AWS Config flags an instance as noncompliant, a remediation configuration can invoke an AWS Systems Manager Automation document to fix the issue—here, by terminating the noncompliant instance. This separation of duties (monitoring vs. automated remediation) follows best practices for reliability, security, and auditability: Config records the evaluation, and Automation records each remediation execution.
This approach scales well across accounts, avoids throttling from large volumes of describe calls, and integrates with AWS native monitoring and audit tools such as CloudTrail and the Config configuration history.

The Trap (Distractor Analysis)

  • Why not A? EventBridge + Lambda for every EC2 instance state change can become costly and complex. It requires writing and maintaining custom remediation code and does not use the built-in compliance framework. It is also purely reactive to state-change events: a required tag removed from a running instance is not a state change, so it is never re-evaluated, whereas Config evaluates configuration changes continuously.
  • Why not B? IAM policies cannot enforce tagging on existing or running instances, and they cannot terminate anything. IAM governs what API requests a principal may make; it does not manage resource lifecycle.
  • Why not C? Polling with a scheduled Lambda every 5 minutes is inefficient, costly, and risks missing state changes between runs. This solution also lacks event-driven responsiveness and native compliance visibility.

The Technical Blueprint

# Example AWS CLI command to create the AWS Config managed rule for required tags.
# Scope limits evaluation to EC2 instances: REQUIRED_TAGS also covers volumes,
# buckets and other resource types, and a terminate remediation must never be
# handed one of those resource IDs.
aws configservice put-config-rule --config-rule '
{
  "ConfigRuleName": "required-tags-check",
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "REQUIRED_TAGS"
  },
  "InputParameters": "{\"tag1Key\":\"env\",\"tag2Key\":\"owner\"}",
  "Scope": {
    "ComplianceResourceTypes": ["AWS::EC2::Instance"]
  }
}'

# Example Systems Manager Automation document (schemaVersion 0.3) that terminates
# one instance. Automation has no aws:terminateInstance action; termination is done
# with aws:changeInstanceState and DesiredState "terminated". The instance ID and
# the role arrive as document parameters, which the Config remediation
# configuration fills in (RESOURCE_ID for the instance, a static value for the role).
{
  "schemaVersion": "0.3",
  "description": "Terminate noncompliant EC2 instance",
  "assumeRole": "{{ AutomationAssumeRole }}",
  "parameters": {
    "EC2InstanceId": {
      "type": "String",
      "description": "ID of the noncompliant instance"
    },
    "AutomationAssumeRole": {
      "type": "String",
      "description": "Role Automation assumes; grant only ec2:TerminateInstances"
    }
  },
  "mainSteps": [
    {
      "name": "terminateInstance",
      "action": "aws:changeInstanceState",
      "inputs": {
        "InstanceIds": ["{{ EC2InstanceId }}"],
        "DesiredState": "terminated"
      }
    }
  ]
}
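The blueprint shows the rule and the document but not the glue between them: the Config remediation configuration that maps the noncompliant resource ID into the Automation document and runs it automatically. The following is an added example, not code from the original page; it builds both API inputs and runs pre-flight guardrails before anything destructive is applied. It assumes the AWS-managed document AWS-TerminateEC2Instance as the target, and the role ARN passed in is a placeholder.

```python
import json

REQUIRED_TAG_KEYS = ["env", "owner"]  # tag keys the page's rule checks
RULE_NAME = "required-tags-check"
EC2_INSTANCE = "AWS::EC2::Instance"

def build_config_rule(rule_name=RULE_NAME, tag_keys=REQUIRED_TAG_KEYS):
    # Managed REQUIRED_TAGS rule scoped to EC2 instances only: unscoped, the rule
    # also evaluates volumes, buckets, etc., and a terminate remediation attached
    # to it would be handed resource IDs that are not instance IDs.
    params = {f"tag{i}Key": key for i, key in enumerate(tag_keys, start=1)}
    return {
        "ConfigRuleName": rule_name,
        "Source": {"Owner": "AWS", "SourceIdentifier": "REQUIRED_TAGS"},
        "InputParameters": json.dumps(params),
        "Scope": {"ComplianceResourceTypes": [EC2_INSTANCE]},
    }

def build_remediation(rule_name, automation_role_arn):
    # Input for put-remediation-configurations. RESOURCE_ID is the dynamic value
    # Config replaces with the ID of the instance just evaluated NON_COMPLIANT.
    # The role ARN is an assumed placeholder supplied by the caller.
    return {
        "ConfigRuleName": rule_name,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": "AWS-TerminateEC2Instance",  # AWS-managed Automation document
        "TargetVersion": "1",
        "ResourceType": EC2_INSTANCE,
        "Automatic": True,                        # remediate without manual approval
        "MaximumAutomaticAttempts": 3,
        "RetryAttemptSeconds": 60,
        "Parameters": {
            "InstanceId": {"ResourceValue": {"Value": "RESOURCE_ID"}},
            "AutomationAssumeRole": {"StaticValue": {"Values": [automation_role_arn]}},
        },
    }

def check_wiring(rule, remediation):
    # Pre-flight guardrails: a destructive remediation may only be attached to an
    # instance-scoped rule, by name, with InstanceId mapped from RESOURCE_ID.
    problems = []
    if rule.get("Scope", {}).get("ComplianceResourceTypes") != [EC2_INSTANCE]:
        problems.append("rule is not scoped to AWS::EC2::Instance")
    if remediation["ConfigRuleName"] != rule["ConfigRuleName"]:
        problems.append("remediation is attached to a different rule")
    if remediation["Parameters"]["InstanceId"]["ResourceValue"]["Value"] != "RESOURCE_ID":
        problems.append("InstanceId is not mapped from RESOURCE_ID")
    return problems  # empty list means the pair is safe to apply
```

Apply the two dictionaries with the boto3 configservice client, put_config_rule(ConfigRule=rule) followed by put_remediation_configurations(RemediationConfigurations=[rem]), only after check_wiring returns an empty list.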

The Comparative Analysis

| Option | Operational Overhead | Automation Level | Impact/Effectiveness |
|---|---|---|---|
| A | Medium to High | Reactive, event-driven | Custom code; potential cost and complexity |
| B | None (not applicable) | None | IAM can’t enforce tags or force termination |
| C | High (poll-based Lambda) | Scheduled automation | Inefficient; risk of detection delays |
| D | Low (managed services) | Continuous compliance | Highly scalable and AWS-native remediation |

Real-World Application (Practitioner Insight)

Exam Rule

For the exam, always pick AWS Config when you see continuous compliance and remediation of resource configurations.

Real World

While Lambda scripts and EventBridge rules work for small environments or one-offs, enterprise-grade solutions use AWS Config combined with Systems Manager Automation for easier management, scalable compliance, and deep audit trails.

Disclaimer

This is a study note based on simulated scenarios for the SOA-C02 exam.