Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Site Reliability Engineer (SRE).
For SOA-C02 candidates, the confusion often lies in knowing which audit documents AWS provides directly versus what you must produce yourself. In production, this is about knowing exactly how to efficiently provide compliance evidence without exposing full infrastructure logs or granting excessive access. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
FinTech Solutions Inc., a financial services startup, is undergoing an external audit for PCI DSS compliance. Their entire infrastructure is hosted on AWS. The SRE team is tasked with providing evidence of PCI DSS compliance for the AWS-managed parts of their environment to the audit firm.
The Requirement: #
Identify the appropriate steps the SRE team should take to supply auditors with the necessary PCI DSS compliance documentation regarding AWS infrastructure.
The Options #
- A) Download the applicable audit reports from the AWS Artifact portal and provide these to the auditors.
- B) Download complete AWS CloudTrail log files and provide these logs to the auditors.
- C) Download complete AWS CloudWatch logs and provide these logs to the auditors.
- D) Provide the auditors with full administrative access to the production AWS account so they can verify compliance firsthand.
Correct Answer #
A.
Quick Insight: The SysOps Imperative #
- Under the AWS Shared Responsibility Model, AWS supplies evidence for security of the cloud (its third-party audit reports, distributed through AWS Artifact); you supply evidence for security in the cloud (your configuration, logging and access controls). Your environment logs are your evidence, not AWS's.
- CloudTrail and CloudWatch logs are your operational records; they are not official compliance evidence from AWS.
- Administrative access to a production account for auditors is a serious security risk and not an accepted audit practice; auditors work from evidence, not from privileges.
The Expert’s Analysis #
The Winning Logic #
AWS Artifact is the AWS portal for compliance documentation. It gives on-demand access to AWS's third-party audit reports, including the PCI DSS Attestation of Compliance (AOC), which an independent assessor issues after verifying how AWS secures its infrastructure against the PCI DSS requirements. That is evidence only AWS can produce, and it is what auditors expect for the AWS-managed portion of the environment. Two practitioner checks: downloading a report requires accepting its terms of use, and the AOC lists the AWS services that are in scope, so confirm that every service in your cardholder data environment appears on that list.
- CloudTrail logs record API calls in your accounts: they are your operational audit trail, not evidence that AWS's infrastructure meets PCI DSS.
- CloudWatch logs carry application, system and performance events; they say nothing about AWS-level compliance.
- Giving auditors admin access to the live production environment risks security, conflicts with least privilege, and is not a recommended practice.
The Trap (Distractor Analysis): #
- Why not B? Full CloudTrail exports are operationally heavy and are not standard compliance evidence for AWS infrastructure. CloudTrail supports your own controls (PCI DSS Requirement 10, audit logging), and raw exports expose account IDs, principals and resource ARNs the auditor does not need for this question. Retaining and reviewing those logs is your responsibility; proving AWS's compliance is not.
- Why not C? CloudWatch logs do not demonstrate compliance coverage, can be voluminous, and may contain whatever applications log; they do not replace a formal audit report.
- Why not D? Granting admin access creates a privileged credential outside your normal access controls, breaks least privilege, and is unnecessary because AWS already publishes the audited report. Auditors need evidence, not privileges.
The Technical Blueprint #
For SysOps, the AWS CLI now includes an `artifact` command group, so reports can be retrieved without the console. There is no `--report-name` flag: `get-report` takes the report's ID, which you look up with `list-reports`, and a term token, which you obtain with `get-term-for-report` (this records your acceptance of the report's terms of use):

```shell
aws artifact list-reports --region us-east-1    # note the "id" and "version" of the PCI DSS report
aws artifact get-report --report-id <report-id> --term-token <term-token> --region us-east-1
```

The term token comes from `aws artifact get-term-for-report --report-id <report-id>`, and `get-report` returns a presigned URL from which the PDF is downloaded; treat that URL as a short-lived secret and do not log it. In the AWS Management Console the same flow is a download under AWS Artifact after accepting the terms in the browser. Note: not every document is necessarily exposed through the API, so the console remains the fallback for anything `list-reports` does not show.
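The full retrieval flow as a script, added here as an example and not code from the original note or from AWS. It drives the boto3 `artifact` client (`list_reports`, `get_term_for_report`, `get_report`) in `main()`, pages through the report list, makes the terms-of-use acceptance an explicit step, downloads the PDF from the presigned URL and records its SHA-256 so the digest can accompany the file to the auditor. The region `us-east-1`, the `"PCI DSS"` name filter, the `StubArtifactClient` and `SAMPLE_PDF` are constructed assumptions; the response keys (`reports`, `id`, `version`, `nextToken`, `termToken`, `documentPresignedUrl`) follow the AWS Artifact API. `demo()` runs offline against the stub; `main()` needs real credentials.

```python
"""Retrieve the AWS PCI DSS report from AWS Artifact via its API and hash it for handover.

Added example, not part of the original study note. main() drives the real boto3 "artifact"
client; StubArtifactClient is a constructed stand-in so the same code also runs offline.
"""
import hashlib
import urllib.request

# Constructed stand-in for the PDF bytes Artifact would serve from the presigned URL.
SAMPLE_PDF = b"%PDF-1.7\n% constructed stand-in for the real Artifact report\n"


def sha256_hex(data: bytes) -> str:
    """Digest recorded alongside the file so the auditor can verify what was handed over."""
    return hashlib.sha256(data).hexdigest()


def find_report(client, name_contains: str = "PCI DSS") -> dict:
    """Page through list_reports and return the newest report whose name contains the filter.

    The substring filter is an assumption; match it to the report title shown in Artifact.
    """
    matches, kwargs = [], {"maxResults": 100}
    while True:
        page = client.list_reports(**kwargs)
        matches += [r for r in page.get("reports", []) if name_contains.lower() in r.get("name", "").lower()]
        if not page.get("nextToken"):
            break
        kwargs["nextToken"] = page["nextToken"]  # keep paging until Artifact reports no more
    if not matches:
        raise LookupError(f"no Artifact report with {name_contains!r} in its name")
    return max(matches, key=lambda r: r["version"])  # newest published version


def _http_get(url: str) -> bytes:
    with urllib.request.urlopen(url, timeout=60) as resp:
        return resp.read()


def fetch_report(client, report: dict, fetch=_http_get) -> bytes:
    """Accept the report's terms, then download the PDF from the presigned URL get_report returns.

    Artifact refuses get_report without a term token, so accepting the terms of use is an
    explicit, auditable step here rather than something the script hides.
    """
    term = client.get_term_for_report(reportId=report["id"], reportVersion=report["version"])
    doc = client.get_report(reportId=report["id"], reportVersion=report["version"], termToken=term["termToken"])
    return fetch(doc["documentPresignedUrl"])  # short-lived presigned URL: never log or persist it


def save_report(data: bytes, dest_path: str) -> str:
    """Write the PDF and return its SHA-256 so the digest can travel with the file."""
    with open(dest_path, "wb") as fh:
        fh.write(data)
    return sha256_hex(data)


class StubArtifactClient:
    """Constructed offline stand-in mirroring the three boto3 calls used above."""
    PAGES = [
        {"reports": [{"id": "report-soc2-constructed", "name": "SOC 2 Type II", "version": 3}],
         "nextToken": "page-2"},
        {"reports": [{"id": "report-pci-constructed", "name": "PCI DSS Attestation of Compliance (AOC)", "version": 1},
                     {"id": "report-pci-constructed", "name": "PCI DSS Attestation of Compliance (AOC)", "version": 2}]},
    ]

    def __init__(self):
        self.accepted = []  # (reportId, reportVersion) pairs whose terms were accepted

    def list_reports(self, maxResults=100, nextToken=None):
        return self.PAGES[0] if nextToken is None else self.PAGES[1]

    def get_term_for_report(self, reportId, reportVersion):
        self.accepted.append((reportId, reportVersion))
        return {"termToken": f"term-{reportId}-{reportVersion}", "documentPresignedUrl": "https://example.invalid/terms"}

    def get_report(self, reportId, reportVersion, termToken):
        if termToken != f"term-{reportId}-{reportVersion}":  # mirrors Artifact rejecting an unaccepted report
            raise PermissionError("terms not accepted for this report version")
        return {"documentPresignedUrl": "https://example.invalid/report.pdf"}


def demo() -> str:
    """Offline run against the stub; returns the digest of the constructed PDF."""
    client = StubArtifactClient()
    report = find_report(client)
    data = fetch_report(client, report, fetch=lambda url: SAMPLE_PDF)
    return sha256_hex(data)


def main(dest_path: str = "aws-pci-dss-aoc.pdf") -> str:
    """Live run: credentials need only artifact:ListReports, GetTermForReport and GetReport."""
    import boto3  # imported here so the offline demo does not require boto3
    client = boto3.client("artifact", region_name="us-east-1")  # region is an assumption
    report = find_report(client)
    return save_report(fetch_report(client, report), dest_path)


if __name__ == "__main__":
    print("stub digest:", demo())
```

Hand the auditor the PDF plus the digest, not the presigned URL and not the credentials that produced it; the IAM principal running `main()` needs only the three `artifact:` actions named in its docstring.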
The Comparative Analysis #
| Option | Operational Overhead | Automation Level | Impact on Security | Appropriateness for Compliance Evidence |
|---|---|---|---|---|
| A | Low | Console download, or scripted via the AWS Artifact API/CLI | Minimal (read-only access to a published report) | Official, auditor-accepted evidence for the AWS side of the shared responsibility model |
| B | High (large volume; needs filtering and redaction) | Possible via API or S3 export | Moderate (exposes account IDs, principals, ARNs and API activity) | Your operational audit trail; supports your own PCI DSS logging controls, not AWS's compliance |
| C | High (voluminous, application-specific) | Possible via API or export | Low to moderate (depends on what applications log) | Monitoring and application logs; irrelevant to AWS's own compliance attestation |
| D | Very High (provisioning, monitoring and revoking privileged access) | Not applicable | High risk (violates least privilege; one credential exposes production) | Unnecessary when AWS publishes audited reports; auditors need evidence, not privileges |
Real-World Application (Practitioner Insight) #
Exam Rule #
“For the exam, always pick AWS Artifact when you see compliance documentation requests related to AWS infrastructure.”
Real World #
“In reality, Artifact covers only AWS's side of the shared responsibility model. Teams pair the AOC with their own evidence for the customer side: CloudTrail logs and AWS Config rule results for the in-scope accounts, Systems Manager session records for administrative access, and the access-control configuration of the cardholder data environment. Check the AOC's list of in-scope services against the services you actually use; anything outside that list is not covered by AWS's attestation. AWS's own PCI DSS reports come only from Artifact.”
Disclaimer
This is a study note based on simulated scenarios for the SOA-C02 exam.