Welcome to Pass4Success

Amazon SOA-C03 Exam - Topic 4 Question 10 Discussion

Actual exam question for Amazon's SOA-C03 exam
Question #: 10
Topic #: 4

A company runs applications on Amazon EC2 instances. The company wants to ensure that SSH ports on the EC2 instances are never open. The company has enabled AWS Config and has set up the restricted-ssh AWS managed rule.

A CloudOps engineer must implement a solution to remediate SSH port access for noncompliant security groups.

What should the engineer do to meet this requirement with the MOST operational efficiency?

Suggested Answer: B

The AWS Cloud Operations and Governance documentation specifies that AWS Config can be paired with AWS Systems Manager Automation runbooks for automatic remediation of noncompliant resources.

For SSH restrictions, the restricted-ssh managed rule detects any security group allowing inbound traffic on port 22. To automatically remediate these findings, AWS provides the AWS-DisableIncomingSSHOnPort22 runbook. This runbook programmatically removes inbound rules that allow port 22 traffic from affected security groups.

This approach achieves continuous compliance with minimal human intervention. By contrast, sending notifications (Option A) does not enforce remediation, API-based scripts (Option C) add operational overhead, and manual remediation (Option D) violates automation best practices.

Therefore, the most efficient CloudOps solution is Option B, using AWS Config with the AWS-DisableIncomingSSHOnPort22 automation runbook for automatic, scalable enforcement.
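The pairing described above, as an added example that is not part of the original page or of AWS's own code: the boto3 parameters that attach the runbook to the restricted-ssh rule as an automatic remediation, plus a local evaluator for the condition the managed rule actually flags (inbound access covering TCP port 22 open to 0.0.0.0/0 or ::/0, not merely any port-22 rule). The role ARN and sample group IDs are constructed placeholders, and the runbook parameter name SecurityGroupIds is an assumption to verify against the document's parameter list.

```python
import ipaddress

# Placeholder role ARN (assumption): the IAM role the runbook assumes.
AUTOMATION_ROLE_ARN = "arn:aws:iam::123456789012:role/ConfigRemediationRole"

def build_remediation_config(rule_name="restricted-ssh", role_arn=AUTOMATION_ROLE_ARN):
    """Kwargs for ConfigService.put_remediation_configuration: attach the
    AWS-DisableIncomingSSHOnPort22 runbook and map the noncompliant resource ID
    (a security group ID) to its SecurityGroupIds parameter (assumed name)."""
    return {"RemediationConfigurations": [{
        "ConfigRuleName": rule_name,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": "AWS-DisableIncomingSSHOnPort22",
        "Parameters": {
            "SecurityGroupIds": {"ResourceValue": {"Value": "RESOURCE_ID"}},
            "AutomationAssumeRole": {"StaticValue": {"Values": [role_arn]}},
        },
        "Automatic": True,              # no human "Remediate" click required
        "MaximumAutomaticAttempts": 5,  # required when Automatic is True
        "RetryAttemptSeconds": 60,
    }]}

def is_unrestricted_ssh(sg):
    """Local approximation of the restricted-ssh check on a security group dict
    shaped like describe_security_groups output: true when inbound TCP (or
    all-protocol) access covering port 22 is open to 0.0.0.0/0 or ::/0."""
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "tcp":
            if not perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535):
                continue
        elif proto != "-1":
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs):
            return True
    return False

# Constructed sample groups, not real resources.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0open0000000000", "IpPermissions": [{"IpProtocol": "tcp",
     "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0internal000000", "IpPermissions": [{"IpProtocol": "tcp",
     "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]

def noncompliant_group_ids(groups=SAMPLE_GROUPS):
    """Group IDs that Config would report NON_COMPLIANT and hand to the runbook."""
    return [g["GroupId"] for g in groups if is_unrestricted_ssh(g)]
```

Pass the returned dict to `boto3.client("config").put_remediation_configuration(**build_remediation_config())`; the group restricted to 10.0.0.0/8 stays compliant and is never touched by the runbook.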
