SCS-C02 Question #192: Real Exam Question with Answer & Explanation
Correct answer: A, B, and E (see the explanation below).
Question
A security administrator has enabled AWS Security Hub for all the AWS accounts in an organization in AWS Organizations. The security team wants near-real-time response and remediation for deployed AWS resources that do not meet security standards. All changes must be centrally logged for auditing purposes. The organization has reached the quotas for the number of SCPs attached to an OU and SCP document size. The team wants to avoid making any changes to any of the SCPs. The solution must maximize scalability and cost-effectiveness. Which combination of actions should the security administrator take to meet these requirements? (Choose three.)
Options
- A. Create an AWS Config custom rule to detect configuration changes to AWS resources. Create an …
- B. Use AWS Systems Manager Change Manager to track configuration changes to AWS resources.
- C. Create a Security Hub custom action to reference in an Amazon EventBridge event rule in the …
- D. Create an Amazon EventBridge event rule to invoke an AWS Lambda function that will take …
- E. Create an Amazon EventBridge event rule to invoke an AWS Lambda function that will evaluate …
- F. Create an Amazon EventBridge event rule to invoke an AWS Lambda function on a schedule to …
Explanation
Note: The answer choices appear truncated in this question, which makes a full evaluation difficult; the reasoning below works from the stated correct answer and documented AWS service behavior.
Why A, B, E are correct: Option A (AWS Config custom rule) provides continuous, event-driven detection of non-compliant resource configurations, satisfying the near-real-time requirement without relying on SCPs. Option B (Systems Manager Change Manager) provides centralized tracking of all configuration changes across the organization, fulfilling the auditing requirement. Option E (EventBridge rule → Lambda that evaluates) enables automated, scalable, cost-effective remediation triggered immediately upon a Security Hub finding - the evaluate step ensures the Lambda acts with context before making changes.
Why the distractors fail: Option C (Security Hub custom action) requires a human to manually trigger the action, breaking the "near-real-time automated" requirement. Option D's Lambda "takes" action directly without evaluation, which is less scalable and risks incorrect remediation. Option F uses a scheduled Lambda, introducing delays that violate the near-real-time response requirement; polling is never as fast as event-driven invocation.
Memory tip: Think "Detect → Evaluate → Remediate" - Config detects, EventBridge routes, Lambda evaluates-then-remediates. Anything requiring a human click (custom actions) or a clock tick (scheduled) cannot be "near-real-time automated."