SCS-C03 Question #13: Real Exam Question with Answer & Explanation
The correct answer is A.
Question
A company is implementing new compliance requirements to meet customer needs. According to the new requirements, the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster. Which solution will meet these requirements in the MOST operationally efficient manner?
Options
- A. Create an AWS Config managed rule to detect unencrypted RDS storage. Configure an
- B. Create an AWS Config managed rule to detect unencrypted RDS storage. Configure a manual
- C. Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the
- D. Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the
Explanation
Option A is correct because AWS Config managed rules provide automated, continuous compliance monitoring for RDS encryption, and when combined with an AWS Config remediation action (using Systems Manager Automation), it can automatically terminate non-compliant instances and trigger an SNS email alert - all within a single, fully managed workflow requiring minimal operational overhead.
Why the distractors are wrong:
- Option B is incorrect because it uses a manual remediation action, which defeats the purpose of automation and increases operational burden - the question asks for the most operationally efficient solution.
- Options C & D use EventBridge to evaluate RDS event patterns, but EventBridge is reactive to specific events and may miss certain creation scenarios; AWS Config provides more comprehensive, continuous compliance evaluation specifically designed for resource configuration tracking.
Memory Tip 🧠
Think "Config = Compliance, Automate = Efficient": whenever a question asks about detecting non-compliant resource configurations and automatically remediating them, AWS Config managed rules with automatic remediation are almost always the most operationally efficient answer. Manual steps = wrong answer on the exam!