
SOA-C02 Question #570: Real Exam Question with Answer & Explanation

The correct answer is A (the AWS Config managed rule with automatic remediation); the full option text and the reasoning follow below.

Submitted by parkjh · Mar 30, 2026 · Security and Compliance

Question

A company is using AWS to deploy a critical application on a fleet of Amazon EC2 instances. The company is rewriting the application because the application failed a security review. The application will take 12 months to rewrite. While this rewrite happens, the company needs to rotate IAM access keys that the application uses. A SysOps administrator must implement an automated solution that finds and rotates IAM access keys that are at least 30 days old. The solution must then continue to rotate the IAM access keys every 30 days. Which solution will meet this requirement with the MOST operational efficiency?

Options

  • A. Use an AWS Config rule to identify IAM access keys that are at least 30 days old. Configure AWS
  • B. Use AWS Trusted Advisor to identify IAM access keys that are at least 30 days old. Configure
  • C. Create a script that checks the age of IAM access keys and rotates them if they are at least 30
  • D. Create an AWS Lambda function that checks the age of IAM access keys and rotates them if they

Explanation

Option A uses AWS Config's managed rule (access-keys-rotated) combined with automatic remediation, which provides a fully managed, event-driven pipeline - no custom code, no servers to maintain, and Config continuously evaluates compliance so keys are flagged and rotated on schedule without manual intervention.

Option B (Trusted Advisor) is wrong because Trusted Advisor is an advisory/recommendation tool; it surfaces findings but does not natively trigger automated remediation workflows, requiring additional manual steps.

Option C is wrong because a custom script needs compute infrastructure to run (e.g., a scheduled EC2 task or cron job), introducing operational overhead - patching, uptime, and scheduling management - that contradicts the "most operational efficiency" requirement.

Option D is wrong not because Lambda is bad, but because building a custom Lambda function to replicate what AWS Config's managed rule already does natively is unnecessary complexity; Config + auto-remediation eliminates the need to write and maintain that logic yourself.

Memory tip: When an AWS exam question asks for most operational efficiency around compliance checking and automated remediation, default to AWS Config managed rules + automatic remediation - it's AWS's purpose-built, zero-maintenance solution for "detect and fix" compliance scenarios.
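As an added illustration of Option A (example code, not from the question page or from AWS), the CloudFormation fragment below declares the access-keys-rotated managed rule with a 30-day threshold and attaches automatic remediation to it. The Automation document name and its parameter names (`AutomationAssumeRole`, `ResourceId`) are placeholders: the rotation runbook itself has to be written for how this application receives its credentials, and it needs the IAM permissions to create, deactivate and delete access keys (an IAM user can hold at most two keys at a time).

```yaml
# Added example: AWS Config rule access-keys-rotated (30-day threshold)
# with automatic remediation. The SSM Automation document name and its
# parameter names are PLACEHOLDERS for a runbook you write yourself.
AWSTemplateFormatVersion: "2010-09-09"
Description: Detect and auto-remediate IAM access keys older than 30 days

Parameters:
  RotationRunbook:
    Type: String
    Default: PLACEHOLDER-RotateIamAccessKey   # hypothetical document name
    Description: SSM Automation document that rotates one IAM user's keys
  RemediationRoleArn:
    Type: String
    Description: Role the runbook assumes (iam:CreateAccessKey, iam:UpdateAccessKey, iam:DeleteAccessKey)

Resources:
  # Managed rule: flags every IAM user with an active key older than 30 days.
  # Needs a Config recorder that records AWS::IAM::User in this account.
  AccessKeyAgeRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: access-keys-rotated-30d
      Source:
        Owner: AWS
        SourceIdentifier: ACCESS_KEYS_ROTATED
      InputParameters:
        maxAccessKeyAge: "30"   # days; the rule's default is 90
      MaximumExecutionFrequency: TwentyFour_Hours

  # Automatic remediation: Config invokes the runbook for each NON_COMPLIANT
  # user, so rotation re-runs every time a key crosses 30 days again.
  AccessKeyRotationRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref AccessKeyAgeRule
      TargetType: SSM_DOCUMENT
      TargetId: !Ref RotationRunbook
      Automatic: true
      MaximumAutomaticAttempts: 3
      RetryAttemptSeconds: 600
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !Ref RemediationRoleArn
        ResourceId:
          ResourceValue:
            Value: RESOURCE_ID   # Config substitutes the non-compliant user's id
```

Before switching `Automatic` to true, run the rule without remediation once and review the NON_COMPLIANT list, since the runbook will rotate every flagged user's key, including users the application is not the consumer of.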

Topics

#IAM Access Key Rotation · #AWS Config · #AWS Systems Manager Automation · #Automated Remediation
