Automated Security Remediation Design — AWS SysOps Administrator (SOA-C03)
Detection Without Remediation Is an Incomplete Architecture
Requirement: automatically detect and remediate non-compliant S3 buckets that have public access enabled. Competing designs: a GuardDuty finding routed to SNS vs. an AWS Config rule with Lambda auto-remediation. The deciding constraint is action scope. GuardDuty detects behavioral threats from log and network telemetry; it does not evaluate or enforce resource configuration state. Config rules assess configuration compliance and can trigger automated correction of the resource. When the scenario demands an automatic fix rather than an alert, Config is the control plane.
What This Pattern Tests
The exam tests automated remediation pipeline design. AWS Config rules evaluate resource configurations continuously. When a rule detects non-compliance (an S3 bucket without encryption, a security group allowing SSH from 0.0.0.0/0), an SSM Automation document or a Lambda function remediates automatically. Config records the compliance timeline; CloudTrail records the remediation API calls. The trap is designing detection without remediation, or remediation without audit logging. The exam expects all three: detect, fix, and prove you fixed it.
Decision Axis
Remediation speed (immediate auto-fix vs. notification followed by manual review) against change control requirements (some environments require approval before any automated change is applied).
Decision Rules
Decide whether the AWS Config remediation action should invoke an SSM Automation document (AWS-managed, no custom code to maintain) or a Lambda function (custom code, a deployment pipeline, and an additional IAM surface to secure) as the remediation executor.
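The detect, fix, prove pipeline and the change-control axis above, worked as an added example that is not part of the exam guide or any AWS sample. AWS Config's built-in remediation action targets an SSM Automation document; the Lambda executor is normally wired from the "Config Rules Compliance Change" event through EventBridge, and the handler below assumes that event layout (detail.configRuleName, detail.resourceType, detail.resourceId, detail.newEvaluationResult.complianceType). The S3 client is injected so the decision logic runs offline against a constructed fake; when deployed, lambda_handler supplies a real boto3 client. The returned audit record is the function's own log line; the CloudTrail entry for PutPublicAccessBlock is the independent evidence that the fix happened.

```python
"""Lambda-style auto-remediation for a NON_COMPLIANT S3 bucket (added example).

Assumptions: EventBridge 'Config Rules Compliance Change' event layout and a
boto3-compatible S3 client exposing put_public_access_block(). The client is
injected so the logic can be exercised with the constructed FakeS3Client.
"""
import json
import logging
from datetime import datetime, timezone

logger = logging.getLogger(__name__)

# All four settings on: neither an ACL nor a bucket policy can expose objects.
FULL_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def parse_compliance_change(event):
    """Return (rule, resource_type, resource_id, compliance) from the assumed
    event layout, or None when any field is missing so that malformed input
    is skipped rather than acted on."""
    detail = event.get("detail") or {}
    compliance = (detail.get("newEvaluationResult") or {}).get("complianceType")
    rule = detail.get("configRuleName")
    rtype = detail.get("resourceType")
    rid = detail.get("resourceId")
    if not all([compliance, rule, rtype, rid]):
        return None
    return rule, rtype, rid, compliance


def remediate(event, s3_client, auto_remediate=True, now=None):
    """Decide and, if policy allows, act. Always returns an audit record."""
    now = now or datetime.now(timezone.utc)
    record = {"timestamp": now.isoformat(), "action": "SKIPPED", "reason": None}
    parsed = parse_compliance_change(event)
    if parsed is None:
        record["reason"] = "malformed event"
        return record
    rule, rtype, bucket, compliance = parsed
    record.update({"rule": rule, "resource": bucket})
    if rtype != "AWS::S3::Bucket":
        record["reason"] = f"unsupported resource type {rtype}"
        return record
    if compliance != "NON_COMPLIANT":
        record["reason"] = f"compliance is {compliance}"
        return record
    if not auto_remediate:
        # Change-control mode: surface the finding for review, touch nothing.
        record["action"] = "NOTIFY_ONLY"
        record["reason"] = "auto-remediation disabled by policy"
        return record
    # The fix: a bucket-level public access block (logged by CloudTrail as
    # PutPublicAccessBlock, which is the proof the exam pattern asks for).
    s3_client.put_public_access_block(
        Bucket=bucket,
        PublicAccessBlockConfiguration=FULL_PUBLIC_ACCESS_BLOCK,
    )
    record["action"] = "REMEDIATED"
    record["reason"] = "public access block applied"
    logger.info(json.dumps(record))
    return record


class FakeS3Client:
    """Constructed stand-in for boto3's S3 client; records calls made to it."""

    def __init__(self):
        self.calls = []

    def put_public_access_block(self, **kwargs):
        self.calls.append(kwargs)
        return {}


def sample_event(bucket, compliance, rule="s3-bucket-public-read-prohibited"):
    """Constructed compliance-change event in the assumed layout."""
    return {
        "source": "aws.config",
        "detail-type": "Config Rules Compliance Change",
        "detail": {
            "configRuleName": rule,
            "resourceType": "AWS::S3::Bucket",
            "resourceId": bucket,
            "newEvaluationResult": {"complianceType": compliance},
        },
    }


def lambda_handler(event, context):
    """Deployed entry point; boto3 import kept local so the module loads offline."""
    import boto3
    return remediate(event, boto3.client("s3"))


if __name__ == "__main__":
    fake = FakeS3Client()
    print(remediate(sample_event("example-bucket", "NON_COMPLIANT"), fake))
    print(fake.calls)
```

The auto_remediate flag is the change-control switch from the decision axis: set it from an environment variable or parameter per account, so the same function runs in notify-only mode where approval is required and in auto-fix mode where it is not, with the audit record shape identical in both.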