Compliance And Audit Architecture — AWS SysOps Administrator (SOA-C03)
Audit Continuity Requires Specific Configuration, Not Just Enablement
Compliance scenarios use precise language: "tamper-evident," "all regions," and "continuous." Each phrase maps to a specific setting. "All regions" requires a multi-region CloudTrail trail with a centralized S3 destination. "Tamper-evident" requires log file validation enabled on that trail. "Continuous compliance" requires Config Rules packaged in a conformance pack. Treating "enable CloudTrail" as a complete compliance answer misses the configuration depth the scenario is explicitly testing.
What This Pattern Tests
The exam describes a compliance requirement and tests which service serves which function. AWS Config evaluates resource configurations against rules (is encryption enabled? is public access blocked?). CloudTrail records every API call for audit trails (who created this bucket? when was the policy changed?). GuardDuty analyzes CloudTrail, VPC Flow Logs, and DNS logs for threat detection (cryptocurrency mining, compromised credentials). Security Hub aggregates findings from Config, GuardDuty, Inspector, and third-party tools into a compliance score. The trap is using GuardDuty for configuration compliance (that is Config) or CloudTrail for threat detection (that is GuardDuty).
Decision Axis
Compliance function determines the service: configuration compliance = Config, audit trail = CloudTrail, threat detection = GuardDuty, posture aggregation = Security Hub.
Associated Traps
More Top Traps on This Exam
Decision Rules
Select the continuous-compliance evaluation layer (AWS Config managed rule with SSM Automation auto-remediation) over an event-log layer (AWS CloudTrail with EventBridge alerting) when the requirement is ongoing resource-state detection plus automated enforcement rather than point-in-time API capture.
Domain Coverage
Difficulty Breakdown