AWS · SOA-C03

Security Default Assumption — AWS SysOps Administrator (SOA-C03)

You assumed a default security configuration that doesn't exist. Services often start permissive — know what you need to configure.

AWS Manages the Floor, Not the Ceiling

Questions that describe encryption, access control, or audit logging often use phrases like "automatically protected" or "managed service," and candidates read this as sufficient coverage. The exam distinguishes what AWS manages by default (physical security, hypervisor isolation, TLS on service endpoints) from what the customer must configure: KMS key policies, IAM least privilege, S3 bucket policies, CloudTrail trails (the console's 90-day event history is not a durable audit log). Never read "managed" as "secured on your behalf."

3% of exam questions affected (6 of 200)

The Scenario

The question asks how to ensure an existing S3 bucket does not allow public access. You answer "S3 Block Public Access is enabled by default, so no action is needed." True for buckets created since April 2023, which get all four Block Public Access settings turned on and ACLs disabled. But the scenario describes a bucket created in 2019 with existing bucket policies. Pre-2023 buckets may have public access enabled, and a bucket policy or ACL that already grants public read is not retroactively removed by the new default. The correct answer is to explicitly enable S3 Block Public Access (at the account level, which covers every bucket in the account) and review the existing bucket policy and ACLs for public grants. The exam tests whether you know that new defaults do not apply retroactively to existing resources.
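The review step above, worked through as an added example (not code from the exam page or from AWS): it evaluates a bucket policy for anonymous grants the way the S3 "public" determination does, then combines that with the effective Block Public Access flags. The policy document, the bucket name, the VPC endpoint ID and the two Block Public Access states are constructed sample data, and the helper names (public_grants, audit_bucket) and the subset of narrowing condition keys are this example's own assumptions.

```python
"""Audit an existing S3 bucket for public access: Block Public Access flags
plus a review of the bucket policy for anonymous grants.

Added example, not code from the exam page or from AWS. The policy document
and the Block Public Access settings below are constructed sample data;
helper names (public_grants, audit_bucket) are this example's own.
"""
import json

# Condition keys that, per the S3 "meaning of public" rules, make an
# anonymous-principal statement non-public when they pin access to fixed
# values. This is a subset of the documented list (assumption).
NARROWING_KEYS = {
    "aws:SourceIp", "aws:SourceVpc", "aws:SourceVpce", "aws:SourceArn",
    "aws:SourceAccount", "aws:PrincipalOrgID", "aws:PrincipalArn",
    "aws:PrincipalAccount", "aws:userid",
}

BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def principal_is_anonymous(principal):
    """S3 treats Principal "*" and {"AWS": "*"} (or a list containing "*")
    as the anonymous principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def is_public_statement(stmt):
    """Allow + anonymous principal + no narrowing condition key = public grant."""
    if stmt.get("Effect") != "Allow" or not principal_is_anonymous(stmt.get("Principal")):
        return False
    for operator_block in (stmt.get("Condition") or {}).values():
        if any(key in NARROWING_KEYS for key in operator_block):
            return False
    return True


def public_grants(policy):
    """Return the Sid (or index) of every public grant in a bucket policy,
    given as a JSON string or an already-parsed dict."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):        # a single statement object is legal
        statements = [statements]
    return [s.get("Sid", f"Statement[{i}]")
            for i, s in enumerate(statements) if is_public_statement(s)]


def audit_bucket(bpa, policy):
    """Combine the effective Block Public Access configuration (account or
    bucket level, whichever is stricter) with the policy review.
    Returns a list of findings; an empty list means nothing to fix."""
    findings = []
    grants = public_grants(policy)
    if grants and bpa.get("RestrictPublicBuckets", False):
        findings.append(f"public grants neutralised by RestrictPublicBuckets, remove them anyway: {grants}")
    elif grants:
        findings.append(f"public grants in effect: {grants}")
    findings += [f"{flag} is not enabled" for flag in BPA_FLAGS if not bpa.get(flag, False)]
    return findings


# Constructed sample: a 2019-era bucket policy with one public read grant and
# one statement that only looks public (it is pinned to a VPC endpoint).
LEGACY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::legacy-assets-2019/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::legacy-assets-2019/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
})

# Constructed: a pre-2023 bucket whose account never turned Block Public Access
# on, and the same bucket after all four flags are enabled.
LEGACY_BPA = {flag: False for flag in BPA_FLAGS}
HARDENED_BPA = {flag: True for flag in BPA_FLAGS}

if __name__ == "__main__":
    for label, bpa in (("legacy", LEGACY_BPA), ("hardened", HARDENED_BPA)):
        print(label, audit_bucket(bpa, LEGACY_POLICY) or ["no findings"])
```

Against a real account the inputs come from `aws s3control get-public-access-block --account-id <id>`, `aws s3api get-public-access-block --bucket <name>` and `aws s3api get-bucket-policy --bucket <name>`; `aws s3api get-bucket-policy-status --bucket <name>` returns S3's own IsPublic verdict and is the authoritative check. Note that RestrictPublicBuckets only neutralises a public policy; the audit still reports the grant so it gets removed rather than relied on.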

How to Spot It

  • AWS security defaults have changed over time and differ between new and existing accounts. EBS encryption by default is a per-Region account setting that stays off until someone enables it, so an existing account keeps creating unencrypted volumes unless a KMS key is specified at launch. New Security Groups allow all outbound traffic and no inbound traffic by default. Default VPC subnets auto-assign public IPv4 addresses. Know what "default" actually means for each service and whether it applies to the account in the question.
  • Lambda functions have no VPC attachment by default: they run in an AWS-owned VPC with outbound internet access. Once you attach a function to your VPC, its ENIs get only private addresses, so it loses internet access unless the subnet routes through a NAT Gateway (or the function reaches AWS services through VPC endpoints instead). The exam tests whether you know that adding VPC configuration changes this default behavior.
  • When the question says "existing" infrastructure, assume nothing about current configuration. Legacy resources have legacy defaults. The answer always involves explicit verification and configuration, not reliance on defaults.

Decision Rules

Whether to add a Security Group inbound rule (redundant given stateful tracking already permits return packets) or a NACL outbound rule covering ephemeral ports 1024-65535 (required because NACLs are stateless and do not track connection direction) to resolve the broken TCP session.

Amazon Virtual Private Cloud · Amazon EC2 · AWS VPC Flow Logs

Whether the blocking control is the stateless NACL outbound rule table on subnet-B, which requires an explicit allow covering ephemeral ports 1024-65535 for return traffic, versus the stateful Security Group on the subnet-B EC2 instance, which already implicitly permits return traffic the moment the inbound session was accepted, making any SG change unnecessary.

Amazon Virtual Private Cloud · Amazon EC2 · AWS VPC Flow Logs
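Both decision rules above come down to the same evaluation difference, modelled here as an added example (not code from the exam page or from AWS): a stateless NACL matches every packet, including the server's reply, against the table for its direction, while a stateful Security Group lets the reply through on connection tracking alone. The subnet CIDRs, addresses, ports, rule tables and helper names (Nacl, SecurityGroup, trace_session, broken_nacl, fixed_nacl) are this example's own constructed model.

```python
"""Stateless NACL versus stateful Security Group on a TCP session from
subnet-A (10.0.1.0/24) to an instance in subnet-B (10.0.2.0/24).

Added example, not code from the exam page or from AWS. The rule tables,
addresses and helper names (Nacl, SecurityGroup, trace_session) are this
example's own constructed model of the evaluation rules.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class NaclRule:
    number: int
    direction: str      # "inbound" or "outbound"
    proto: str
    port_from: int      # port range applies to the packet's destination port
    port_to: int
    cidr: str           # source CIDR for inbound, destination CIDR for outbound
    action: str         # "allow" or "deny"


class Nacl:
    """Stateless: each packet is matched on its own against the table for its
    direction, lowest rule number first, first match wins, and a packet that
    matches nothing hits the implicit '*' deny."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, packet, direction):
        remote = packet.src_ip if direction == "inbound" else packet.dst_ip
        for r in self.rules:
            if r.direction != direction or r.proto != packet.proto:
                continue
            if not r.port_from <= packet.dst_port <= r.port_to:
                continue
            if ipaddress.ip_address(remote) not in ipaddress.ip_network(r.cidr):
                continue
            return r.action
        return "deny"


class SecurityGroup:
    """Stateful: inbound rules are consulted only for a new flow; once a flow
    is accepted, packets in the reverse direction are allowed by connection
    tracking without consulting any rule. Outbound is the default allow-all."""

    def __init__(self, inbound):
        self.inbound = inbound      # tuples of (proto, port_from, port_to, cidr)
        self.tracked = set()

    def evaluate(self, packet, direction):
        flow = (packet.proto, packet.src_ip, packet.src_port, packet.dst_ip, packet.dst_port)
        reverse = (packet.proto, packet.dst_ip, packet.dst_port, packet.src_ip, packet.src_port)
        if reverse in self.tracked:
            return "allow"          # return traffic of an already-accepted flow
        if direction == "outbound":
            self.tracked.add(flow)
            return "allow"
        for proto, lo, hi, cidr in self.inbound:
            if (proto == packet.proto and lo <= packet.dst_port <= hi
                    and ipaddress.ip_address(packet.src_ip) in ipaddress.ip_network(cidr)):
                self.tracked.add(flow)
                return "allow"
        return "deny"


def trace_session(nacl, sg, client_ip, client_port, server_ip, server_port):
    """Verdicts for the request entering subnet-B and the reply leaving it."""
    request = Packet(client_ip, server_ip, client_port, server_port)
    reply = Packet(server_ip, client_ip, server_port, client_port)
    return {
        "nacl_in": nacl.evaluate(request, "inbound"),
        "sg_in": sg.evaluate(request, "inbound"),
        "sg_out": sg.evaluate(reply, "outbound"),
        "nacl_out": nacl.evaluate(reply, "outbound"),
    }


def subnet_b_sg():
    return SecurityGroup([("tcp", 443, 443, "10.0.1.0/24")])


def broken_nacl():
    """The common mistake: the outbound table mirrors the inbound service port."""
    return Nacl([NaclRule(100, "inbound", "tcp", 443, 443, "10.0.1.0/24", "allow"),
                 NaclRule(100, "outbound", "tcp", 443, 443, "10.0.1.0/24", "allow")])


def fixed_nacl():
    """Add an outbound allow for the client's ephemeral port range."""
    return Nacl(broken_nacl().rules +
                [NaclRule(110, "outbound", "tcp", 1024, 65535, "10.0.1.0/24", "allow")])


if __name__ == "__main__":
    for label, nacl in (("broken", broken_nacl()), ("fixed", fixed_nacl())):
        print(label, trace_session(nacl, subnet_b_sg(), "10.0.1.25", 51234, "10.0.2.40", 443))
```

The broken table returns allow at every step except nacl_out, which is exactly what the exam scenario describes: VPC Flow Logs on the subnet-B ENI show the inbound SYN accepted and the reply rejected, and nothing about the Security Group needs to change. The real fix is a single egress entry on the subnet-B NACL, for instance `aws ec2 create-network-acl-entry --network-acl-id <acl-id> --egress --rule-number 110 --protocol tcp --port-range From=1024,To=65535 --cidr-block 10.0.1.0/24 --rule-action allow` (the ACL ID and CIDR are placeholders for your environment).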

Domain Coverage

Networking and Content Delivery

Difficulty Breakdown

Medium: 3 · Hard: 3

Related Patterns