Free AWS SOA-C03 Actual Exam Questions - Question 2 Discussion

Question No. 2
A company's developers manually install software modules on Amazon EC2 instances to deploy new
versions of a service. A security audit finds that instances contain inconsistent and unapproved
modules.
A CloudOps engineer must create a new instance image that contains only approved software.
Which solution will meet these requirements?
Shoaib C.
2026-02-22

It’s D because Detective and GuardDuty don’t manage AMIs or software deployment, and Run Command just updates running instances without ensuring image consistency.

0
Marco A.
2026-02-20

It’s D, since only Image Builder guarantees a clean, repeatable image with approved software.

0
Arjun Y.
2026-02-17

It’s D, since Image Builder automates consistent AMI creation, unlike manual or patch-based methods.

0
Arjun A.
2026-02-16

I think option C might not solve the root problem since applying approved modules on running instances doesn’t prevent leftover unapproved ones. The question stresses creating a new image with only approved software, so fixing current instances isn’t enough. Options A and B feel off because they focus on detection, not building a clean AMI. D stands out since EC2 Image Builder can automate building and testing an image, ensuring consistency. But does the scenario imply they have a CI/CD pipeline that can easily switch to a new AMI? That part isn’t clear. Would using Image Builder still be prac

0
Peter A.
2026-02-15

I agree that A and B don’t really fit since they’re more about detection and monitoring rather than creating a clean image. C might seem okay since Systems Manager can install approved modules, but it’s still patching existing instances rather than ensuring a consistent baseline image. That inconsistency is the root issue here. The best way to guarantee every new instance starts with just the approved software sounds like using EC2 Image Builder, which automates creating a tested AMI. Would running an in-place update with Run Command really stop unapproved modules from sticking around long ter

0
Haris G.
2026-02-14

It’s D. EC2 Image Builder automates creating and testing AMIs, so you get a reliable image with just the approved software—unlike run commands that patch running instances inconsistently.

0
David V.
2026-02-13

It’s definitely not A or B since those focus on detection, not building a clean image. D’s the only one designed to produce a consistent, approved AMI, which solves the problem at the source.

0
David V.
2026-02-12

It’s D because only EC2 Image Builder ensures a clean, approved baseline AMI for future instances.

0
Ryan K.
2026-02-12

Probably D. It’s the only option that builds a controlled, tested AMI from scratch, so you avoid inconsistent installs and ensure only approved software is included.

0
Ryan K.
2026-02-10

Sounds like they want a clean slate for new instances, so D fits best since it builds a tested AMI with only approved modules. Run Command in C might not stop unapproved modules from sneaking in later. D

0
Ryan K.
2026-02-09

C/D? C could help fix running instances by installing approved modules, but it doesn’t ensure a clean base image. D creates a consistent AMI to prevent unapproved modules from ever getting deployed, which seems more solid long-term.

0
Ryan K.
2026-02-04

B/D? B talks about GuardDuty creating AMIs, but I don’t think GuardDuty has that capability—it’s for threat detection, not image creation. So that seems off. D makes more sense because EC2 Image Builder is designed to automate building and testing AMIs with approved software, which fits the need for consistent instances. C could help fix running instances but won’t prevent new ones from having unapproved modules. So D is the proper way to create a controlled, repeatable image for deployments.

0
Ryan K.
2026-02-02

D, since EC2 Image Builder automates approved image creation and testing.

0
Ryan K.
2026-02-01

C/D? I get why D is solid for making sure new instances are clean from the start, but C could be a quick fix by pushing approved modules to existing instances and getting consistency without rebuilding images right away. Still, it doesn’t solve the root problem of manual installs causing drift over time. D’s approach with Image Builder seems more reliable long-term since it prevents unapproved modules from ever being part of the base image, unlike C which is more reactive.

0
Imran S.
2026-02-01

Option D is the best fit since it ensures every new instance launches from an AMI that’s already vetted and approved, avoiding manual installs and inconsistencies. The others don’t really guarantee a clean, consistent baseline.

0
Imran S.
2026-01-31

D/C? C could work by patching running instances, but it won’t fix the problem long-term or ensure new instances are clean. D makes sure every new instance starts with the approved software baked in, which seems safer.

0
Imran S.
2026-01-31

Maybe D, since only EC2 Image Builder really standardizes the image with approved software.

0
Irfan F.
2026-01-29

It’s D because creating a standardized, tested AMI ensures every new instance is clean and consistent, unlike C which risks inconsistencies by patching live instances. Options A and B don’t actually build or enforce a clean image.

0
Peter P.
2026-01-29

C/D? C updates running instances but doesn’t stop drift or guarantee consistency across new instances. D creates a clean, tested AMI ensuring every launch has only approved software, so it seems more reliable overall.

0
Farhan K.
2026-01-27

D is definitely the way to go. Options A and B just focus on detecting or scanning, not actually fixing the problem by building a clean image. C tries to patch running instances, which doesn’t prevent drift or inconsistent states. With Image Builder (D), you get a repeatable process that guarantees all instances start with the approved software pre-installed, which solves the inconsistency issue right from the start.

0