Question 15 - AWS SCS-C03 Real Exam Questions [March 2026 Update]

Q: 15

A company has security requirements for Amazon Aurora MySQL databases regarding encryption, deletion protection, public access, and audit logging. The company needs continuous monitoring and real-time visibility into compliance status. Which solution will meet these requirements?

Options

Discussion

Ben H. Feb 14, 2026 1:24 pm

B , saw something like this in a mock, Config managed rules hit all the Aurora MySQL points needed.

SeasonedReviewer3221 Feb 17, 2026 10:29 pm

Leo D. Mar 2, 2026 2:28 am

Not C, since Security Hub config policies won't give deep Aurora MySQL rule checks. B is correct.

Ava G. Feb 20, 2026 6:16 pm

Probably B here, Config managed rules directly track those Aurora settings. C is more for aggregating results across services.

AaronX Mar 2, 2026 10:27 am

B imo. AWS Config's managed rules cover encryption, public access, deletion protection, and logging right out of the box for Aurora MySQL. You get real-time compliance without custom code. Pretty sure that's what they're asking for but let me know if I'm missing something.

Jamie Mar 2, 2026 1:58 am

Yeah, B. Config managed rules fit Aurora MySQL compliance checks.

Piya N. Mar 6, 2026 9:42 pm

B tbh, Config managed rules are made for this kind of continuous compliance on Aurora MySQL. Simple and does exactly what's needed.

Amelia F. Feb 27, 2026 7:38 am

B , since managed Config rules do all the compliance checks listed for Aurora MySQL. Keeps monitoring continuous and real-time.

Parker R. Feb 25, 2026 5:02 pm

Probably B here. AWS Config has those managed rules for Aurora MySQL that actually check encryption, public access, deletion protection, and audit logging individually. Security Hub is broader but doesn't give that Aurora-level granularity out of the box. Pretty confident but open to other thoughts if someone's seen a new Security Hub update.

CalmSec1547 Feb 19, 2026 11:45 am

B , Config managed rules are Aurora MySQL aware so fits the compliance ask better than C I think.

Be respectful. No spam.

Correct Answer:

Explanation

AWS Config is the primary service for assessing, auditing, and evaluating the configurations of AWS resources. It continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. For this scenario, AWS Config provides managed rules that can specifically check Amazon Aurora instances for compliance with the stated security requirements. These rules include checks for public accessibility (rds-instance-public-access-check), storage encryption (rds-storage-encrypted), deletion protection (rds-instance-deletion-protection-enabled), and log exports (aurora-mysql-log-exports-enabled), providing the required continuous monitoring and real-time visibility into the compliance status.

Why Incorrect

A. Use AWS Audit Manager with a custom framework.

AWS Audit Manager is designed for collecting evidence for audits, not for real-time configuration monitoring and alerting. It often uses AWS Config as an evidence source.

C. Use AWS Security Hub configuration policies.

AWS Security Hub aggregates security findings and uses AWS Config rules for many of its checks. AWS Config is the foundational service that performs the actual configuration evaluation.

D. Use EventBridge and Lambda with custom metrics.

This is a custom-built solution that requires significant development and maintenance effort, whereas AWS Config provides a managed, out-of-the-box solution for this exact purpose.

---

References

1. AWS Config Documentation - rds-storage-encrypted: "Checks whether storage encryption is enabled for your Amazon Relational Database Service (Amazon RDS) DB instances."

Source: AWS Config Developer Guide, "List of AWS Config Managed Rules", rds-storage-encrypted.

2. AWS Config Documentation - rds-instance-deletion-protection-enabled: "Checks if an Amazon Relational Database Service (Amazon RDS) instance has deletion protection enabled."

Source: AWS Config Developer Guide, "List of AWS Config Managed Rules", rds-instance-deletion-protection-enabled.

3. AWS Config Documentation - rds-instance-public-access-check: "Checks whether the Amazon Relational Database Service (RDS) instances are not publicly accessible."

Source: AWS Config Developer Guide, "List of AWS Config Managed Rules", rds-instance-public-access-check.

4. AWS Config Documentation - aurora-mysql-log-exports-enabled: "Checks if an Amazon Aurora MySQL DB cluster has the specified log types exported to Amazon CloudWatch Logs." (The specified log types can include 'audit').

Source: AWS Config Developer Guide, "List of AWS Config Managed Rules", aurora-mysql-log-exports-enabled.

5. AWS Config Documentation - What Is AWS Config?: "AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations."

Source: AWS Config Developer Guide, "What Is AWS Config?".

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE