KT-SYS Configuration drift

CSPM reports public SSH open on a prod instance that Terraform should manage privately. Fix?

Multiple choice — select one answer

Answer choices

  1. a. Revert drift via IaC pipeline, investigate manual change, and enforce policy-as-code guardrails
  2. b. Add the security group rule to the template so drift becomes permanent, without security or identity team coordination per policy.
  3. c. Disable CSPM because Terraform already ran successfully last year, without security or identity team coordination per policy.
  4. d. Snapshot the instance and advertise SSH in the security newsletter as a feature

Architectural breakdown & explanation

Drift from IaC baselines should be corrected and prevented with guardrails.

Correct answer(s): a. Revert drift via IaC pipeline, investigate manual change, and enforce policy-as-code guardrails

Exam domain: Configuration drift (20% weight on the official guide).

Official documentation & study links

Practice this certification

This page is one question from the KeyTrain's Key Training — System Hygiene bank. Run a full timed practice exam with domain-weighted random questions in your browser.