Q12 — AWS DOP-C02 Ch.1
A company’s application development team uses Linux-based Amazon EC2 instances as bastion hosts. SSH access to bastion hosts is restricted to specific IP addresses defined in associated security groups. The security team wants to be notified if security group rules are modified to allow SSH access from any IP address.
- A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule using the aws.cloudtrail source and event name AuthorizeSecurityGroupIngress. Define an Amazon Simple Notification Service (Amazon SNS) topic as the target.
- B. Enable Amazon GuardDuty and review security group findings in AWS Security Hub. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule with a custom pattern matching GuardDuty events with findingType NON_COMPLIANT. Define an Amazon SNS topic as the target.
- C. Create an AWS Config rule using the 'restricted-ssh' managed rule to check whether security groups permit unrestricted inbound SSH traffic. Configure automatic remediation to publish a message to an Amazon SNS topic. ✓
- D. Enable Amazon Inspector. Include the Common Vulnerabilities and Exposures (CVE)-1.1 rule package to assess security groups associated with bastion hosts. Configure Amazon Inspector to publish messages to an Amazon SNS topic.
Correct Answer: C. Create an AWS Config rule using the 'restricted-ssh' managed rule to check whether security groups permit unrestricted inbound SSH traffic. Configure automatic remediation to publish a message to an Amazon SNS topic.
Explanation
Reference: https://docs.aws.amazon.com/config/latest/developerguide/restricted-ssh.html