Q54 — AWS DOP-C02 Ch.1


A company’s application development team uses Linux-based Amazon EC2 instances as bastion hosts. SSH access to the bastion hosts is restricted to specific IP addresses, as defined in associated security groups. If the security group rules are modified to allow SSH access from any IP address, the company’s security team wants to be notified.

Correct Answer: A. Create an Amazon EventBridge rule using the aws.cloudtrail source and event name AuthorizeSecurityGroupIngress. Define an Amazon Simple Notification Service (Amazon SNS) topic as the target.

Explanation

Option A is correct because changing a security group rule to allow unrestricted SSH access is an AuthorizeSecurityGroupIngress API call, which CloudTrail records as an event. An EventBridge rule can match that event in near real time and forward it to an SNS topic for immediate notification. Option C is incorrect because the restricted-ssh managed rule evaluates the *current state* of security groups—not the change itself—and so does not report rule modifications as they happen. Option B is incorrect because GuardDuty does not generate findings specifically for security group rule changes. Option D is incorrect because Amazon Inspector assesses vulnerabilities and configurations—not real-time security group mutations. Option A is therefore the precise, lightweight, and effective solution.
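The following EventBridge event pattern is an added illustration of the detection the correct answer describes; it is not part of the original question set. Two details a practitioner should know when writing it: API calls recorded by CloudTrail arrive in EventBridge with the calling service as the `source` (here `aws.ec2`) and the `detail-type` `AWS API Call via CloudTrail`, and matching on `requestParameters` is an optional narrowing (not required by the question) so the rule fires only when the new ingress rule opens port 22 to 0.0.0.0/0 rather than on every ingress change.

```json
{
  "source": ["aws.ec2"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["ec2.amazonaws.com"],
    "eventName": ["AuthorizeSecurityGroupIngress"],
    "requestParameters": {
      "ipPermissions": {
        "items": {
          "fromPort": [22],
          "toPort": [22],
          "ipRanges": {
            "items": {
              "cidrIp": ["0.0.0.0/0"]
            }
          }
        }
      }
    }
  }
}
```

Attach this pattern to a rule on the default event bus with the security team's SNS topic as the target. Dropping the `requestParameters` block reproduces the broader behaviour stated in the answer (notify on any AuthorizeSecurityGroupIngress call). The IPv6 equivalent lives under `ipv6Ranges.items.cidrIpv6` with the value `::/0` and needs its own match clause. CloudTrail must be logging management events in the region for the event to reach EventBridge at all, so verifying that is part of testing the rule.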