Q54 — AWS DOP-C02 Ch.1
A company’s application development team uses Linux-based Amazon EC2 instances as bastion hosts. SSH access to the bastion hosts is restricted to specific IP addresses, as defined in associated security groups. If the security group rules are modified to allow SSH access from any IP address, the company’s security team wants to be notified.
- A. Create an Amazon EventBridge rule using the aws.cloudtrail source and event name AuthorizeSecurityGroupIngress. Define an Amazon Simple Notification Service (Amazon SNS) topic as the target. ✓
- B. Enable Amazon GuardDuty and review security group findings in AWS Security Hub. Configure an Amazon EventBridge rule with a custom pattern matching GuardDuty events with output NON_COMPLIANT.
- C. Create an AWS Config rule using the restricted-ssh managed rule to check whether security groups allow unrestricted inbound SSH traffic. Configure automatic remediation to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic.
- D. Enable Amazon Inspector. Include the Common Vulnerabilities and Exposures-1.1 rule package to assess the security group associated with the bastion host. Configure Amazon Inspector to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic.
Correct Answer: A. Create an Amazon EventBridge rule using the aws.cloudtrail source and event name AuthorizeSecurityGroupIngress. Define an Amazon Simple Notification Service (Amazon SNS) topic as the target.
Explanation
Option A is correct because modifying security group rules to allow unrestricted SSH access triggers the AuthorizeSecurityGroupIngress CloudTrail event, which can be captured in near real time by an EventBridge rule and forwarded to an SNS topic for immediate notification. Option C is incorrect because the restricted-ssh managed rule evaluates the *current state* of security groups—not changes to them—and does not detect rule modifications. Option B is incorrect because GuardDuty does not generate findings specifically for security group rule changes. Option D is incorrect because Amazon Inspector assesses vulnerabilities and configurations—not real-time security group mutations. Therefore, Option A is the precise, lightweight, and effective solution.