Q94 — AWS DOP-C02 Ch.1
Question 94 of 100 | ← Chapter 1
During a security audit, a company discovers some security groups allowing SSH traffic from 0.0.0.0/0. A security team wants to implement a solution to detect and remediate this issue as quickly as possible. The company uses AWS Organizations to centrally manage its security services across all AWS accounts.
- A. Enable AWS Config across all AWS accounts. Use a periodic trigger to invoke the vpc-sg-open-only-to-authorized-ports AWS Config managed rule. Create an AWS Lambda function to remediate any noncompliant resources. ✓
- B. Create an AWS Lambda function in each AWS account to delete all security group rules. Create an Amazon EventBridge rule to match security group update or creation events. Configure the Lambda function in each account as the rule’s target.
- C. Enable AWS Config across all AWS accounts. Create a custom AWS Config rule that runs on configuration change triggers. Configure the rule to invoke an AWS Lambda function to remediate any noncompliant resources.
- D. Develop an AWS Systems Manager Automation document in each account to check all security groups and delete noncompliant rules. Run the automation document hourly using an Amazon EventBridge scheduled rule.
Correct Answer: A. Enable AWS Config across all AWS accounts. Use a periodic trigger to invoke the vpc-sg-open-only-to-authorized-ports AWS Config managed rule. Create an AWS Lambda function to remediate any noncompliant resources.
Explanation
Allowing SSH (TCP port 22) inbound from 0.0.0.0/0 (or ::/0) is a high-risk misconfiguration that needs rapid detection and automated remediation. With AWS Organizations, AWS Config rules can be deployed to every member account as organization rules and their results viewed centrally through a Config aggregator, so detection does not have to be built per account. The managed rule vpc-sg-open-only-to-authorized-ports flags any security group that allows 0.0.0.0/0 ingress on a port not listed in its authorizedTcpPorts or authorizedUdpPorts parameters, so an unrestricted port 22 rule becomes NON_COMPLIANT; AWS also ships restricted-ssh, which checks the same condition with no parameters. Option A uses an AWS-maintained rule with a Lambda remediation action, which aligns with the Well-Architected practices of continuous monitoring and automated correction. Option B deletes *all* security group rules, not just the offending ones, and will break workloads. Option C reimplements with a custom rule what a managed rule already provides, so the team must maintain the evaluation logic itself. Option D runs only hourly, which does not meet the "as quickly as possible" requirement. Thus, option A is the intended answer. One caveat for practice: a periodic trigger evaluates on a fixed schedule (one hour is the shortest interval), so for the fastest possible detection the managed rule should be triggered on configuration changes, which it supports, and the remediation should revoke only the public CIDR from the offending rule rather than the whole rule.
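The remediation side of option A, as an added example that is not part of the exam page or any AWS sample: the pure evaluation logic a Config custom-rule or remediation Lambda would apply to a security group, returning revoke-ready entries that strip only the public CIDRs (0.0.0.0/0 and ::/0) from rules that cover port 22, including all-traffic (-1) rules and port ranges that contain 22, while leaving office CIDRs, HTTPS, and security-group-referenced sources alone. The security group and the FakeEc2 client are constructed for the example; the `lambda_handler` event shape (`groupId`) is an assumption, and boto3 is imported only inside it so the detection logic runs offline.

```python
"""Detect and remediate world-open SSH in an EC2 security group.

Added example (not from the exam page). SAMPLE_SG is a constructed
security group in the format returned by ec2.describe_security_groups().
"""

SSH_PORT = 22
PUBLIC_V4 = {"0.0.0.0/0"}
PUBLIC_V6 = {"::/0"}

# Constructed sample: two offending rules, two legitimate ones.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        # offending: SSH from anywhere (IPv4), alongside a legitimate office range
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "203.0.113.0/24"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
        # offending: a TCP port range from anywhere over IPv6 that contains 22
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        # fine: HTTPS from anywhere is not SSH
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        # fine: SSH from a bastion security group, not a public CIDR
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0bastion000000000"}]},
    ],
}


def _covers_ssh(perm):
    """True if the rule's protocol/port range includes TCP/22."""
    proto = perm.get("IpProtocol")
    if proto == "-1":          # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)


def find_open_ssh_rules(sg):
    """Return IpPermissions entries, ready for revoke_security_group_ingress,
    holding only the public CIDRs of each rule that exposes SSH."""
    offending = []
    for perm in sg.get("IpPermissions", []):
        if not _covers_ssh(perm):
            continue
        v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") in PUBLIC_V4]
        v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in PUBLIC_V6]
        if not (v4 or v6):
            continue                      # e.g. SSH only from a bastion SG or an office CIDR
        entry = {"IpProtocol": perm["IpProtocol"]}
        if perm["IpProtocol"] != "-1":    # all-traffic rules carry no port range
            entry["FromPort"] = perm["FromPort"]
            entry["ToPort"] = perm["ToPort"]
        if v4:
            entry["IpRanges"] = [{"CidrIp": c} for c in v4]
        if v6:
            entry["Ipv6Ranges"] = [{"CidrIpv6": c} for c in v6]
        offending.append(entry)
    return offending


def evaluate_compliance(sg):
    """What a Config custom-rule Lambda would report for this resource."""
    return "NON_COMPLIANT" if find_open_ssh_rules(sg) else "COMPLIANT"


def remediate(sg, ec2):
    """Revoke only the public CIDRs of offending rules; other sources in the same
    rule survive. Note that for a port range containing 22 this closes the whole
    range to the public CIDR, not just port 22. `ec2` is any object exposing
    revoke_security_group_ingress (a boto3 EC2 client in Lambda, FakeEc2 here)."""
    rules = find_open_ssh_rules(sg)
    if rules:
        ec2.revoke_security_group_ingress(GroupId=sg["GroupId"], IpPermissions=rules)
    return rules


class FakeEc2:
    """Records revoke calls instead of talking to AWS (test double for the example)."""
    def __init__(self):
        self.calls = []

    def revoke_security_group_ingress(self, **kwargs):
        self.calls.append(kwargs)
        return {"Return": True}


def lambda_handler(event, context):
    """Remediation entry point. Assumption: the invoking Config remediation action
    passes the security group ID as event["groupId"]."""
    import boto3  # only needed when actually running in Lambda
    ec2 = boto3.client("ec2")
    sg = ec2.describe_security_groups(GroupIds=[event["groupId"]])["SecurityGroups"][0]
    return {"groupId": sg["GroupId"], "revoked": remediate(sg, ec2)}


if __name__ == "__main__":
    fake = FakeEc2()
    print(evaluate_compliance(SAMPLE_SG))
    print(remediate(SAMPLE_SG, fake))
```

Revoking with a narrowed IpPermissions entry removes just that CIDR from the rule, so the office range and the bastion reference stay in place; the 0-65535 IPv6 rule is the edge case where a practitioner would decide whether to close the whole range (as here) or re-add it minus port 22.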