Q94 — AWS DOP-C02 Ch.1


During a security audit, a company discovers some security groups allowing SSH traffic from 0.0.0.0/0. A security team wants to implement a solution to detect and remediate this issue as quickly as possible. The company uses AWS Organizations to centrally manage its security services across all AWS accounts.

Correct Answer: A. Enable AWS Config across all AWS accounts. Use a periodic trigger to invoke the vpc-sg-open-only-to-authorized-ports AWS Config managed rule. Create an AWS Lambda function to remediate any noncompliant resources.

Explanation

Allowing SSH (port 22) from 0.0.0.0/0 is a high-risk misconfiguration that requires rapid detection and automated remediation. In an AWS Organizations environment, AWS Config supports cross-account compliance monitoring. The managed rule vpc-sg-open-only-to-authorized-ports (formerly vpc-port-check) detects unrestricted SSH access. Option A uses this standardized, AWS-maintained rule with periodic evaluation and Lambda-based remediation, which aligns with the AWS Well-Architected Framework principles of continuous monitoring and automated correction. Option B deletes *all* security group rules, risking service disruption. Option C uses a custom rule, forfeiting the accuracy and updates of an AWS-maintained rule. Option D introduces an hourly delay, failing the 'as quickly as possible' requirement. Thus, option A is optimal.