Q16 — AWS DOP-C02 Ch.2


A company uses a single AWS account to test an application on Amazon EC2 instances. The company has enabled AWS Config in the AWS account and activated the restricted-ssh AWS Config managed rule. The company requires an automated monitoring solution that sends a custom notification whenever any security group in the account violates the restricted-ssh rule. The custom notification must include the name and ID of the noncompliant security group. A DevOps engineer has created an Amazon Simple Notification Service (Amazon SNS) topic in the account and subscribed appropriate personnel to it. What should the DevOps engineer do next to meet these requirements?

Correct Answer: A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that matches NON_COMPLIANT AWS Config evaluation results for the restricted-ssh rule. Configure an input transformer for the EventBridge (CloudWatch Events) rule. Configure the EventBridge (CloudWatch Events) rule to publish notifications to the SNS topic.

Explanation

Option A is correct. First, creating an Amazon EventBridge rule that matches NON_COMPLIANT AWS Config evaluation results specifically for the restricted-ssh rule ensures that only violations of that rule trigger a notification. Configuring an input transformer lets the rule reshape the event data into the custom message the requirement calls for. Finally, configuring the EventBridge rule to publish to the already created and subscribed SNS topic satisfies the requirement for real-time custom notifications containing the noncompliant security group name and ID. The other options either fail to target that specific rule's noncompliance accurately or use less direct and less efficient implementation methods.
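The pieces option A describes, as an added example (not from the page or from AWS): the EventBridge event pattern that matches only NON_COMPLIANT restricted-ssh results, the input transformer (InputPathsMap plus InputTemplate) that builds the SNS message, and a small local renderer so the message can be checked before the rule is wired to the topic. The event field names are assumed to follow AWS Config's compliance-change event; the sample event is constructed.

```python
import json
import re

# Event pattern: only NON_COMPLIANT evaluations of the restricted-ssh rule match.
EVENT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "configRuleName": ["restricted-ssh"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}
# Input transformer: InputPathsMap extracts fields, InputTemplate is the SNS message.
INPUT_PATHS_MAP = {"rule": "$.detail.configRuleName", "sg": "$.detail.resourceId",
                   "type": "$.detail.resourceType", "region": "$.detail.awsRegion"}
INPUT_TEMPLATE = '"Security group <sg> (<type>) in <region> is NON_COMPLIANT with <rule>"'

SAMPLE_EVENT = {  # constructed sample; not a real account, region or group
    "source": "aws.config", "detail-type": "Config Rules Compliance Change",
    "detail": {"resourceId": "sg-0123456789abcdef0", "resourceType": "AWS::EC2::SecurityGroup",
               "awsRegion": "us-east-1", "configRuleName": "restricted-ssh",
               "newEvaluationResult": {"complianceType": "NON_COMPLIANT"}},
}

def matches(event, pattern):
    """Simplified EventBridge matching: each pattern leaf lists the allowed values."""
    for key, spec in pattern.items():
        if key not in event:
            return False
        if isinstance(spec, dict):
            if not isinstance(event[key], dict) or not matches(event[key], spec):
                return False
        elif event[key] not in spec:
            return False
    return True

def lookup(event, path):
    """Resolve a simple '$.a.b' JSON path of the kind used in InputPathsMap."""
    node = event
    for part in path.removeprefix("$.").split("."):
        node = node[part]
    return node

def notification_for(event):
    """Return the rendered SNS message, or None when the rule would not fire."""
    if not matches(event, EVENT_PATTERN):
        return None
    values = {k: str(lookup(event, p)) for k, p in INPUT_PATHS_MAP.items()}
    return json.loads(re.sub(r"<(\w+)>", lambda m: values[m.group(1)], INPUT_TEMPLATE))
```

The renderer places the resource ID and rule name in the message; retrieving the group's name is not shown here.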