Q81 — AWS DOP-C02 Ch.2
A company uses a single AWS account to test applications on Amazon EC2 instances. The company has enabled AWS Config in the AWS account and activated the restricted-ssh AWS Config managed rule. The company needs an automated monitoring solution that sends notifications whenever any security group in the account violates the restricted-ssh rule. Notifications must include the name and ID of noncompliant security groups. A DevOps engineer has created an Amazon Simple Notification Service (Amazon SNS) topic and subscribed appropriate personnel.
- A. Create an Amazon EventBridge rule matching AWS Config evaluation results with NON_COMPLIANT status for the restricted-ssh rule. Configure an input transformer for the EventBridge rule. Configure the EventBridge rule to publish notifications to the SNS topic. ✓
- B. Configure AWS Config to send all evaluation results for the restricted-ssh rule directly to the SNS topic. Configure a filter policy on the SNS topic to deliver only notifications containing the text 'NON_COMPLIANT'.
- C. Create an Amazon EventBridge rule matching AWS Config evaluation results with NON_COMPLIANT status for the restricted-ssh rule. Configure the EventBridge rule to invoke an AWS Systems Manager Run Command on the SNS topic to customize the notification and publish it to the SNS topic.
- D. Create an Amazon EventBridge rule matching all AWS Config evaluation results with NON_COMPLIANT status. Configure an input transformer for the restricted-ssh rule. Configure the EventBridge rule to publish notifications to the SNS topic.
Correct Answer: A. Create an Amazon EventBridge rule matching AWS Config evaluation results with NON_COMPLIANT status for the restricted-ssh rule. Configure an input transformer for the EventBridge rule. Configure the EventBridge rule to publish notifications to the SNS topic.
Explanation
This question tests the integration of AWS Config, EventBridge, and SNS for real-time compliance notifications. AWS documentation states that AWS Config publishes configuration changes and compliance status as events to EventBridge. The EventBridge rule's event pattern must match both the specific rule name (restricted-ssh) and the NON_COMPLIANT status. An input transformer then extracts the relevant metadata from the matched event (for example, the security group name and ID) and reformats it into a readable message before the rule publishes it to the SNS topic. Option A correctly filters on the specific rule and uses input transformation to construct the tailored notification. Option B fails because an SNS filter policy cannot parse structured AWS Config event fields such as security group identifiers. Option C unnecessarily invokes Systems Manager Run Command, which has no role in customizing or publishing a notification. Option D lacks rule-specific filtering and would match every NON_COMPLIANT evaluation in the account, not only those for restricted-ssh.