Q81 — AWS DOP-C02 Ch.2


A company uses a single AWS account to test applications on Amazon EC2 instances. The company has enabled AWS Config in the AWS account and activated the restricted-ssh AWS Config managed rule. The company needs an automated monitoring solution that sends notifications whenever any security group in the account violates the restricted-ssh rule. Notifications must include the name and ID of noncompliant security groups. A DevOps engineer has created an Amazon Simple Notification Service (Amazon SNS) topic and subscribed appropriate personnel.

Correct Answer: A. Create an Amazon EventBridge rule matching AWS Config evaluation results with NON_COMPLIANT status for the restricted-ssh rule. Configure an input transformer for the EventBridge rule. Configure the EventBridge rule to publish notifications to the SNS topic.

Explanation

This question tests the integration of AWS Config, EventBridge, and SNS for real-time compliance notifications. AWS documentation states that AWS Config publishes configuration changes and compliance status as events to EventBridge. The EventBridge rule must match both the Config rule name (restricted-ssh) and the NON_COMPLIANT compliance status; an input transformer then extracts metadata (e.g., the security group name and ID) from the event and reformats the message before it is published to SNS. Option A correctly filters for the specific rule and uses input transformation to construct a tailored notification. Option B's SNS filter policy cannot parse structured AWS Config event fields such as security group identifiers. Option C unnecessarily invokes Systems Manager Run Command, which is irrelevant here. Option D lacks rule-specific filtering and would match all NON_COMPLIANT evaluations, not just those for restricted-ssh.