Q100 — AWS DOP-C02 Ch.3


A company’s developers use Amazon EC2 instances as remote workstations. The company is concerned that users might create or modify EC2 security group rules allowing unrestricted inbound access. A DevOps engineer must develop a solution to detect when users create unrestricted security group rules. The solution must detect security group rule changes nearly in real time, remove unrestricted rules, and send email notifications to the security team. The DevOps engineer has created an AWS Lambda function that accepts a security group ID as input, removes rules permitting unrestricted access, and sends notifications via Amazon Simple Notification Service (Amazon SNS). What should the DevOps engineer do next to meet the requirements?

Correct Answer: C. Create an Amazon EventBridge event rule with the default event bus as the source. Define an event pattern matching EC2 security group creation and modification events. Configure the rule to invoke the Lambda function.

Explanation

Amazon EventBridge (formerly CloudWatch Events) is the AWS service designed to monitor and respond to resource-level events across AWS services. EC2 security group creation and modification API calls (e.g., AuthorizeSecurityGroupIngress) are delivered to the default event bus as CloudTrail API-call events, so a rule on that bus can match them the moment they occur. Option C correctly configures an EventBridge rule with an event pattern that matches those EC2 security group events and invokes the Lambda function directly, which gives near real-time detection and remediation. Option A misuses SNS as an intermediary instead of direct event triggering; Option B's scheduled invocation introduces latency and cannot guarantee a real-time response; Option D unnecessarily overcomplicates the architecture, since the default event bus already delivers the relevant AWS service events. An EventBridge event pattern with a Lambda target is the standard, recommended approach.
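The following is an added example, not code from the question or from AWS, showing the two halves of the Option C design: the EventBridge event pattern that selects EC2 security group API calls from the default bus, and a Lambda handler that takes the security group ID from the matched event, revokes any inbound rule open to `0.0.0.0/0` or `::/0`, and publishes an SNS notification. The pattern key names (`source`, `detail-type`, `detail.eventName`, `detail.requestParameters.groupId`) follow the CloudTrail-via-EventBridge event shape; the `matches_pattern` helper is a deliberately simplified subset of EventBridge's matching rules, the sample event and `FakeEc2` client are constructed here so the code runs offline, and the `TOPIC_ARN` environment variable and the `sg-0123456789abcdef0` ID are placeholders.

```python
import json
import os

# Event pattern for the EventBridge rule (default bus). Assumption: the rule should
# fire on the CloudTrail-delivered EC2 API calls that create or change SG rules.
SG_CHANGE_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": ["AuthorizeSecurityGroupIngress", "ModifySecurityGroupRules",
                      "CreateSecurityGroup"],
    },
}

UNRESTRICTED = {"0.0.0.0/0", "::/0"}  # "anywhere" CIDRs the Lambda must remove


def matches_pattern(event, pattern=SG_CHANGE_PATTERN):
    """Simplified EventBridge matching: every pattern key must exist in the event;
    nested dicts recurse; a leaf list means 'event value is one of these'."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], expected):
                return False
        elif event[key] not in expected:
            return False
    return True


def group_id_from_event(event):
    """Extract the security group ID the Lambda expects as input from the CloudTrail detail.
    Authorize/Modify calls carry it in requestParameters; CreateSecurityGroup returns it
    in responseElements."""
    detail = event.get("detail", {})
    gid = (detail.get("requestParameters") or {}).get("groupId")
    if gid is None:
        gid = (detail.get("responseElements") or {}).get("groupId")
    return gid


def unrestricted_permissions(ip_permissions):
    """From a DescribeSecurityGroups IpPermissions list, keep only the entries that
    contain an unrestricted range, trimmed to just those ranges so the result can be
    passed straight to revoke_security_group_ingress without touching narrower rules."""
    result = []
    for perm in ip_permissions:
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") in UNRESTRICTED]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in UNRESTRICTED]
        if not v4 and not v6:
            continue
        trimmed = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
        if v4:
            trimmed["IpRanges"] = v4
        if v6:
            trimmed["Ipv6Ranges"] = v6
        result.append(trimmed)
    return result


def remediate(group_id, ec2, sns=None, topic_arn=None):
    """Revoke unrestricted inbound rules on group_id and notify. Clients are injected so
    the logic can run against a stand-in offline. Returns the permissions revoked."""
    sg = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    bad = unrestricted_permissions(sg.get("IpPermissions", []))
    if bad:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=bad)
        if sns is not None and topic_arn:
            sns.publish(TopicArn=topic_arn,
                        Subject=f"Unrestricted ingress removed from {group_id}",
                        Message=json.dumps({"groupId": group_id, "revoked": bad}, indent=2))
    return bad


def lambda_handler(event, context):
    """Lambda entry point invoked by the EventBridge rule (real boto3 clients here)."""
    gid = group_id_from_event(event) if matches_pattern(event) else None
    if gid is None:
        return {"ignored": True}
    import boto3  # imported lazily so the rest of the module runs without boto3 installed
    revoked = remediate(gid, boto3.client("ec2"), boto3.client("sns"), os.environ.get("TOPIC_ARN"))
    return {"groupId": gid, "revoked": revoked}


class FakeEc2:
    """Offline stand-in for a boto3 EC2 client (constructed for this example only)."""
    def __init__(self, perms):
        self.perms, self.revoked = perms, []

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [{"GroupId": GroupIds[0], "IpPermissions": self.perms}]}

    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        self.revoked.append((GroupId, IpPermissions))
        return {"Return": True}


# Constructed sample event in the CloudTrail-via-EventBridge shape (placeholder SG ID).
SAMPLE_EVENT = {
    "source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
               "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
}
# Constructed DescribeSecurityGroups output: SSH open to the world, HTTPS restricted,
# and an all-traffic IPv6 rule open to the world.
SAMPLE_PERMS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]

if __name__ == "__main__":
    fake = FakeEc2(SAMPLE_PERMS)
    print(json.dumps(remediate(group_id_from_event(SAMPLE_EVENT), fake), indent=2))
```

Because only the unrestricted ranges are passed to `revoke_security_group_ingress`, the `10.0.0.0/8` SSH entry on the same rule survives; that trimming is what keeps the remediation from being wider than the detection.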