Q5 — AWS DOP-C02 Ch.3


A company’s application development team uses Linux-based Amazon EC2 instances as bastion hosts. SSH access to the bastion hosts is restricted to specific IP addresses, as defined in associated security groups. If the security group rules are modified to allow SSH access from any IP address, the company’s security team wants to receive notifications. What should a DevOps engineer do to meet this requirement?

Correct Answer: C. Create an AWS Config rule using the restricted-ssh managed rule to check whether security groups prohibit unrestricted inbound SSH traffic. Configure auto-remediation to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.

Explanation

AWS Config continuously evaluates recorded resource configurations against rules. Its restricted-ssh managed rule (source identifier INCOMING_SSH_DISABLED) targets AWS::EC2::SecurityGroup resources and is triggered by configuration changes: a group is marked NON_COMPLIANT when an inbound rule allows SSH (TCP port 22) from 0.0.0.0/0 or ::/0, and COMPLIANT when every SSH source is a narrower CIDR. So when a bastion security group is modified to allow SSH from any IP address, the change is recorded, the rule re-evaluates that group, and the evaluation result flips to NON_COMPLIANT. Automatic remediation on the rule runs an AWS Systems Manager Automation document against each NON_COMPLIANT resource; using the AWS-owned document AWS-PublishSNSNotification publishes a message to an Amazon SNS topic the security team subscribes to, which gives them the notification the requirement asks for. Note that this remediation only notifies; it does not revert the security group rule, and the Automation assume role it runs under needs sns:Publish permission on the topic. Option A relies on CloudTrail events and needs additional filtering to isolate this specific kind of modification; Option B depends on threat detection rather than configuration compliance; Option D focuses on vulnerability findings rather than security group rule changes. Correct answer C uses AWS Config's compliance-checking mechanism directly and matches the requirement.
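The following is an added example, not code from the exam page or from AWS: a local model of how the restricted-ssh check classifies a security group, applied to constructed security group descriptions in the shape returned by ec2.describe_security_groups, followed by the parameter dictionaries that would create the managed rule and its SNS-publishing remediation through boto3's put_config_rule and put_remediation_configurations. It goes beyond the single case in the question by also covering an IPv6 ::/0 source, an "all traffic" rule and a TCP port range that spans 22; treating those last two as allowing SSH is this model's assumption about the managed rule, which the page does not spell out. The group IDs, topic ARN and role ARN are placeholders, and no AWS call is made.

```python
"""Local model of AWS Config's restricted-ssh (INCOMING_SSH_DISABLED) verdict
plus the boto3 kwargs that would wire the rule to an SNS-publishing remediation.
Added example; security groups below are constructed samples, no AWS calls."""
import json
from ipaddress import ip_network

SSH_PORT = 22


def permission_covers_ssh(perm: dict) -> bool:
    """True if one IpPermissions entry admits TCP/22.

    Model assumption: an "all traffic" rule (IpProtocol "-1") and a TCP port
    range that spans 22 both count as allowing SSH.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)


def unrestricted_sources(perm: dict) -> list:
    """Sources that mean 'anyone': any /0 prefix, i.e. 0.0.0.0/0 or ::/0."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ip_network(c, strict=False).prefixlen == 0]


def evaluate_security_group(sg: dict) -> dict:
    """COMPLIANT/NON_COMPLIANT for one group, with the offending inbound rules."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        if not permission_covers_ssh(perm):
            continue
        for cidr in unrestricted_sources(perm):
            findings.append({"protocol": perm.get("IpProtocol"),
                             "from_port": perm.get("FromPort"),
                             "to_port": perm.get("ToPort"), "source": cidr})
    return {"resource_id": sg["GroupId"],
            "compliance": "NON_COMPLIANT" if findings else "COMPLIANT",
            "findings": findings}


# Constructed samples: documentation address ranges, placeholder group IDs.
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion-restricted", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}],
         "Ipv6Ranges": [{"CidrIpv6": "2001:db8::/32"}]}]},
    {"GroupId": "sg-bastion-open", "IpPermissions": [           # the exam scenario
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-all-traffic-v6", "IpPermissions": [         # no ports, IPv6 anyone
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-https-only", "IpPermissions": [             # open, but not SSH
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-low-port-range", "IpPermissions": [         # range spans 22
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]


def config_rule_params(rule_name: str = "bastion-restricted-ssh") -> dict:
    """Kwargs for config.put_config_rule(): managed rule scoped to security groups."""
    return {"ConfigRule": {
        "ConfigRuleName": rule_name,
        "Source": {"Owner": "AWS", "SourceIdentifier": "INCOMING_SSH_DISABLED"},
        "Scope": {"ComplianceResourceTypes": ["AWS::EC2::SecurityGroup"]}}}


def remediation_params(rule_name: str, topic_arn: str, role_arn: str) -> dict:
    """Kwargs for config.put_remediation_configurations(): automatic SNS publish
    via the AWS-owned Automation document AWS-PublishSNSNotification. role_arn is
    the Automation assume role, which must be allowed sns:Publish on the topic."""
    def static(value):
        return {"StaticValue": {"Values": [value]}}
    return {"RemediationConfigurations": [{
        "ConfigRuleName": rule_name,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": "AWS-PublishSNSNotification",
        "Parameters": {
            "AutomationAssumeRole": static(role_arn),
            "TopicArn": static(topic_arn),
            "Message": static(f"AWS Config rule {rule_name}: a security group now "
                              "allows SSH from any address (NON_COMPLIANT).")},
        "Automatic": True,
        "MaximumAutomaticAttempts": 1,
        "RetryAttemptSeconds": 60}]}


if __name__ == "__main__":
    for group in SAMPLE_GROUPS:
        print(json.dumps(evaluate_security_group(group)))
    print(json.dumps(config_rule_params(), indent=2))
    print(json.dumps(remediation_params(
        "bastion-restricted-ssh",
        "arn:aws:sns:us-east-1:123456789012:sg-alerts",             # placeholder
        "arn:aws:iam::123456789012:role/ConfigRemediationRole"),   # placeholder
        indent=2))
```

Running it prints one verdict per sample group (the restricted bastion group and the HTTPS-only group come back COMPLIANT, the other three NON_COMPLIANT) and then the two parameter dictionaries; to deploy for real, pass them to a boto3 `config` client with the placeholder ARNs replaced, and remember that the remediation publishes a notification but leaves the offending rule in place.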