Q5 — AWS DOP-C02 Ch.3
A company’s application development team uses Linux-based Amazon EC2 instances as bastion hosts. SSH access to the bastion hosts is restricted to specific IP addresses, as defined in associated security groups. If the security group rules are modified to allow SSH access from any IP address, the company’s security team wants to receive notifications. What should a DevOps engineer do to meet this requirement?
- A. Create an Amazon EventBridge rule with aws.cloudtrail as the source and the event name AuthorizeSecurityGroupIngress. Define an Amazon Simple Notification Service (Amazon SNS) topic as the target.
- B. Enable Amazon GuardDuty and review security group findings in AWS Security Hub. Configure an Amazon EventBridge rule with a custom pattern matching GuardDuty events with output NON_COMPLIANT. Define an Amazon Simple Notification Service (Amazon SNS) topic as the target.
- C. Create an AWS Config rule using the restricted-ssh managed rule to check whether security groups prohibit unrestricted inbound SSH traffic. Configure auto-remediation to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic. ✓
- D. Enable Amazon Inspector. Include the CVE-1.1 rule package to assess security groups associated with bastion hosts. Configure Amazon Inspector to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic.
Correct Answer: C. Create an AWS Config rule using the restricted-ssh managed rule to check whether security groups prohibit unrestricted inbound SSH traffic. Configure auto-remediation to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.
Explanation
AWS Config continuously evaluates resource configuration against rules, and its managed rule restricted-ssh (rule identifier INCOMING_SSH_DISABLED) checks exactly the condition in the question: a security group is NON_COMPLIANT if any inbound rule allows TCP port 22 from 0.0.0.0/0 or ::/0, and COMPLIANT otherwise. The rule is change-triggered, so when someone edits the bastion security group to allow SSH from any IP, AWS Config re-evaluates that group on the configuration change and flips it to NON_COMPLIANT. Attaching a remediation action that publishes to an SNS topic (the managed SSM Automation document AWS-PublishSNSNotification does this) gets the message to the security team without any custom filtering logic. An equivalent pattern is an EventBridge rule matching the "Config Rules Compliance Change" event for this rule with the SNS topic as target. Option A would have to match the API calls themselves: CloudTrail management events reach EventBridge as detail-type "AWS API Call via CloudTrail" with source aws.ec2, not aws.cloudtrail, and AuthorizeSecurityGroupIngress fires for every ingress change, so the rule would still need its own filtering on port 22 and 0.0.0.0/0 and would miss edits made through ModifySecurityGroupRules. Option B confuses services: GuardDuty produces threat findings, not configuration compliance results, and NON_COMPLIANT is AWS Config terminology. Option D is wrong in kind: the Inspector CVE rules package assesses software packages on the instance, not the security groups attached to it. Answer C uses the service built for configuration compliance and a managed rule written for this exact check.
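To make the condition restricted-ssh evaluates concrete, the following is an added example, not code from this page or from AWS: a local re-implementation of the rule's documented semantics (TCP/22 reachable from 0.0.0.0/0 or ::/0) run over security groups in the IpPermissions shape that `aws ec2 describe-security-groups` returns. The real evaluation happens inside AWS Config; this stand-in only illustrates which rule shapes trip it, including the less obvious ones (a port range that spans 22, an all-traffic rule, an IPv6 source). The sample groups are constructed, and the assumption that managed prefix-list sources are not expanded is the author's, not AWS's.

```python
"""Local stand-in for the AWS Config managed rule restricted-ssh.

A security group is NON_COMPLIANT if any inbound permission lets TCP port 22
in from 0.0.0.0/0 or ::/0. Input mirrors the IpPermissions structure from
`aws ec2 describe-security-groups`. This is an illustrative re-implementation,
not AWS's evaluator; the sample groups below are constructed.
"""

SSH_PORT = 22
ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"


def _covers_ssh(perm: dict) -> bool:
    """True if this permission's protocol/port range includes TCP/22."""
    proto = str(perm.get("IpProtocol", ""))
    if proto == "-1":                 # all traffic: no FromPort/ToPort keys
        return True
    if proto.lower() != "tcp":
        return False
    return perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)


def _open_to_world(perm: dict) -> bool:
    """True if a CIDR source on this permission is the whole internet.
    Security-group references (UserIdGroupPairs) are never 'world';
    prefix-list sources are not expanded here (assumption for this example)."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def unrestricted_ssh_rules(sg: dict) -> list:
    """Return the inbound permissions that expose SSH to everyone."""
    return [p for p in sg.get("IpPermissions", [])
            if _covers_ssh(p) and _open_to_world(p)]


def evaluate(sg: dict) -> str:
    """Compliance value in AWS Config's vocabulary."""
    return "NON_COMPLIANT" if unrestricted_ssh_rules(sg) else "COMPLIANT"


# Constructed sample groups (GroupIds are placeholders, not real AWS ids).
SAMPLE_GROUPS = [
    {   # bastion group as intended: SSH only from the office range
        "GroupId": "sg-bastion-ok",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {   # the change in the question: SSH opened to any IPv4 address
        "GroupId": "sg-bastion-open",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []}]},
    {   # port range 20-25 spans 22, and the source is the IPv6 internet
        "GroupId": "sg-range-v6",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]}]},
    {   # "all traffic from anywhere" also exposes SSH
        "GroupId": "sg-all-traffic",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []}]},
    {   # world-open HTTPS plus SSH from another security group: not flagged
        "GroupId": "sg-https-only",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-jumphost"}]}]},
]


def compliance_report(groups=SAMPLE_GROUPS) -> dict:
    """Map GroupId -> COMPLIANT / NON_COMPLIANT for a list of groups."""
    return {g["GroupId"]: evaluate(g) for g in groups}


if __name__ == "__main__":
    for group_id, status in compliance_report().items():
        print(f"{group_id:16s} {status}")
```

Of the five constructed groups, only sg-bastion-ok and sg-https-only come back COMPLIANT; the other three are NON_COMPLIANT, and the last two of those show why a detector keyed only on "port 22 and 0.0.0.0/0" (the filtering Option A would need to add) is easy to get wrong.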