Q89 — AWS DOP-C02 Ch.3
Question 89 of 100, Chapter 3
A company uses a single AWS account to test applications on Amazon EC2 instances. The company has enabled AWS Config in the account and activated the `restricted-ssh` AWS Config managed rule. The company requires an automated monitoring solution that sends custom notifications whenever any security group in the account violates the `restricted-ssh` rule. Custom notifications must include the noncompliant security group’s name and ID. A DevOps engineer created an Amazon Simple Notification Service (Amazon SNS) topic and subscribed appropriate personnel. What should the DevOps engineer do next to meet these requirements?
- A. Create an Amazon EventBridge rule matching `NON_COMPLIANT` AWS Config evaluation results for the `restricted-ssh` rule. Configure an input transformer for the EventBridge rule. Configure the EventBridge rule to publish notifications to the SNS topic. ✓
- B. Configure AWS Config to send all evaluation results for the `restricted-ssh` rule to the SNS topic. Configure a filter policy on the SNS topic to deliver only notifications containing the text 'NON_COMPLIANT'.
- C. Create an Amazon EventBridge rule matching `NON_COMPLIANT` AWS Config evaluation results for the `restricted-ssh` rule. Configure the EventBridge rule to invoke AWS Systems Manager Run Command on the SNS topic to customize the notification and republish it to the SNS topic.
- D. Create an Amazon EventBridge rule matching all `NON_COMPLIANT` AWS Config evaluation results. Configure an input transformer for the `restricted-ssh` rule. Configure the EventBridge rule to publish notifications to the SNS topic.
Correct Answer: A. Create an Amazon EventBridge rule matching `NON_COMPLIANT` AWS Config evaluation results for the `restricted-ssh` rule. Configure an input transformer for the EventBridge rule. Configure the EventBridge rule to publish notifications to the SNS topic.
Explanation
Option A is correct. Amazon EventBridge rules can precisely detect and respond to specific events. Creating a rule matching only `NON_COMPLIANT` evaluations for the `restricted-ssh` rule ensures accurate, targeted detection. An input transformer formats the event payload to extract and include the noncompliant security group’s name and ID in the notification. Publishing directly to the preconfigured SNS topic delivers customized, actionable alerts immediately. Option B lacks filtering precision (all evaluations sent, then filtered post-hoc) and cannot enrich payloads with resource identifiers. Option C misuses Systems Manager Run Command, which is inappropriate for notification formatting. Option D matches *all* `NON_COMPLIANT` evaluations indiscriminately, not just those for `restricted-ssh`, violating specificity requirements.
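As an added illustration of option A (not part of the original question set), the following Python sketches the rule's event pattern and input transformer and applies them to a constructed Config compliance-change event. The matcher and JSONPath resolver are minimal stand-ins for EventBridge's own engine, and the sample event is trimmed to the fields the transformer reads.

```python
import json
import re
# Constructed sample "Config Rules Compliance Change" event; account and IDs are made up.
SAMPLE_EVENT = {
    "source": "aws.config", "detail-type": "Config Rules Compliance Change",
    "account": "111122223333", "region": "us-east-1",
    "detail": {"resourceId": "sg-0123456789abcdef0", "resourceType": "AWS::EC2::SecurityGroup",
               "configRuleName": "restricted-ssh",
               "newEvaluationResult": {"complianceType": "NON_COMPLIANT"}},
}
# Event pattern scoped to NON_COMPLIANT results of restricted-ssh only (option A, unlike option D).
EVENT_PATTERN = {
    "source": ["aws.config"], "detail-type": ["Config Rules Compliance Change"],
    "detail": {"configRuleName": ["restricted-ssh"],
               "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]}},
}
# Input transformer: InputPathsMap pulls fields from the event, InputTemplate renders the message.
INPUT_PATHS = {"sg": "$.detail.resourceId", "rule": "$.detail.configRuleName",
               "status": "$.detail.newEvaluationResult.complianceType",
               "acct": "$.account", "region": "$.region"}
INPUT_TEMPLATE = '"Security group <sg> in <acct>/<region> is <status> for AWS Config rule <rule>"'

def matches(pattern, event):
    # Minimal EventBridge-style matcher: every pattern key must exist; leaf lists are allowed values.
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True

def resolve_path(event, path):
    # Walk a simple "$.a.b" JSONPath into the event dict.
    node = event
    for part in path.removeprefix("$.").split("."):
        node = node[part]
    return node

def transform(event, paths, template):
    # Substitute <name> placeholders with resolved values, then parse the rendered JSON string.
    values = {name: str(resolve_path(event, p)) for name, p in paths.items()}
    return json.loads(re.sub(r"<(\w+)>", lambda m: values[m.group(1)], template))

def build_notification(event):
    # SNS message for an event matching the rule pattern, else None (EventBridge would drop it).
    return transform(event, INPUT_PATHS, INPUT_TEMPLATE) if matches(EVENT_PATTERN, event) else None
```

In a real deployment the same two JSON documents become the EventBridge rule's event pattern and the SNS target's input transformer; nothing else needs to run between Config and the topic.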