Q75 — AWS SCS-C02 Ch.1
A company has a requirement that no Amazon EC2 security group can allow SSH access from the CIDR block 0.0.0.0/0. The company wants to monitor compliance with this requirement at all times and wants to receive a near-real-time notification if any security group is noncompliant. A security engineer has configured AWS Config and will use the restricted-ssh managed rule to monitor the security groups. What should the security engineer do next to meet these requirements?
- A. Configure AWS Config to send its configuration snapshots to an Amazon S3 bucket. Create an AWS Lambda function to run on a PutEvent to the S3 bucket. Configure the Lambda function to parse the snapshot for a compliance change to the restricted-ssh managed rule. Configure the Lambda function to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if a change is discovered.
- B. Configure an Amazon EventBridge event rule that is invoked by a compliance change event from AWS Config for the restricted-ssh managed rule. Configure the event rule to target an Amazon Simple Notification Service (Amazon SNS) topic that will provide a notification. ✓
- C. Configure AWS Config to push all its compliance notifications to Amazon CloudWatch Logs. Configure a CloudWatch Logs metric filter on the AWS Config log group to look for a compliance notification change on the restricted-ssh managed rule. Create an Amazon CloudWatch alarm on the metric filter to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if the alarm is in the ALARM state.
- D. Configure an Amazon CloudWatch alarm on the CloudWatch metric for the restricted-ssh managed rule. Configure the CloudWatch alarm to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if the alarm is in the ALARM state.
Correct Answer: B. Configure an Amazon EventBridge event rule that is invoked by a compliance change event from AWS Config for the restricted-ssh managed rule. Configure the event rule to target an Amazon Simple Notification Service (Amazon SNS) topic that will provide a notification.
Explanation
The integration between AWS Config and Amazon EventBridge responds to compliance events in real time. When AWS Config detects that a resource does not comply with the restricted-ssh rule, it generates a compliance change event. EventBridge matches these events against a rule and routes them directly to an Amazon SNS topic, which sends the notification. Option B uses this native event-driven architecture with no intermediate data-processing step, which is what makes the notification near-real-time. The other options involve additional storage (S3), batch processing (Lambda), or indirect log analysis (CloudWatch Logs), each of which adds latency or complexity. AWS documentation identifies EventBridge as the preferred way to act on Config compliance changes, because it captures and manages the event stream directly.
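To make the event-driven path in option B concrete, here is an added example (not code from the exam page or from AWS) that builds the EventBridge event pattern for a restricted-ssh compliance change and applies a simplified version of EventBridge's exact-match semantics to a constructed Config event. The pattern keys follow the documented "Config Rules Compliance Change" event shape; the account ID, region, and security group ID in the sample event are placeholders, and the matcher only implements the literal-value-list subset of EventBridge patterns.

```python
"""Match AWS Config compliance-change events the way an EventBridge rule does.

Added example, not from the exam page or AWS: a minimal implementation of
EventBridge exact-match pattern semantics, applied to a constructed
"Config Rules Compliance Change" event for the restricted-ssh managed rule.
"""
import json

# EventBridge event pattern: fires only when restricted-ssh flips to NON_COMPLIANT.
# This JSON is what would be supplied as the rule's event pattern in the console/CLI.
RESTRICTED_SSH_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "messageType": ["ComplianceChangeNotification"],
        "configRuleName": ["restricted-ssh"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}


def matches(pattern, event):
    """Return True if `event` satisfies `pattern` (exact-match subset of EventBridge).

    Every key in the pattern must exist in the event; a list means "the value is
    one of these"; a dict recurses. Event keys the pattern omits are ignored,
    which is also how EventBridge treats them.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if actual not in expected:
                return False
        else:
            raise ValueError("pattern leaves must be lists of literal values")
    return True


def sample_event(compliance_type="NON_COMPLIANT", rule="restricted-ssh"):
    """Constructed Config compliance-change event; account, region, and
    security group ID are placeholders, not real identifiers."""
    return {
        "version": "0",
        "id": "00000000-0000-0000-0000-000000000000",
        "detail-type": "Config Rules Compliance Change",
        "source": "aws.config",
        "account": "111122223333",
        "time": "2024-01-01T00:00:00Z",
        "region": "us-east-1",
        "resources": [],
        "detail": {
            "resourceId": "sg-0123456789abcdef0",
            "awsRegion": "us-east-1",
            "awsAccountId": "111122223333",
            "configRuleName": rule,
            "messageType": "ComplianceChangeNotification",
            "newEvaluationResult": {"complianceType": compliance_type},
            "resourceType": "AWS::EC2::SecurityGroup",
        },
    }


def sns_message(event):
    """Text an SNS subscriber would receive for a matched event."""
    d = event["detail"]
    return (f"{d['configRuleName']}: {d['resourceType']} {d['resourceId']} is "
            f"{d['newEvaluationResult']['complianceType']} in {d['awsRegion']}")


if __name__ == "__main__":
    print(json.dumps(RESTRICTED_SSH_PATTERN, indent=2))
    # A noncompliant change notifies; a COMPLIANT change and another rule's event do not.
    for ev in (sample_event(), sample_event("COMPLIANT"), sample_event(rule="other-rule")):
        if matches(RESTRICTED_SSH_PATTERN, ev):
            print("NOTIFY ->", sns_message(ev))
        else:
            d = ev["detail"]
            print("ignored:", d["configRuleName"], d["newEvaluationResult"]["complianceType"])
```

Restricting the pattern to `NON_COMPLIANT` is what keeps the SNS topic from paging on every evaluation, including the return to compliance; drop that key if the team also wants "back to compliant" notifications. In a real deployment the SNS topic's resource policy must also allow the EventBridge service principal (events.amazonaws.com) to publish, otherwise the rule matches but the target delivery fails silently apart from the rule's failed-invocation metric.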