
Answer-first summary for fast verification
Answer: Configure an SCP to deny the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is 0.0.0.0/0. Apply the SCP to the NonProd OU.
1. Explanation for Answer D: The solution that meets the requirement with the least operational overhead is to configure a Service Control Policy (SCP) that denies the `ec2:AuthorizeSecurityGroupIngress` action when the `aws:SourceIp` condition key is set to `0.0.0.0/0`. By applying this SCP to the NonProd OU, you effectively prevent any user or service within the accounts of the NonProd OU from creating or modifying security groups to allow inbound traffic from any IP address (0.0.0.0/0). This policy directly addresses the security concern without requiring additional monitoring or remediation processes, thus minimizing operational overhead.

2. The other options are not as effective or efficient:
- Option A involves modifying the EventBridge rule to invoke a Lambda function, which adds complexity and operational overhead for monitoring and remediation.
- Option B, adding the `vpc-sg-open-only-to-authorized-ports` AWS Config managed rule, does not specifically address the prevention of `0.0.0.0/0` as the source in security group rules.
- Option C, configuring an SCP to allow `ec2:AuthorizeSecurityGroupIngress` only when `aws:SourceIp` is not `0.0.0.0/0`, is not as straightforward as denying the action when the source is `0.0.0.0/0`, and it could potentially allow unintended configurations if not managed carefully.
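The following policy document is an added example, not part of the original page, that writes option D out in SCP syntax exactly as the answer words it: an explicit Deny on `ec2:AuthorizeSecurityGroupIngress` conditioned on `aws:SourceIp` being `0.0.0.0/0`. The statement ID is an assumed name; the policy still has to be created with `aws organizations create-policy --type SERVICE_CONTROL_POLICY` and attached to the NonProd OU with `aws organizations attach-policy` (using your own policy ID and OU ID), and SCPs only take effect when the organization has all features enabled.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOpenIngressFromAnywhere",
      "Effect": "Deny",
      "Action": "ec2:AuthorizeSecurityGroupIngress",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "0.0.0.0/0"
        }
      }
    }
  ]
}
```

Because an SCP is a guardrail evaluated before any identity policy in the member accounts, the Deny applies to every principal in the OU, including account administrators, with no per-account deployment or remediation Lambda to maintain; the existing EventBridge-to-SNS notification in each account keeps working as the detective control alongside it.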
Author: LeetQuiz Editorial Team
A company has 10 accounts that are part of an organization in AWS Organizations. AWS Config is configured in each account. All accounts belong to either the Prod OU or the NonProd OU. The company has set up an Amazon EventBridge rule in each AWS account to notify an Amazon Simple Notification Service (Amazon SNS) topic when an Amazon EC2 security group inbound rule is created with 0.0.0.0/0 as the source. The company’s security team is subscribed to the SNS topic. For all accounts in the NonProd OU, the security team needs to remove the ability to create a security group inbound rule that includes 0.0.0.0/0 as the source. Which solution will meet this requirement with the LEAST operational overhead?
A. Modify the EventBridge rule to invoke an AWS Lambda function to remove the security group inbound rule and to publish to the SNS topic. Deploy the updated rule to the NonProd OU.
B. Add the vpc-sg-open-only-to-authorized-ports AWS Config managed rule to the NonProd OU.
C. Configure an SCP to allow the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is not 0.0.0.0/0. Apply the SCP to the NonProd OU.
D. Configure an SCP to deny the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is 0.0.0.0/0. Apply the SCP to the NonProd OU.