
A company's application development team utilizes Linux-based Amazon EC2 instances configured as bastion hosts. These bastion hosts have inbound SSH access restricted to specific IP addresses, as defined in their associated security groups. The company's security team has requested a mechanism to be notified if any modifications to these security group rules result in allowing SSH access from any IP address. What solution should a DevOps engineer implement to fulfill this security requirement?
A
Create an Amazon EventBridge rule with a source of aws.cloudtrail and the event name AuthorizeSecurityGroupIngress. Define an Amazon Simple Notification Service (Amazon SNS) topic as the target.
B
Enable Amazon GuardDuty and check the findings for security groups in AWS Security Hub. Configure an Amazon EventBridge rule with a custom pattern that matches GuardDuty events with an output of NON_COMPLIANT. Define an Amazon Simple Notification Service (Amazon SNS) topic as the target.
C
Create an AWS Config rule by using the restricted-ssh managed rule to check whether security groups disallow unrestricted incoming SSH traffic. Configure automatic remediation to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.
D
Enable Amazon Inspector. Include the Common Vulnerabilities and Exposures-1.1 rules package to check the security groups that are associated with the bastion hosts. Configure Amazon Inspector to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.
Explanation:
Option A is the correct answer. Creating an Amazon EventBridge rule with a source of aws.cloudtrail and the event name AuthorizeSecurityGroupIngress, with an Amazon Simple Notification Service (Amazon SNS) topic as the target, directly addresses the requirement to notify the security team when the security group rules are modified. This works because AWS CloudTrail records the API calls made in the account, including calls that add inbound rules to security groups; EventBridge receives those records as events, matches them by source and event name, and delivers a notification through the SNS topic.
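As an added example (not part of the question or the exam source), a small Python filter that could sit between the EventBridge rule in option A and the SNS topic: the rule fires on every AuthorizeSecurityGroupIngress call, so this function inspects the CloudTrail requestParameters and reports a match only when the new rule allows port 22 from 0.0.0.0/0 or ::/0. The event shape follows the CloudTrail record as EventBridge delivers it; the group ID and addresses are constructed sample values.

```python
"""Filter for the EventBridge -> SNS path in option A: publish only when an
AuthorizeSecurityGroupIngress call actually opened SSH to any IP address."""
import json

ANY_CIDRS = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "anywhere"

def _covers_ssh(perm):
    """True when an ipPermissions item includes TCP/22 ("-1" means all protocols)."""
    proto = perm.get("ipProtocol")
    if proto == "-1":
        return True
    return proto == "tcp" and perm.get("fromPort", 22) <= 22 <= perm.get("toPort", 22)

def open_ssh_rules(event):
    """Return (groupId, cidr) pairs from the event that allow SSH from anywhere."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    params, hits = detail.get("requestParameters", {}), []
    for perm in params.get("ipPermissions", {}).get("items", []):
        if not _covers_ssh(perm):
            continue
        cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
        hits += [(params.get("groupId"), c) for c in cidrs if c in ANY_CIDRS]
    return hits

def lambda_handler(event, context=None):
    """Entry point: SNS message body to publish (via boto3 sns.publish), or None."""
    hits = open_ssh_rules(event)
    return json.dumps({"alert": "SSH opened to any IP", "rules": hits}) if hits else None

def make_event(group_id, permissions):
    """Constructed event in the shape of a CloudTrail record delivered by EventBridge."""
    return {"detail": {"eventSource": "ec2.amazonaws.com",
                       "eventName": "AuthorizeSecurityGroupIngress",
                       "requestParameters": {"groupId": group_id,
                                             "ipPermissions": {"items": permissions}}}}

# Constructed samples: world-open on 22 (v4 and v6) plus 443, then 22 from one office /32.
SAMPLE_OPEN = make_event("sg-0123456789abcdef0", [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
     "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}},
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
     "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}])
SAMPLE_RESTRICTED = make_event("sg-0123456789abcdef0", [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipRanges": {"items": [{"cidrIp": "203.0.113.10/32"}]}}])
```

Deployed as a Lambda target of the EventBridge rule, the handler publishes to the SNS topic only for the rules the security team asked about, while the 443 rule and the office /32 rule stay quiet.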