
Answer-first summary for fast verification
Answer: Configure an automatic remediation action on the AWS Config rule. Specify the AWS-DisableIncomingSSHOnPort22 remediation action.
AWS Config allows you to configure automatic remediation actions for noncompliant resources using AWS Systems Manager Automation documents. Using the managed document `AWS-DisableIncomingSSHOnPort22` is the most operationally efficient solution because it eliminates the need to develop, deploy, and maintain custom Lambda functions or EventBridge rules.
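As an added illustration (not part of the original question or the author's explanation), the following Python shows what option B amounts to in practice: the `RemediationConfiguration` that attaches the `AWS-DisableIncomingSSHOnPort22` Automation document to the Config rule, alongside a local approximation of the check the rule performs on a security group's inbound rules. The rule name `restricted-ssh` is an assumption (the default name of the managed INCOMING_SSH_DISABLED rule), the IAM role ARN is a placeholder, and the two security groups are constructed sample data; the boto3 client is injected so the module runs offline.

```python
"""Added example: AWS Config auto-remediation of unrestricted inbound SSH.
Not from the original page; identifiers marked as assumptions below."""
from typing import Any, Dict

# From the question: the managed Automation document that removes inbound SSH rules.
REMEDIATION_DOCUMENT = "AWS-DisableIncomingSSHOnPort22"
# Assumption: default name of the managed INCOMING_SSH_DISABLED rule.
CONFIG_RULE_NAME = "restricted-ssh"

# Sources the rule treats as "unrestricted".
UNRESTRICTED_CIDRS = {"0.0.0.0/0", "::/0"}


def allows_unrestricted_ssh(security_group: Dict[str, Any]) -> bool:
    """Return True if any inbound rule opens TCP/22 to the whole internet.

    Approximates the managed rule: a permission covering port 22 (or all
    traffic, protocol "-1") whose source is 0.0.0.0/0 or ::/0 is noncompliant.
    """
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto != "-1":  # "-1" means every protocol and port
            if proto != "tcp":
                continue
            if not perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535):
                continue
        sources = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        sources += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        if UNRESTRICTED_CIDRS.intersection(sources):
            return True
    return False


def build_remediation_configuration(assume_role_arn: str,
                                    automatic: bool = True) -> Dict[str, Any]:
    """Build one entry for put_remediation_configurations.

    RESOURCE_ID makes Config pass the noncompliant group's ID into the
    document's SecurityGroupId parameter; AutomationAssumeRole is the role
    Systems Manager assumes to edit the group (placeholder ARN in the demo).
    """
    return {
        "ConfigRuleName": CONFIG_RULE_NAME,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": REMEDIATION_DOCUMENT,
        "ResourceType": "AWS::EC2::SecurityGroup",
        "Automatic": automatic,
        "MaximumAutomaticAttempts": 3,   # required when Automatic is True
        "RetryAttemptSeconds": 60,
        "Parameters": {
            "SecurityGroupId": {"ResourceValue": {"Value": "RESOURCE_ID"}},
            "AutomationAssumeRole": {"StaticValue": {"Values": [assume_role_arn]}},
        },
    }


def apply_remediation(config_client: Any, assume_role_arn: str) -> Dict[str, Any]:
    """Register the configuration via an injected boto3 'config' client."""
    return config_client.put_remediation_configurations(
        RemediationConfigurations=[build_remediation_configuration(assume_role_arn)]
    )


# Constructed sample security groups (not real resources).
OPEN_SSH_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
}
RESTRICTED_SSH_GROUP = {
    "GroupId": "sg-0fedcba9876543210",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                       "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}],
}

if __name__ == "__main__":
    for sg in (OPEN_SSH_GROUP, RESTRICTED_SSH_GROUP):
        status = "NON_COMPLIANT" if allows_unrestricted_ssh(sg) else "COMPLIANT"
        print(sg["GroupId"], status)
    role = "arn:aws:iam::123456789012:role/PLACEHOLDER-config-remediation"
    print(build_remediation_configuration(role))
```

Once the configuration is in place, Config invokes the document for each resource the rule marks noncompliant, which is why no Lambda, EventBridge rule or hourly scan from the other options is needed.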
Author: Ritesh Yadav
Question #58
A company's security policy requires incoming SSH traffic to be restricted to a defined set of addresses. The company is using an AWS Config rule to check whether security groups allow unrestricted incoming SSH traffic. A CloudOps engineer discovers a noncompliant resource and fixes the security group manually. The CloudOps engineer wants to automate the remediation of other noncompliant resources.
What is the MOST operationally efficient solution that meets these requirements?
A
Create an Amazon CloudWatch alarm for the AWS Config rule's status metric. Create an AWS Lambda function that can remove the noncompliant rule from the security group. Configure the alarm action to invoke the Lambda function.
B
Configure an automatic remediation action on the AWS Config rule. Specify the AWS-DisableIncomingSSHOnPort22 remediation action.
C
Configure an Amazon EventBridge rule for AWS Config configuration item change events. Create an AWS Lambda function that can remove the noncompliant rule from the security group. Configure the rule to invoke the Lambda function.
D
Create an AWS Lambda function that can analyze a security group's inbound rules to check for unrestricted SSH access. Configure the Lambda function to remove the noncompliant rule from the security group. Configure an Amazon EventBridge rule to invoke the Lambda function every hour.