
A company wants to monitor the security groups of its Amazon EC2 instances to ensure that SSH is not open to the public. If the port is opened, the company needs to close the port as soon as possible. Which combination of actions should a SysOps administrator take to meet these requirements? (Choose two.)

A. Add an Amazon CloudWatch alarm to detect the security groups that allow SSH.
B. Add an AWS Config rule to detect the security groups that allow SSH.
C. Add an assessment template to Amazon Inspector to detect the security groups that allow SSH.
D. Call an AWS Systems Manager Automation runbook to close the port.
E. Call AWS Systems Manager Run Command to close the port.

Explanation:
Options B and D are correct.
AWS Config lets you assess, audit, and evaluate the configurations of your AWS resources. The AWS managed Config rule restricted-ssh checks whether in-use security groups disallow unrestricted inbound SSH traffic; a security group that allows SSH from any address is marked noncompliant (Option B).
To remediate automatically, configure the Config rule with a remediation action that runs an AWS Systems Manager Automation runbook such as AWS-DisablePublicAccessForSecurityGroup, which closes the port without manual intervention (Option D).
CloudWatch alarms (Option A) act on metrics, not on configuration audits. Amazon Inspector (Option C) is primarily a vulnerability-management service for EC2 instances, not a tool for automated security group remediation. Systems Manager Run Command (Option E) executes commands inside the instance OS, whereas security group changes are made at the AWS API level, which is what Automation runbooks do.
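As an added example (not part of the original question or of AWS documentation), a CloudFormation template that wires the managed restricted-ssh rule to the AWS-DisablePublicAccessForSecurityGroup runbook with automatic remediation; the logical resource names and the AutomationRoleArn parameter are assumptions, and the role itself is left as a placeholder.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Detect security groups that allow unrestricted inbound SSH (restricted-ssh)
  and auto-remediate with the AWS-DisablePublicAccessForSecurityGroup runbook.
  Assumes AWS Config recording is already enabled in the account and Region.

Parameters:
  AutomationRoleArn:
    Type: String
    Description: >
      Placeholder for the IAM role the Automation runbook assumes. It needs
      ec2:DescribeSecurityGroups and ec2:RevokeSecurityGroupIngress and must
      trust ssm.amazonaws.com.

Resources:
  RestrictedSshRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: restricted-ssh
      Description: In-use security groups must not allow 0.0.0.0/0 on TCP/22.
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::SecurityGroup
      Source:
        Owner: AWS
        SourceIdentifier: INCOMING_SSH_DISABLED   # managed-rule identifier for restricted-ssh

  RestrictedSshRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref RestrictedSshRule
      TargetType: SSM_DOCUMENT
      TargetId: AWS-DisablePublicAccessForSecurityGroup
      Automatic: true                 # run on NON_COMPLIANT without a manual approval
      MaximumAutomaticAttempts: 3     # required together with RetryAttemptSeconds when Automatic is true
      RetryAttemptSeconds: 60
      Parameters:
        GroupId:
          ResourceValue:
            Value: RESOURCE_ID        # the noncompliant security group's id, supplied by Config
        IpAddressToBlock:
          StaticValue:
            Values:
              - 0.0.0.0/0
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !Ref AutomationRoleArn
```

The runbook revokes both the SSH and RDP rules for the blocked CIDR, so confirm that no intentionally public RDP rule shares the security group before enabling automatic remediation.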