Exam AWS Certified SysOps Administrator - Associate topic 1 question 183 discussion

A company has a compliance requirement that no security groups can allow SSH ports to be open to all IP addresses. A SysOps administrator must implement a solution that will notify the company’s SysOps team when a security group rule violates this requirement. The solution also must remediate the security group rule automatically.

Which solution will meet these requirements?

  • A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that invokes an AWS Lambda function when a security group changes. Configure the Lambda function to evaluate the security group for compliance, remove all inbound security group rules on all ports, and notify the SysOps team if the security group is noncompliant.
  • B. Create an AWS CloudTrail metric filter for security group changes. Create an Amazon CloudWatch alarm to notify the SysOps team through an Amazon Simple Notification Service (Amazon SNS) topic when the metric is greater than 0. Subscribe an AWS Lambda function to the SNS topic to remediate the security group rule by removing the rule.
  • C. Activate the AWS Config restricted-ssh managed rule. Add automatic remediation to the AWS Config rule by using the AWS Systems Manager Automation AWS-DisablePublicAccessForSecurityGroup runbook. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to notify the SysOps team when the rule is noncompliant.
  • D. Create an AWS CloudTrail metric filter for security group changes. Create an Amazon CloudWatch alarm for when the metric is greater than 0. Add an AWS Systems Manager action to the CloudWatch alarm to suspend the security group by using the Systems Manager Automation AWS-DisablePublicAccessForSecurityGroup runbook when the alarm is in ALARM state. Add an Amazon Simple Notification Service (Amazon SNS) topic as a second target to notify the SysOps team.
Suggested Answer: C
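To make the suggested answer concrete, here is a local model of its three legs: the check the AWS Config managed rule restricted-ssh (INCOMING_SSH_DISABLED) performs on a security group, the inbound entries a targeted remediation has to revoke, and an EventBridge event pattern that pages the SysOps team only on a NON_COMPLIANT transition. This is an added example written for this page, not code from AWS or from the exam; it makes no AWS calls. The security group dicts and the Config event are constructed to mirror the shape of ec2:DescribeSecurityGroups output and of a "Config Rules Compliance Change" event, the rule name "restricted-ssh" and the resource ID are assumed, and the include_ipv6 switch models a custom rule rather than the managed one, which the page's own quote of the AWS docs says is IPv4-only.

```python
"""Local model of the suggested answer's chain: what Config's managed rule
restricted-ssh (INCOMING_SSH_DISABLED) flags, which inbound entries a targeted
remediation must revoke, and the EventBridge pattern that pages only on
NON_COMPLIANT. Added example, no AWS calls; all sample data is constructed."""

SSH_PORT = 22
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"

def tcp(lo, hi, *cidrs, v6=()):
    """Build one IpPermissions entry shaped like ec2:DescribeSecurityGroups output."""
    return {"IpProtocol": "tcp", "FromPort": lo, "ToPort": hi,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "Ipv6Ranges": [{"CidrIpv6": c} for c in v6]}

def permission_covers_ssh(perm):
    """True if the entry admits TCP/22. IpProtocol "-1" is every protocol and port;
    TCP ranges are inclusive, so 0-65535 counts although it never names 22."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", -1) <= SSH_PORT <= perm.get("ToPort", -1)

def world_open_ranges(perm, include_ipv6=False):
    """Source CIDRs matching every address. The managed rule is IPv4-only, so ::/0
    is reported only when include_ipv6 is set (assumption: a custom rule)."""
    found = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == ANY_IPV4]
    if include_ipv6:
        found += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])
                  if r.get("CidrIpv6") == ANY_IPV6]
    return found

def evaluate(sg, include_ipv6=False):
    """The verdict Config records for the group: COMPLIANT or NON_COMPLIANT."""
    for perm in sg.get("IpPermissions", []):
        if permission_covers_ssh(perm) and world_open_ranges(perm, include_ipv6):
            return "NON_COMPLIANT"
    return "COMPLIANT"

def revocations(sg, include_ipv6=False):
    """IpPermissions for ec2:RevokeSecurityGroupIngress that drop only the world-open
    source of each SSH-bearing entry; a 10.0.0.0/8 source on the same port survives.
    That targeting is what separates remediation from option A's wipe of all rules."""
    out = []
    for perm in sg.get("IpPermissions", []):
        if not permission_covers_ssh(perm):
            continue
        entry = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == ANY_IPV4]
        v6 = [r for r in perm.get("Ipv6Ranges", [])
              if include_ipv6 and r.get("CidrIpv6") == ANY_IPV6]
        if v4:
            entry["IpRanges"] = v4
        if v6:
            entry["Ipv6Ranges"] = v6
        if v4 or v6:
            out.append(entry)
    return out

# Notification leg. Config emits "Config Rules Compliance Change" on every
# transition; matching only NON_COMPLIANT avoids a second page when remediation
# flips the group back. The rule name "restricted-ssh" is an assumption.
NONCOMPLIANT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {"configRuleName": ["restricted-ssh"],
               "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]}},
}

def pattern_matches(pattern, event):
    """Minimal EventBridge matcher: each pattern key must exist, a list is any-of,
    a nested dict recurses. Exact values only; prefix/anything-but are not modelled."""
    for key, want in pattern.items():
        if key not in event:
            return False
        if isinstance(want, dict):
            if not isinstance(event[key], dict) or not pattern_matches(want, event[key]):
                return False
        elif event[key] not in want:
            return False
    return True

# Constructed samples, not real account data.
SAMPLE_GROUPS = {
    "sg-bastion": {"IpPermissions": [tcp(22, 22, "0.0.0.0/0", "10.0.0.0/8")]},
    "sg-web": {"IpPermissions": [tcp(80, 80, "0.0.0.0/0"), tcp(22, 22, "10.0.0.0/8")]},
    "sg-allports": {"IpPermissions": [tcp(0, 65535, "0.0.0.0/0")]},
    "sg-v6": {"IpPermissions": [tcp(22, 22, v6=["::/0"])]},
}
SAMPLE_EVENT = {"source": "aws.config", "detail-type": "Config Rules Compliance Change",
                "detail": {"configRuleName": "restricted-ssh", "resourceId": "sg-bastion",
                           "newEvaluationResult": {"complianceType": "NON_COMPLIANT"}}}

if __name__ == "__main__":
    for gid, sg in SAMPLE_GROUPS.items():
        print(gid, evaluate(sg), evaluate(sg, include_ipv6=True), revocations(sg))
    print("notify:", pattern_matches(NONCOMPLIANT_PATTERN, SAMPLE_EVENT))
```

Two things the model surfaces that the exam wording hides: an all-ports TCP rule (0-65535) or an IpProtocol "-1" rule is just as much an SSH exposure as a rule that names port 22, and a group whose only world-open SSH source is ::/0 passes the IPv4-only managed rule, so a dual-stack VPC needs a custom rule to close that gap. The event pattern is worth testing locally like this before deploying, since a pattern that also matches COMPLIANT transitions pages the team twice per incident.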

Comments

28b8844
1 week, 5 days ago
Selected Answer: D
Option C is incomplete. It does not mention using AWS SNS for notification which is one of the key requirement.
upvoted 1 times
r2c3po
9 months, 1 week ago
Selected Answer: C
This solution combines AWS Config for rule evaluation, AWS Systems Manager Automation for automated remediation, and Amazon EventBridge for notification.
upvoted 3 times
Christina666
1 year, 2 months ago
Selected Answer: C
Checks if the incoming SSH traffic for the security groups is accessible. The rule is COMPLIANT when IP addresses of the incoming SSH traffic in the security groups are restricted (CIDR other than 0.0.0.0/0). This rule applies only to IPv4.
Identifier: INCOMING_SSH_DISABLED
Resource Types: AWS::EC2::SecurityGroup
Trigger type: Configuration changes
upvoted 1 times
mana25
1 year, 1 month ago
The solution also must remediate the security group rule automatically. Where does that option remediate the issue?
upvoted 1 times
mana25
1 year, 1 month ago
got it, with this part: DisablePublicAccessForSecurityGroup runbook
upvoted 1 times
tts1234
1 year, 9 months ago
Selected Answer: C
https://docs.aws.amazon.com/config/latest/developerguide/restricted-ssh.html
upvoted 4 times
jipark
1 year, 1 month ago
"AWS Config" does this!
upvoted 1 times
michaldavid
1 year, 9 months ago
Selected Answer: C
I go for C
upvoted 4 times
tyfta6
1 year, 9 months ago
Selected Answer: C
Vote for C
upvoted 3 times
Community vote distribution: A (35%), C (25%), B (20%), Other