ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional SAP-C02 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional SAP-C02 exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 44 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional SAP-C02
Question #: 44
Topic #: 1
[All AWS Certified Solutions Architect - Professional SAP-C02 Questions]

A company has 10 accounts that are part of an organization in AWS Organizations. AWS Config is configured in each account. All accounts belong to either the Prod OU or the NonProd OU.

The company has set up an Amazon EventBridge rule in each AWS account to notify an Amazon Simple Notification Service (Amazon SNS) topic when an Amazon EC2 security group inbound rule is created with 0.0.0.0/0 as the source. The company’s security team is subscribed to the SNS topic.

For all accounts in the NonProd OU, the security team needs to remove the ability to create a security group inbound rule that includes 0.0.0.0/0 as the source.

Which solution will meet this requirement with the LEAST operational overhead?

  • A. Modify the EventBridge rule to invoke an AWS Lambda function to remove the security group inbound rule and to publish to the SNS topic. Deploy the updated rule to the NonProd OU.
  • B. Add the vpc-sg-open-only-to-authorized-ports AWS Config managed rule to the NonProd OU.
  • C. Configure an SCP to allow the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is not 0.0.0.0/0. Apply the SCP to the NonProd OU.
  • D. Configure an SCP to deny the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is 0.0.0.0/0. Apply the SCP to the NonProd OU.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by masetromain at Jan. 13, 2023, 10:20 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
masetromain
Highly Voted 2 years, 6 months ago
Selected Answer: D
The solution that meets this requirement with the LEAST operational overhead is D. Configuring an SCP to deny the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is 0.0.0.0/0, and applying the SCP to the NonProd OU. This solution would prevent the security group inbound rule from being created in the first place and will not require any additional steps or actions to be taken in order to remove the rule. This is less operationally intensive than modifying the EventBridge rule to invoke an AWS Lambda function, adding a Config rule or allowing the ec2:AuthorizeSecurityGroupIngress action with a specific IP.
upvoted 52 times
masetromain
2 years, 6 months ago
Option C does not meet the requirement that the security team needs to remove the ability to create a security group inbound rule that includes 0.0.0.0/0 as the source. It only allows the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is not 0.0.0.0/0. It does not prevent the creation of a security group inbound rule that includes 0.0.0.0/0 as the source, it only allows for the ingress action on non-0.0.0.0/0 IPs. Option D is the best solution as it denies the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is 0.0.0.0/0. This will prevent the creation of any security group inbound rule that includes 0.0.0.0/0 as the source.
upvoted 6 times
MikelH93
2 years, 1 month ago
the answer can't be C or D because aws:SourceIp condition key don't exist with SCP. So answer is A
upvoted 4 times
mifune
1 year, 2 months ago
You mean something like this? It's from the AWS portal... { "Version": "2012-10-17", "Statement": { "Effect": "Deny", "Action": "*", "Resource": "*", "Condition": { "NotIpAddress": { "aws:SourceIp": [ "192.0.2.0/24", "203.0.113.0/24" ] } } } }
upvoted 4 times
...
b3llman
1 year, 11 months ago
have you actually tested it? if you haven't, please do it and then comment.
upvoted 4 times
...
...
aokaddaoc
1 year, 8 months ago
I think the reason why C is wrong is not because C does not meet the requirement but simply because it is too strong: All users can do is to set ingress rule in SG and all other actions are all blocked. Both C and D results the same which users can no longer able to open port to 0.0.0.0/0, but D is more precise without blocking other actions.
upvoted 2 times
...
...
...
Maria2023
Highly Voted 2 years ago
Selected Answer: D
I literally just created the SCP and it works. I saw some comments that "ec2:AuthorizeSecurityGroupIngress action doesn't have any conditions" - that is not correct. This is my scp : { "Sid": "Statement1", "Effect": "Deny", "Action": [ "ec2:AuthorizeSecurityGroupIngress" ], "Resource": [ "*" ], "Condition": { "IpAddress": { "aws:SourceIp": [ "0.0.0.0/0" ] } } }
upvoted 35 times
tgv
5 months, 3 weeks ago
Tested myself, but this blocks any attempt to create an ingress rule - not only ones that have 0.0.0.0/0 as a source. aws:SourceIp checks for the IP address of the requester https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceip With these options, I think the only option that still stands is [A[. I don't like it because it adds management overhead and it's not preventive - it's reactive. But it seems like the only one which actually performs the task it was asked to perform.
upvoted 1 times
12db8b7
3 weeks, 1 day ago
A can't be because u can create the resource and then is deleted, the question ask to "needs to remove the ability to create a security group inbound rule that includes 0.0.0.0/0 as the source", in A scenario u can do it, just deletes the rule afterwards.
upvoted 1 times
...
...
b3llman
1 year, 11 months ago
Tested and confirmed!
upvoted 6 times
...
dqwsmwwvtgxwkvgcvc
1 year, 10 months ago
I guess proving D works doesn't show C is incorrect. I feel that both C and D could be correct because as CuteRunRun mentioned, the SCP deny is default. Just have one more question, what is the ec2:AuthorizeSecurityGroupIngress if the SourceIp is not 0.0.0.0/0?
upvoted 1 times
vn_thanhtung
1 year, 10 months ago
For all accounts in the NonProd OU, the security team needs to remove the ability to create a security group inbound rule that includes 0.0.0.0/0 as the source. you think C can "remove the ability to create" carry ? SCP allow all by default?
upvoted 1 times
vn_thanhtung
1 year, 10 months ago
Sorry typo. you think C can "remove the ability to create" crazy ? SCP allow all by default
upvoted 1 times
...
...
...
longns
1 year, 9 months ago
This will deny all action create a inbound rule not only Inbound rule which have source ip "0.0.0.0/0"
upvoted 4 times
Malcnorth59
1 year, 1 month ago
I think that is incorrect. the SCP action is ec2:AuthorizeSecurityGroupIngress and specifically applies to ingress
upvoted 1 times
...
...
...
proawsk
Most Recent 2 months, 3 weeks ago
Selected Answer: B
B is correct, you cannot deny SG rule creation with SCP
upvoted 1 times
...
tgv
5 months, 3 weeks ago
Selected Answer: A
aws:SourceIp checks for the ip address of the requester - not the CIDR destination in the rule
upvoted 1 times
...
TorTo
5 months, 3 weeks ago
Selected Answer: D
The only correct answer is D. The questions states "to remove the ability to create a security group inbound rule that includes 0.0.0.0/0 as the source" A does not remove the ability, it only corrects the action. D is correct because it actually restricts the ability.
upvoted 2 times
...
altonh
6 months, 1 week ago
Selected Answer: A
Not D. See here: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html. Condition key aws:SourceIp is missing for ec2:AuthorizeSecurityGroupIngress
upvoted 1 times
...
grumpysloth
7 months ago
Selected Answer: A
You cannot use SCP to control SG rules
upvoted 1 times
...
chipimbiri
7 months, 3 weeks ago
Selected Answer: D
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_evaluation.html An Allow statement in an SCP can't have a Condition element at all.
upvoted 1 times
...
sashenka
9 months, 2 weeks ago
Selected Answer: A
Given that the aws:SourceIp condition key refers to the IP address of the principal making the request, and not the IP address specified in the security group rule, D is not appropriate for this scenario.
upvoted 3 times
attila9778
7 months, 2 weeks ago
But because of this B is the correct option.
upvoted 1 times
...
...
amministrazione
10 months, 3 weeks ago
D. Configure an SCP to deny the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is 0.0.0.0/0. Apply the SCP to the NonProd OU.
upvoted 1 times
...
MAZIADI
11 months, 1 week ago
Selected Answer: D
Why Option D is Better than Option C: Explicit Deny vs. Implicit Allow: Option C allows the action unless the aws:SourceIp is 0.0.0.0/0. This creates an implicit allow policy, which means that if any condition is not met, the action is allowed. Option D uses an explicit deny, which is more secure and straightforward. An explicit deny ensures that if the condition is met (aws:SourceIp is 0.0.0.0/0), the action is blocked regardless of other permissions.
upvoted 3 times
...
asquared16
1 year ago
Selected Answer: A
It's A. Definitely A. Don't get confused.
upvoted 1 times
...
dzidis
1 year ago
Voting for A
upvoted 1 times
...
teo2157
1 year, 1 month ago
Selected Answer: A
It's A, D is incorrect as it shouldn´t be source IP but destination address
upvoted 1 times
...
Malcnorth59
1 year, 1 month ago
Selected Answer: D
Option D
upvoted 1 times
...
sse69
1 year, 2 months ago
Selected Answer: A
SourceIP is for requester IP address, not the CIDR referenced in the SG rule.
upvoted 3 times
...
Smart
1 year, 2 months ago
A (Incorrect): SG is created for a briefly. This goes against the question requirement of "remove the ability to create a security group inbound rule..." B (Incorrect): Regardless of rule, SGs can be created and remain non-complaint. C (Incorrect): See D D (Incorrect): SourceIP condition key of IAM policy is the requestor's IP address. This has nothing to do with SG's inbound rule's sourceIP. This won't allow creating any SG inbound rules when the requestor is making AWS API calls from anywhere (0.0.0.0/0). Just a crap question and choices.
upvoted 3 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel