Examice

Exam DOP-C02 All QuestionsBrowse all questions from this exam

Question 42

A company's application development team uses Linux-based Amazon EC2 instances as bastion hosts. Inbound SSH access to the bastion hosts is restricted to specific IP addresses, as defined in the associated security groups. The company's security team wants to receive a notification if the security group rules are modified to allow SSH access from any IP address.

What should a DevOps engineer do to meet this requirement?

Create an Amazon EventBridge rule with a source of aws.cloudtrail and the event name AuthorizeSecurityGroupIngress. Define an Amazon Simple Notification Service (Amazon SNS) topic as the target.

Enable Amazon GuardDuty and check the findings for security groups in AWS Security Hub. Configure an Amazon EventBridge rule with a custom pattern that matches GuardDuty events with an output of NON_COMPLIANT. Define an Amazon Simple Notification Service (Amazon SNS) topic as the target.

Create an AWS Config rule by using the restricted-ssh managed rule to check whether security groups disallow unrestricted incoming SSH traffic. Configure automatic remediation to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.

Enable Amazon Inspector. Include the Common Vulnerabilities and Exposures-1.1 rules package to check the security groups that are associated with the bastion hosts. Configure Amazon Inspector to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.

Correct Answer: C

To meet the requirement of receiving a notification if the security group rules are modified to allow SSH access from any IP address, the best solution is to create an AWS Config rule using the restricted-ssh managed rule. This rule checks whether security groups disallow unrestricted incoming SSH traffic (i.e., it verifies that the security group does not allow SSH access from 0.0.0.0/0). If a security group is found to be non-compliant with this rule (allowing SSH access from any IP address), it can trigger an automatic remediation to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic. This precisely matches the need to be notified only when SSH access is allowed from any IP address, ensuring specific and targeted alerting.

Discussion

ixdb

A is right. The Config rule restricted-ssh will not check the ingress rule that use the CIDR other than 0.0.0.0/0 and not notify anyone.

csG13

A would send a notification for ANY change in the security group. The question clearly states that wants only when 0.0.0.0/0 is allowed. Therefore, should be C.

hoazgazh

"a notification if the security group rules are modified to allow SSH access from any IP address" from any IP address => so A is correct, any change in SG should send noti

MarDogOption: A

I'm going to have to go with A on this one: https://aws.plainenglish.io/detecting-modifications-to-aws-ec2-security-groups-2ef8989a3350 https://repost.aws/knowledge-center/monitor-security-group-changes-ec2

dznOption: C

A is not meet the following requirements: `if the security group rules are modified to allow ssh access FROM ANY IP ADDRESS`

Diego1414Option: C

Answer : C Keyword "allow SSH access from any IP address" A will send notification for any change made to the SG not just SSH

CloudHandsOnOption: C

I'll go with C. AWS config can help with that SG change detection. Then, we can just send a notification.

vortegonOption: C

only send notification if allow traffic from any address.

Cervus18Option: C

restricted-ssh : The rule is COMPLIANT if the IP addresses of the incoming SSH traffic in the security groups are restricted (CIDR other than 0.0.0.0/0 or ::/0). Otherwise, NON_COMPLIANT. https://docs.aws.amazon.com/config/latest/developerguide/restricted-ssh.html That addresses exactly the requirement !

a54b16fOption: C

keyword: "ANY"

liuyomzOption: C

C makes way more sense from the way AWS wants us to do it

seetptOption: C

i vote for c

c3518fcOption: A

A. This is the correct solution because it leverages Amazon EventBridge to monitor for changes to the security group rules, specifically the AuthorizeSecurityGroupIngress event, which indicates that the security group rules have been modified to allow SSH access from any IP address. By creating an EventBridge rule with the appropriate event pattern and defining an Amazon SNS topic as the target, the DevOps engineer can ensure that the security team receives a notification whenever the security group rules are modified in an undesirable way.

4555894Option: A

https://aws.amazon.com/premiumsupport/knowledge-center/monitor-security-group-changes-ec2/

kyuhuck

a is right~~~~ https://aws.amazon.com/premiumsupport/knowlege-center/monitor-security-group-cahnge-ec2/

TioChicoOption: A

A is right

SodevOption: A

I think keyword for C must be "ALL". ANY means when new IP is added to security group, so SNS will be triggered

zijo

Answer is C The restricted-ssh managed rule in AWS Config helps ensure your bastion host security groups are locked down for SSH access. It specifically checks if incoming SSH traffic is accessible for the security groups. The rule is considered COMPLIANT if: SSH access is not open to the public (meaning the rule doesn't find a security group allowing 0.0.0.0/0 for port 22). SSH access is restricted to specific IP addresses or security groups using CIDR notation (e.g., 10.0.0.0/16). If the rule detects a security group allowing SSH access from anywhere (0.0.0.0/0), it triggers a NON_COMPLIANT status.

c3518fc

Yeah, but has nothing to do with anyone changing it. A is your answer because it detects changes and sends out an email notification

thanhnv142

C is correct: only send noti if allow traffic from any address.

thanhnv142

A: is an event type about changing security group rules. It would send noti if there is any changes in security group