AWS Certified DevOps Engineer - Professional DOP-C02 Exam Questions

AWS Certified DevOps Engineer - Professional DOP-C02 Exam - Question 42


A company's application development team uses Linux-based Amazon EC2 instances as bastion hosts. Inbound SSH access to the bastion hosts is restricted to specific IP addresses, as defined in the associated security groups. The company's security team wants to receive a notification if the security group rules are modified to allow SSH access from any IP address.

What should a DevOps engineer do to meet this requirement?

Correct Answer: C

To meet the requirement of being notified only when a security group is changed to allow SSH from any IP address, the intended answer is C: an AWS Config rule based on the restricted-ssh managed rule (identifier INCOMING_SSH_DISABLED), with automatic remediation that publishes a message to an Amazon Simple Notification Service (Amazon SNS) topic. The rule evaluates resources of type AWS::EC2::SecurityGroup and is triggered by configuration changes, so a group is re-evaluated each time its rules are modified rather than on a schedule. It is COMPLIANT when inbound SSH (TCP port 22, including rules whose port range spans 22 and "all traffic" rules) is limited to CIDRs other than 0.0.0.0/0; the current rule documentation also lists ::/0. A group that allows SSH from 0.0.0.0/0 is marked NON_COMPLIANT, and the configured remediation action (an SSM Automation runbook such as AWS-PublishSNSNotification) publishes to the SNS topic, so the security team hears about exactly the case they asked about and nothing else.

Two caveats a practitioner should keep in mind, both raised in the discussion below. First, "any IP address" is read here as 0.0.0.0/0: a change that adds another specific CIDR, or even a very large range, does not make the rule NON_COMPLIANT and produces no notification. Second, the alternative of an Amazon EventBridge rule on the CloudTrail AuthorizeSecurityGroupIngress event with an SNS target fires on every ingress change to every security group, regardless of port or source CIDR, unless the event pattern or a Lambda target is narrowed to port 22 from 0.0.0.0/0; as described it does not satisfy "only when SSH is allowed from any IP address". (Compliance changes can also be forwarded to SNS through EventBridge's Config Rules Compliance Change events instead of a remediation action, but that is not what option C describes.)
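
The following is an added example written for this page; it is not code from the exam, from the original page, or from AWS. It re-implements the check the restricted-ssh rule documents (inbound TCP/22 reachable from 0.0.0.0/0 or ::/0) and applies it to two inputs: a security group in the shape EC2 DescribeSecurityGroups returns, and the requestParameters of a CloudTrail AuthorizeSecurityGroupIngress record, which is the filtering a Lambda target behind the EventBridge rule of option A would need before publishing to SNS. The CloudTrail field layout (camelCase keys wrapped in `{"items": [...]}`) is as I have seen it in trail records and should be checked against your own logs; the group ID `sg-0bast10n` and the RFC 5737 addresses are constructed sample data.

```python
"""Re-implementation of the documented restricted-ssh (INCOMING_SSH_DISABLED)
check, applied to an EC2 DescribeSecurityGroups entry and to a CloudTrail
AuthorizeSecurityGroupIngress event. Added example; not AWS's own code.
All sample data below is constructed."""
import ipaddress

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")
SSH_PORT = 22


def covers_ssh(perm):
    """True if one IpPermission (EC2 API shape) admits TCP port 22."""
    proto = str(perm.get("IpProtocol", "")).lower()
    if proto == "-1":                      # "All traffic" implicitly includes 22
        return True
    if proto not in ("tcp", "6"):          # udp/icmp/etc. cannot carry SSH
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:           # tcp with no range == all tcp ports
        return True
    return int(lo) <= SSH_PORT <= int(hi)  # a range such as 20-25 still exposes 22


def unrestricted_ssh_cidrs(ip_permissions):
    """Return the 'anywhere' CIDRs (0.0.0.0/0, ::/0) that reach port 22.
    Empty list == COMPLIANT, anything else == NON_COMPLIANT. A specific source,
    however large, is deliberately not reported: the gap commenters point out."""
    hits = []
    for perm in ip_permissions:
        if not covers_ssh(perm):
            continue
        for r in perm.get("IpRanges", []):
            if ipaddress.ip_network(r["CidrIp"], strict=False) == ANY_V4:
                hits.append(r["CidrIp"])
        for r in perm.get("Ipv6Ranges", []):
            if ipaddress.ip_network(r["CidrIpv6"], strict=False) == ANY_V6:
                hits.append(r["CidrIpv6"])
    return hits


def evaluate_security_group(sg):
    """Verdict for one DescribeSecurityGroups entry, in Config's vocabulary."""
    return "NON_COMPLIANT" if unrestricted_ssh_cidrs(sg["IpPermissions"]) else "COMPLIANT"


def permissions_from_cloudtrail(request_parameters):
    """Map CloudTrail's camelCase {"items": [...]} wrapping (assumed shape,
    verify against your own trail) onto the EC2 API shape used above."""
    perms = []
    for item in request_parameters.get("ipPermissions", {}).get("items", []):
        perms.append({
            "IpProtocol": item.get("ipProtocol"),
            "FromPort": item.get("fromPort"),
            "ToPort": item.get("toPort"),
            "IpRanges": [{"CidrIp": r["cidrIp"]}
                         for r in item.get("ipRanges", {}).get("items", [])],
            "Ipv6Ranges": [{"CidrIpv6": r["cidrIpv6"]}
                           for r in item.get("ipv6Ranges", {}).get("items", [])],
        })
    return perms


def should_alert(event):
    """What a Lambda behind option A's EventBridge rule would decide: notify
    only when this authorize call itself opened SSH to the world."""
    detail = event["detail"]
    if detail.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    return bool(unrestricted_ssh_cidrs(permissions_from_cloudtrail(detail["requestParameters"])))


# Constructed sample inputs (sg-0bast10n and the RFC 5737 addresses are made up).
BASTION_SG_OK = {"GroupId": "sg-0bast10n", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []}]}
BASTION_SG_OPEN = {"GroupId": "sg-0bast10n", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
BASTION_SG_ALL_V6 = {"GroupId": "sg-0bast10n", "IpPermissions": [   # all traffic from ::/0
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}


def ct_event(cidr):
    """Constructed CloudTrail record as EventBridge would deliver it."""
    return {"source": "aws.cloudtrail", "detail": {
        "eventName": "AuthorizeSecurityGroupIngress",
        "requestParameters": {"groupId": "sg-0bast10n", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": cidr}]}}]}}}}


EVENT_OPENS_SSH = ct_event("0.0.0.0/0")             # the case the security team wants
EVENT_ADDS_OFFICE_IP = ct_event("198.51.100.7/32")  # a bare EventBridge->SNS rule fires here too

if __name__ == "__main__":
    for name, sg in (("ok", BASTION_SG_OK), ("open", BASTION_SG_OPEN), ("all-v6", BASTION_SG_ALL_V6)):
        print(name, evaluate_security_group(sg))
    print("world-open SSH ->", should_alert(EVENT_OPENS_SSH),
          "| new office IP ->", should_alert(EVENT_ADDS_OFFICE_IP))
```

Running it shows the two positions in the thread side by side: `evaluate_security_group` stays COMPLIANT when an extra specific address is added and flips to NON_COMPLIANT only for 0.0.0.0/0 or ::/0 (including the "all traffic" case), while `should_alert` is the narrowing an EventBridge-to-Lambda design would need, since an EventBridge rule that targets SNS directly on AuthorizeSecurityGroupIngress has no such filter and notifies on the office-IP change as well.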

Discussion

53 comments
ixdb
Aug 13, 2023

A is right. The Config rule restricted-ssh will not check ingress rules that use a CIDR other than 0.0.0.0/0 and will not notify anyone.

csG13
Dec 13, 2023

A would send a notification for ANY change in the security group. The question clearly states that it wants one only when 0.0.0.0/0 is allowed. Therefore, it should be C.

hoazgazh
Apr 13, 2024

"a notification if the security group rules are modified to allow SSH access from any IP address": from any IP address => so A is correct, any change in the SG should send a notification.

GripZA
Apr 19, 2025

Exactly why it should be C, not A.

GripZA
Apr 19, 2025

Why not A: this could catch changes to security groups, but it wouldn't analyze the actual rule content to determine if it's an unrestricted SSH rule (0.0.0.0/0 on port 22). You'd need extra custom logic to parse events and check the CIDR and port range.

MarDog (Option: A)
Jun 19, 2023

I'm going to have to go with A on this one: https://aws.plainenglish.io/detecting-modifications-to-aws-ec2-security-groups-2ef8989a3350 https://repost.aws/knowledge-center/monitor-security-group-changes-ec2

tartarus23 (Option: C)
Jun 20, 2023

Explanation: AWS Config provides a wide range of predefined rules that evaluate whether your AWS resources comply with common best practices. The restricted-ssh managed rule checks whether security groups that are in use disallow unrestricted incoming SSH traffic.

MozzyRZA (Option: C)
Oct 27, 2023

Using an Amazon EventBridge rule with a source of aws.cloudtrail and event name AuthorizeSecurityGroupIngress would indeed detect changes to security group rules. However, it would notify for any change, not specifically when the rule allows SSH access from any IP address. AWS Config allows you to assess, audit, and evaluate the configurations of your AWS resources. The restricted-ssh managed rule specifically checks whether security groups disallow unrestricted incoming SSH traffic, which is exactly what the requirement is. Configuring automatic remediation to publish a message to an Amazon SNS topic would notify the security team when this non-compliant change is detected.

Diego1414 (Option: C)
Feb 29, 2024

Answer: C. Keyword: "allow SSH access from any IP address". A will send a notification for any change made to the SG, not just SSH.

Anonymous (Option: C)
Mar 15, 2024

A does not meet the following requirement: `if the security group rules are modified to allow ssh access FROM ANY IP ADDRESS`

alce2020 (Option: C)
Apr 16, 2023

I'll go for C although A could work too

2pk (Option: A)
May 16, 2023

Option A is the correct solution. Creating an AWS Config rule using the restricted-ssh managed rule (option C) focuses on checking whether security groups disallow unrestricted incoming SSH traffic. So not C.

TroyMcLure (Option: A)
May 26, 2023

I'm not sure what's wrong with C, but I'd go with A because of this: "Create an EventBridge rule to trigger when an API call is made to modify your security groups. Then, configure an Amazon SNS notification for events that match your rule." https://repost.aws/knowledge-center/monitor-security-group-changes-ec2

hanbj (Option: C)
May 27, 2023

AWS Config's restricted-ssh checks for 0.0.0.0/0 on an open SSH port. https://docs.aws.amazon.com/config/latest/developerguide/restricted-ssh.html

madperro (Option: C)
Jun 15, 2023

C, AWS Config is the tool to check and manage configuration.

jason7 (Option: A)
Aug 26, 2023

Option C: AWS Config is a service that can be used to audit AWS resources for compliance with security and compliance policies. However, the restricted-ssh managed rule only checks whether security groups disallow unrestricted incoming SSH traffic. It does not check whether security groups are modified to allow SSH access from any IP address.

vortegon (Option: C)
Jan 31, 2024

Only sends a notification if traffic is allowed from any address.

CloudHandsOn (Option: C)
Feb 29, 2024

I'll go with C. AWS config can help with that SG change detection. Then, we can just send a notification.

herohiro (Option: A)
Apr 17, 2023

A is correct. C is incorrect because the restricted-ssh managed rule checks for the presence of unrestricted incoming SSH traffic, not changes to security group rules. https://docs.aws.amazon.com/config/latest/developerguide/restricted-ssh.html

Akaza
May 24, 2023

I'll go with A. C, creating an AWS Config rule using the restricted-ssh managed rule, would help check if security groups disallow unrestricted incoming SSH traffic, but it does not specifically notify when changes occur to allow SSH access from any IP address.

Anonymous (Option: C)
May 31, 2023

I think C is the correct answer. Let's see the restricted-ssh rule documentation:

"Checks if the incoming SSH traffic for the security groups is accessible. The rule is COMPLIANT when IP addresses of the incoming SSH traffic in the security groups are restricted (CIDR other than 0.0.0.0/0). This rule applies only to IPv4. Identifier: INCOMING_SSH_DISABLED. Resource Types: AWS::EC2::SecurityGroup. Trigger type: Configuration changes"

Why not A? Well, A would catch an event and trigger on any modification of a security group's inbound rules. The question wants to be notified only about unrestricted SSH. While there are ways to do it with EventBridge, the answer does not contain any detail. However, C is a complete solution to the problem.

rdoty (Option: C)
May 31, 2023

It is definitely C: https://docs.aws.amazon.com/config/latest/developerguide/restricted-ssh.html#:~:text=Checks%20if%20the%20incoming%20SSH%20traffic%20for%20the%20security%20groups%20is%20accessible.%20The%20rule%20is%20COMPLIANT%20when%20IP%20addresses%20of%20the%20incoming%20SSH%20traffic%20in%20the%20security%20groups%20are%20restricted%20(CIDR%20other%20than%200.0.0.0/0).%20This%20rule%20applies%20only%20to%20IPv4.

s50600822
Aug 2, 2023

From a security perspective, C is not safe enough since it's looking for 0.0.0.0/0 https://docs.aws.amazon.com/config/latest/developerguide/restricted-ssh.html Though A potentially is better if the check looks for IPs that are outside of the allowed addresses, it doesn't clearly say that either... so no idea.

cocegas (Option: C)
Aug 31, 2023

I think it is C. This statement, "The company's security team wants to receive a notification if the security group rules are modified to allow SSH access from any IP address.", means an entry from 0.0.0.0/0, which the AWS Config rule checks.

RVivek (Option: C)
Sep 21, 2023

Please ignore my earlier comments. The answer is C.
1. A will send an email notification for any security group change. The requirement is notification of unrestricted SSH access.
2. SSH access from any IP address means the entire internet (0.0.0.0/0).

Geetar (Option: C)
Oct 19, 2023

Config does this out of the box. It seems some people don't get what 0.0.0.0/0 means in networking terms. It is the cidr for 'any' IP address.

YR4591 (Option: C)
Oct 23, 2023

C, "any" means 0.0.0.0/0

zolthar_z (Option: C)
Nov 21, 2023

C: Because this link shows the changes with EventBridge, but the source is EC2, not CloudTrail. https://repost.aws/knowledge-center/monitor-security-group-changes-ec2

a54b16f (Option: C)
Jan 15, 2024

keyword: "ANY"

Cervus18 (Option: C)
Mar 20, 2024

restricted-ssh: "The rule is COMPLIANT if the IP addresses of the incoming SSH traffic in the security groups are restricted (CIDR other than 0.0.0.0/0 or ::/0). Otherwise, NON_COMPLIANT." https://docs.aws.amazon.com/config/latest/developerguide/restricted-ssh.html That addresses exactly the requirement!

jamesf (Option: C)
Aug 5, 2024

Keywords: Inbound SSH access. C: restricted for the SSH port (22) only, from ANY address.

anuvindhs
Oct 9, 2024

C is the answer: https://docs.aws.amazon.com/config/latest/developerguide/notifications-for-AWS-Config.html

Impromptu (Option: C)
Nov 20, 2024

A: Would send a message to SNS for every change, so not only SSH but all other ports/services. This would be too much. I do get the other comments that C would only notify for 0.0.0.0/0 but I think that is what the question is trying to state with "any IP".

teo2157 (Option: C)
Jan 21, 2025

The key point here is "allow SSH access from any IP address", which is exactly "the restricted-ssh managed rule". That said, it's C.

vherman (Option: C)
May 4, 2023

C is correct

Anonymous (Option: C)
May 13, 2023

C works better, as A will trigger for any inbound rule, while the ask is for 22 only.

rhinozD (Option: C)
Jun 13, 2023

I think A could work, but AuthorizeSecurityGroupIngress is a little bit wider. If someone modifies (or adds) an inbound rule with a non-0.0.0.0/0 source, it'll send a notification too. So, I'll go with C.

RVivek (Option: A)
Aug 28, 2023

A alerts if any IP address is added to the allowed IP addresses. C alerts only if SSH is allowed from the entire internet, 0.0.0.0/0.

RVivek
Sep 21, 2023

Sorry. The answer is C.
1. A will send an email notification for any security group change. The requirement is notification of unrestricted SSH access.
2. SSH access from any IP address means the entire internet (0.0.0.0/0).

bugincloud (Option: A)
Sep 20, 2023

IMO A should be the answer, https://docs.aws.amazon.com/config/latest/developerguide/restricted-ssh.html Option C is only correct if the CIDR for ssh is 0.0.0.0/0. (Although in option A the eventbridge rule source should be aws.ec2)

Dushank (Option: A)
Sep 22, 2023

The best solution to meet this requirement is to create an Amazon EventBridge rule with a source of aws.cloudtrail and the event name AuthorizeSecurityGroupIngress. This will allow you to receive a notification whenever a security group ingress rule is created or modified.

Coffeinerd
Nov 9, 2023

C. The formulation and wording point to the ANY IP address (0.0.0.0/0) CIDR block. So A will notify on all changes.

kyuhuck
Feb 20, 2024

A is right~~~~ https://aws.amazon.com/premiumsupport/knowlege-center/monitor-security-group-cahnge-ec2/

4555894 (Option: A)
Mar 8, 2024

https://aws.amazon.com/premiumsupport/knowledge-center/monitor-security-group-changes-ec2/

zijo
Mar 21, 2024

Answer is C. The restricted-ssh managed rule in AWS Config helps ensure your bastion host security groups are locked down for SSH access. It specifically checks if incoming SSH traffic is accessible for the security groups. The rule is considered COMPLIANT if:
- SSH access is not open to the public (meaning the rule doesn't find a security group allowing 0.0.0.0/0 for port 22).
- SSH access is restricted to specific IP addresses or security groups using CIDR notation (e.g., 10.0.0.0/16).
If the rule detects a security group allowing SSH access from anywhere (0.0.0.0/0), it triggers a NON_COMPLIANT status.

c3518fc
Apr 12, 2024

Yeah, but that has nothing to do with anyone changing it. A is your answer because it detects changes and sends out an email notification.

c3518fc (Option: A)
Apr 12, 2024

A. This is the correct solution because it leverages Amazon EventBridge to monitor for changes to the security group rules, specifically the AuthorizeSecurityGroupIngress event, which indicates that the security group rules have been modified to allow SSH access from any IP address. By creating an EventBridge rule with the appropriate event pattern and defining an Amazon SNS topic as the target, the DevOps engineer can ensure that the security team receives a notification whenever the security group rules are modified in an undesirable way.

seetpt (Option: C)
May 1, 2024

I vote for C.

liuyomz (Option: C)
May 13, 2024

C makes way more sense from the way AWS wants us to do it

Sodev (Option: A)
May 21, 2024

I think the keyword for C would have to be "ALL". ANY means that when a new IP is added to the security group, SNS will be triggered.

flaacko
Aug 18, 2024

In the context of AWS, when you see ANY IP address, it is probably referring to the 0.0.0.0/0 CIDR block, which allows traffic from all or any IP address on the internet. When you use the restricted-ssh managed rule, security groups will be labelled NON_COMPLIANT when they allow unrestricted SSH traffic from anywhere or any IP address (0.0.0.0/0).

steli0 (Option: C)
Nov 25, 2024

A would be right if the "ANY" word describing all IPs (0.0.0.0/0) wasn't there. CloudTrail will notify you for any SG rule change.

Geetar
Oct 19, 2023

I'm going with C, as the config rule checks for ssh access from 'any' aka 0.0.0.0/0 which is the requirement. A will notify on any action on a security group.

shehenshah14 (Option: A)
Nov 24, 2023

A should be right. C would not change to non-compliant if someone modifies the IP address to their own IP address; it only becomes non-compliant when the IP chosen is 0.0.0.0/0.

helloworld_2024 (Option: A)
Dec 26, 2023

A is right.

thanhnv142
Jan 30, 2024

C is correct: it only sends a notification if traffic is allowed from any address.

thanhnv142
Jan 30, 2024

A: is an event type about changing security group rules. It would send a notification if there were any changes in the security group.

TioChico (Option: A)
Jul 4, 2024

A is right.

shammous
Jul 27, 2024

A! "AWS Config provides rules such as restricted-ssh that can be used to detect Security Groups that have SSH access open for any IP".

BrusingWayne
Nov 20, 2024

Option C (Incorrect): AWS Config rules are good for ongoing compliance checks, but they don't provide real-time notifications for changes. Config rules run periodically, which could result in a delay between the change and the notification. The automatic remediation aspect is not required in this scenario and could potentially interfere with legitimate changes. Hence, it is Option A.

teo2157 (Option: C)
Nov 27, 2024

Very, very, very hard question. I think the key point here is the ANY; based on that, it's C.