Exam SAP-C02
Question 44

A company has 10 accounts that are part of an organization in AWS Organizations. AWS Config is configured in each account. All accounts belong to either the Prod OU or the NonProd OU.

The company has set up an Amazon EventBridge rule in each AWS account to notify an Amazon Simple Notification Service (Amazon SNS) topic when an Amazon EC2 security group inbound rule is created with 0.0.0.0/0 as the source. The company’s security team is subscribed to the SNS topic.

For all accounts in the NonProd OU, the security team needs to remove the ability to create a security group inbound rule that includes 0.0.0.0/0 as the source.

Which solution will meet this requirement with the LEAST operational overhead?

Correct Answer: D

The correct solution is to configure an SCP (Service Control Policy) to deny the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is 0.0.0.0/0. Applying this SCP to the NonProd OU will prevent the creation of any security group inbound rule that includes 0.0.0.0/0 as the source IP. This approach meets the requirement with the least operational overhead as it proactively blocks the undesirable action at the policy enforcement level, avoiding the need for reactive measures or additional steps to remove such rules after creation.

Discussion
masetromain (Option: D)

The solution that meets this requirement with the LEAST operational overhead is D. Configuring an SCP to deny the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is 0.0.0.0/0, and applying the SCP to the NonProd OU. This solution would prevent the security group inbound rule from being created in the first place and will not require any additional steps or actions to be taken in order to remove the rule. This is less operationally intensive than modifying the EventBridge rule to invoke an AWS Lambda function, adding a Config rule or allowing the ec2:AuthorizeSecurityGroupIngress action with a specific IP.

masetromain

Option C does not meet the requirement that the security team needs to remove the ability to create a security group inbound rule that includes 0.0.0.0/0 as the source. It only allows the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is not 0.0.0.0/0. It does not prevent the creation of a security group inbound rule that includes 0.0.0.0/0 as the source, it only allows for the ingress action on non-0.0.0.0/0 IPs. Option D is the best solution as it denies the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is 0.0.0.0/0. This will prevent the creation of any security group inbound rule that includes 0.0.0.0/0 as the source.

MikelH93

The answer can't be C or D because the aws:SourceIp condition key doesn't exist with SCPs. So the answer is A.

b3llman

Have you actually tested it? If you haven't, please do it and then comment.

mifune

You mean something like this? It's from the AWS portal... { "Version": "2012-10-17", "Statement": { "Effect": "Deny", "Action": "*", "Resource": "*", "Condition": { "NotIpAddress": { "aws:SourceIp": [ "192.0.2.0/24", "203.0.113.0/24" ] } } } }

aokaddaoc

I think the reason why C is wrong is not because C does not meet the requirement but simply because it is too strong: all users can do is set ingress rules in SGs, and all other actions are blocked. Both C and D result in the same thing, which is that users are no longer able to open a port to 0.0.0.0/0, but D is more precise without blocking other actions.

Maria2023 (Option: D)

I literally just created the SCP and it works. I saw some comments that "ec2:AuthorizeSecurityGroupIngress action doesn't have any conditions" - that is not correct. This is my SCP: { "Sid": "Statement1", "Effect": "Deny", "Action": [ "ec2:AuthorizeSecurityGroupIngress" ], "Resource": [ "*" ], "Condition": { "IpAddress": { "aws:SourceIp": [ "0.0.0.0/0" ] } } }

b3llman

Tested and confirmed!

dqwsmwwvtgxwkvgcvc

I guess proving D works doesn't show C is incorrect. I feel that both C and D could be correct because, as CuteRunRun mentioned, the SCP deny is the default. I just have one more question: what is ec2:AuthorizeSecurityGroupIngress if the SourceIp is not 0.0.0.0/0?

vn_thanhtung

For all accounts in the NonProd OU, the security team needs to remove the ability to create a security group inbound rule that includes 0.0.0.0/0 as the source. You think C can "remove the ability to create" carry? SCPs allow all by default?

vn_thanhtung

Sorry, typo. You think C can "remove the ability to create"? Crazy. SCPs allow all by default.

longns

This will deny all actions that create an inbound rule, not only inbound rules which have source IP "0.0.0.0/0".

Malcnorth59

I think that is incorrect. The SCP action is ec2:AuthorizeSecurityGroupIngress and specifically applies to ingress.

gustori99 (Option: A)

Everybody who voted D: just test it yourself and you will see that it does not work. Please understand the meaning of aws:SourceIp. From the AWS documentation: "The aws:SourceIp condition key resolves to the IP address that the request originates from". The aws:SourceIp condition checks the IP address of the requestor and has nothing to do with the security group source IP configuration. The comment from Maria2023, who claims to have tested it, is wrong because her suggested SCP denies all inbound rule creation even if you try to configure a specific IP address in the inbound rule. Although I disagree with the wording from option A, "Deploy the updated rule to the NonProd OU", A is the only possible answer.

sse69 (Option: A)

SourceIP is for requester IP address, not the CIDR referenced in the SG rule.

Dafukubai (Option: A)

To everyone who claimed to have tested D, please try to create inbound rules other than 0.0.0.0/0. D will deny all AuthorizeSecurityGroupIngress operations from your IP. That's why D "worked".
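The check Dafukubai and gustori99 ask for can be rehearsed offline before anything is attached to an OU. The following is an added Python example, not code from this thread or from AWS: a small evaluator for the IpAddress and NotIpAddress operators on aws:SourceIp, run against the option D SCP as Maria2023 posted it and against the allow-list policy mifune quoted from the documentation. The requester addresses (203.0.113.10, 198.51.100.7) and the CidrIp values are constructed; the evaluator models only these two operators and this one key, and the CidrIp request parameter is accepted but never consulted, because aws:SourceIp is defined as the address the API call originates from.

```python
import ipaddress

# Option D as posted by Maria2023 above, wrapped in a complete policy document.
OPTION_D_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Deny",
            "Action": ["ec2:AuthorizeSecurityGroupIngress"],
            "Resource": ["*"],
            "Condition": {"IpAddress": {"aws:SourceIp": ["0.0.0.0/0"]}},
        }
    ],
}

# The "deny everything from outside these ranges" policy mifune quoted from the AWS docs.
OFFICE_ONLY_SCP = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
            "NotIpAddress": {"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]}
        },
    },
}


def _as_list(value):
    """IAM accepts a single string or a list in most places; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching: '*' matches all, 'ec2:*' matches a prefix, else exact (case-insensitive)."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.lower().startswith(pattern[:-1].lower())
    return pattern.lower() == action.lower()


def _ip_condition_matches(operator, cidrs, requester_ip):
    """Evaluate IpAddress / NotIpAddress on aws:SourceIp against the caller's address."""
    addr = ipaddress.ip_address(requester_ip)
    in_any = any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)
    if operator == "IpAddress":
        return in_any
    if operator == "NotIpAddress":
        return not in_any
    raise NotImplementedError(f"operator {operator} not modelled")


def scp_denies(policy, action, requester_ip, request_params=None):
    """Return True if any Deny statement in the SCP matches this API call.

    request_params (for example the CidrIp of the rule being authorized) is accepted
    but deliberately never read: aws:SourceIp is a request-context key that resolves
    to the address the call came from, so no API parameter influences it.
    """
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        matched = True  # a statement without a Condition block always matches
        for operator, keys in stmt.get("Condition", {}).items():
            for key, cidrs in keys.items():
                if key != "aws:SourceIp":
                    raise NotImplementedError(f"condition key {key} not modelled")
                if not _ip_condition_matches(operator, _as_list(cidrs), requester_ip):
                    matched = False
        if matched:
            return True
    return False


if __name__ == "__main__":
    # 203.0.113.10 and 198.51.100.7 are constructed requester addresses (documentation ranges).
    for cidr in ("10.0.0.0/8", "0.0.0.0/0"):
        denied = scp_denies(OPTION_D_SCP, "ec2:AuthorizeSecurityGroupIngress",
                            "203.0.113.10", {"CidrIp": cidr})
        print(f"option D SCP, rule CidrIp {cidr}: {'DENY' if denied else 'allow'}")
    denied = scp_denies(OFFICE_ONLY_SCP, "ec2:AuthorizeSecurityGroupIngress", "198.51.100.7")
    print(f"office-only SCP, caller 198.51.100.7: {'DENY' if denied else 'allow'}")
```

Whatever CidrIp the caller asks for, the first policy denies the call from any address, since every IPv4 address lies inside 0.0.0.0/0; the second shows the kind of enforcement aws:SourceIp is designed for, pinning API access to known egress ranges. A candidate SCP should be exercised the same way in a sandbox account, with both an open and a private CIDR in the rule, before it is attached to the NonProd OU.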

Smart

A (Incorrect): The SG is created briefly. This goes against the question requirement of "remove the ability to create a security group inbound rule...".
B (Incorrect): Regardless of the rule, SGs can be created and remain non-compliant.
C (Incorrect): See D.
D (Incorrect): The SourceIP condition key of an IAM policy is the requestor's IP address. This has nothing to do with the SG inbound rule's source IP. This won't allow creating any SG inbound rules when the requestor is making AWS API calls from anywhere (0.0.0.0/0).
Just a crap question and choices.
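Smart's point that the rule exists briefly under option A is the trade-off of any reactive control. As an added illustration, not code from this thread or from AWS, here is a Python remediation handler of the kind option A's EventBridge-to-Lambda path would invoke: it reads the CloudTrail API-call event, keeps only the 0.0.0.0/0 and ::/0 ranges from the IpPermissions that were just authorized, and revokes exactly those so legitimate entries in the same call survive. The event layout is assumed from the CloudTrail record format for AuthorizeSecurityGroupIngress, the group ID sg-0123456789abcdef0 is a constructed placeholder, and a recording stand-in replaces boto3.client("ec2") so the block runs offline; a deployed handler would additionally need an execution role allowed to call ec2:RevokeSecurityGroupIngress.

```python
# Ranges that expose a port to the whole internet (IPv4 and IPv6).
OPEN_RANGES = {"0.0.0.0/0", "::/0"}

# Constructed sample event: the shape EventBridge delivers for a CloudTrail
# AuthorizeSecurityGroupIngress call (assumed from the CloudTrail record format, trimmed).
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventName": "AuthorizeSecurityGroupIngress",
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",  # placeholder group ID
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}, {"cidrIp": "10.0.0.0/8"}]},
                 "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "192.0.2.0/24"}]},
                 "ipv6Ranges": {"items": []}},
            ]},
        },
    },
}


def open_permissions(event):
    """Build boto3-style IpPermissions covering only the world-open ranges in the event."""
    params = event["detail"]["requestParameters"]
    result = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        v4 = [{"CidrIp": r["cidrIp"]} for r in perm.get("ipRanges", {}).get("items", [])
              if r["cidrIp"] in OPEN_RANGES]
        v6 = [{"CidrIpv6": r["cidrIpv6"]} for r in perm.get("ipv6Ranges", {}).get("items", [])
              if r["cidrIpv6"] in OPEN_RANGES]
        if not v4 and not v6:
            continue  # nothing open in this permission; leave it alone
        entry = {"IpProtocol": perm["ipProtocol"]}
        # Protocol "-1" (all traffic) carries no ports, so copy them only when present.
        if "fromPort" in perm:
            entry["FromPort"] = perm["fromPort"]
        if "toPort" in perm:
            entry["ToPort"] = perm["toPort"]
        if v4:
            entry["IpRanges"] = v4
        if v6:
            entry["Ipv6Ranges"] = v6
        result.append(entry)
    return result


class RecordingEc2:
    """Stand-in for boto3.client('ec2') so the handler runs offline; records revoke calls."""

    def __init__(self):
        self.calls = []

    def revoke_security_group_ingress(self, **kwargs):
        self.calls.append(kwargs)
        return {"Return": True}


def handler(event, context=None, ec2=None):
    """Lambda entry point: revoke only the open ranges that were just authorized."""
    if event.get("detail", {}).get("eventName") != "AuthorizeSecurityGroupIngress":
        return {"revoked": 0}
    perms = open_permissions(event)
    if not perms:
        return {"revoked": 0}
    if ec2 is None:
        import boto3  # imported lazily so the offline demo needs no AWS SDK
        ec2 = boto3.client("ec2")
    group_id = event["detail"]["requestParameters"]["groupId"]
    ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=perms)
    return {"revoked": len(perms), "groupId": group_id}


if __name__ == "__main__":
    fake = RecordingEc2()
    print(handler(SAMPLE_EVENT, ec2=fake))
    print(fake.calls)
```

Revoking only the open ranges leaves the legitimate 10.0.0.0/8 entry on port 22 and the 192.0.2.0/24 entry on port 443 in place, which matters because this path runs after the API call has already succeeded. The window between AuthorizeSecurityGroupIngress and the revoke is the operational cost of the reactive design, and the SNS notification the company already has covers the detection side of it.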

Dgix

A is out because creation of the SG is allowed, albeit briefly, before being updated.
B is noise.
C is out because SCPs don't allow.
D is the correct answer.

8608f25 (Option: D)

Option D is the most direct and efficient solution. By creating an SCP that explicitly denies the ec2:AuthorizeSecurityGroupIngress action when the source IP is 0.0.0.0/0, it prevents users in all accounts under the NonProd OU from creating such open security group rules. This enforcement happens at the API level, blocking the action before the rule is created, which aligns with the goal of reducing operational overhead and proactively enforcing security best practices. It is not option C because option C mentions configuring a Service Control Policy (SCP) to allow the ec2:AuthorizeSecurityGroupIngress action except when the source IP is 0.0.0.0/0. While the intention is correct, SCPs do not support allow-listing in this manner; they are designed to explicitly allow or deny actions across accounts in an AWS Organization.

asquared16 (Option: A)

It's A. Definitely A. Don't get confused.

dzidis

Voting for A

teo2157 (Option: A)

It's A. D is incorrect as it shouldn't be the source IP but the destination address.

Malcnorth59 (Option: D)

Option D

mav3r1ck (Option: D)

The goal is to prevent the creation of Amazon EC2 security group inbound rules that include 0.0.0.0/0 as the source for all accounts in the NonProd Organizational Unit (OU) with the least operational overhead. Option D is the most straightforward and effective solution to meet the requirement with the least operational overhead. By configuring a Service Control Policy (SCP) to deny the ec2:AuthorizeSecurityGroupIngress action when the aws:SourceIp condition key is 0.0.0.0/0 and applying this policy to the NonProd OU, the company can ensure that no account within this OU can create security group inbound rules that expose resources to the entire internet. This approach leverages AWS Organizations' capability to apply governance and compliance policies at scale, thereby reducing the need for individual resource monitoring or post-creation remediation.

gofavad926 (Option: D)

D is going to avoid creating the rule. A is not going to prevent it; it is going to remediate it...

LazyAutonomy (Option: A)

Read the most recent comments to understand why it isn't B, C or D.

Vaibs099

It has to be A. In options C and D, aws:SourceIp: "Use this key to compare the requester's IP address with the IP address that you specify in the policy." This condition is not available for ec2:AuthorizeSecurityGroupIngress. It is a condition to be used with properties of the network. Option B is just a Config rule for unauthorized ports. Only A can remove the ingress rule out of these options. Below, confirming this condition is not available for ec2:AuthorizeSecurityGroupIngress: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html Below, confirming the use of aws:SourceIp: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceip

master9 (Option: C)

"C" is the right answer, as in the statement it is written "NOT", which will revert the allow condition: "Configure an SCP to allow the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is not 0.0.0.0/0. Apply the SCP to the NonProd OU".