Exam SOA-C02
Question 351

A company wants to monitor the security groups of its Amazon EC2 instances to ensure that SSH is not open to the public. If the port is opened, the company needs to close the port as soon as possible.

Which combination of actions should a SysOps administrator take to meet these requirements? (Choose two.)

    Correct Answer: B, D

    To meet the requirement, pair detection with automatic remediation. First, add an AWS Config rule that flags security groups allowing SSH from the internet. The managed rule restricted-ssh reports a security group as NON_COMPLIANT when an inbound rule permits TCP port 22 from 0.0.0.0/0 or ::/0; AWS Config evaluates the rule whenever the group's configuration changes (and optionally on a schedule), so an opened port is caught shortly after the change is recorded. Second, attach a remediation action to that rule that runs an AWS Systems Manager Automation runbook to close the port. The managed runbook AWS-DisablePublicAccessForSecurityGroup removes the inbound rules that allow 0.0.0.0/0 on ports 22 and 3389 from the group whose ID Config passes in as the GroupId parameter. With the remediation marked automatic, Config invokes the runbook as soon as the evaluation turns NON_COMPLIANT, with no human in the loop. Two practical points: the runbook executes under the IAM role supplied in AutomationAssumeRole, which must be allowed to call ec2:DescribeSecurityGroups and ec2:RevokeSecurityGroupIngress; and because detection is driven by configuration-item delivery, "as soon as possible" means within Config's evaluation latency, not instantaneously at the moment the rule is added.
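The following is an added example, not code from the exam page or from AWS. It models the two halves of the accepted answer offline in plain Python: the detection logic mirrors what restricted-ssh checks (TCP/22 reachable from 0.0.0.0/0 or ::/0), the remediation half builds the exact IpPermissions that ec2:RevokeSecurityGroupIngress would need to strip only the offending entries, and remediation_configuration() shows the Config remediation wiring that invokes the AWS-DisablePublicAccessForSecurityGroup runbook, which is how a Config rule triggers Systems Manager. The security group is constructed sample data in the shape of an ec2 describe-security-groups response; the rule name and role ARN are placeholders, and treating an all-traffic (IpProtocol "-1") rule as covering SSH is this example's own conservative choice.

```python
"""Offline model of 'detect public SSH, then revoke it' for EC2 security groups."""
from __future__ import annotations

from typing import Any

SSH_PORT = 22
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample data, not a real account: compliant and non-compliant rules mixed.
SAMPLE_SG: dict[str, Any] = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {   # SSH open to the world over IPv4 and IPv6, plus one trusted CIDR
            "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}],
            "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
        },
        {   # HTTPS to the world: public, but not SSH, so left alone
            "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
        },
        {   # Port range covering 22, but only from a bastion subnet: not public
            "IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
            "IpRanges": [{"CidrIp": "192.168.10.0/24"}], "Ipv6Ranges": [],
        },
    ],
}


def _covers_ssh(perm: dict[str, Any]) -> bool:
    """True if an ingress permission can carry TCP/22. '-1' (all traffic) has no
    port fields; this example treats it as covering SSH (conservative choice)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)


def find_public_ssh_rules(sg: dict[str, Any]) -> list[dict[str, Any]]:
    """Return IpPermissions entries holding only the offending public CIDRs.

    Each entry keeps the protocol and port range but lists just 0.0.0.0/0 / ::/0,
    which is the shape RevokeSecurityGroupIngress needs to remove those entries
    and nothing else (the trusted 10.0.0.0/8 entry survives)."""
    offending = []
    for perm in sg.get("IpPermissions", []):
        if not _covers_ssh(perm):
            continue
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") in PUBLIC_CIDRS]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in PUBLIC_CIDRS]
        if not v4 and not v6:
            continue
        entry: dict[str, Any] = {"IpProtocol": perm["IpProtocol"]}
        if perm["IpProtocol"] != "-1":
            entry["FromPort"] = perm["FromPort"]
            entry["ToPort"] = perm["ToPort"]
        if v4:
            entry["IpRanges"] = v4
        if v6:
            entry["Ipv6Ranges"] = v6
        offending.append(entry)
    return offending


def evaluate(sg: dict[str, Any]) -> str:
    """Config-style verdict for one security group."""
    return "NON_COMPLIANT" if find_public_ssh_rules(sg) else "COMPLIANT"


def build_revoke_request(sg: dict[str, Any]) -> dict[str, Any] | None:
    """Parameters for ec2 revoke-security-group-ingress, or None if compliant."""
    perms = find_public_ssh_rules(sg)
    if not perms:
        return None
    return {"GroupId": sg["GroupId"], "IpPermissions": perms}


def remediation_configuration(rule_name: str, role_arn: str) -> dict[str, Any]:
    """One entry for configservice put-remediation-configurations: the rule's
    remediation target is an SSM Automation document, and Config injects the
    non-compliant resource ID into the runbook's GroupId parameter."""
    return {
        "ConfigRuleName": rule_name,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": "AWS-DisablePublicAccessForSecurityGroup",
        "Automatic": True,
        "MaximumAutomaticAttempts": 3,
        "RetryAttemptSeconds": 60,
        "Parameters": {
            "AutomationAssumeRole": {"StaticValue": {"Values": [role_arn]}},  # placeholder role
            "GroupId": {"ResourceValue": {"Value": "RESOURCE_ID"}},
        },
    }


if __name__ == "__main__":
    print(evaluate(SAMPLE_SG))
    print(build_revoke_request(SAMPLE_SG))
    print(remediation_configuration("restricted-ssh", "arn:aws:iam::123456789012:role/ConfigRemediationRole"))
```

Run as-is to see the sample group judged NON_COMPLIANT and a revoke request that removes only the 0.0.0.0/0 and ::/0 entries on port 22, leaving the HTTPS rule and the bastion-only range untouched. The same selectivity is why a Config-driven runbook is preferable to a Run Command script that edits the group wholesale: the remediation is scoped to the resource Config flagged and to the rules that made it non-compliant.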

Discussion
Pete987Options: BD

Add an AWS Config rule to detect the security groups that allow SSH. By creating a custom AWS Config rule, you can define the desired configuration that checks if SSH ports are open in security groups. This rule will evaluate the current state of the security groups and report any violations. Call an AWS Systems Manager Automation runbook to close the port. Set up an AWS Systems Manager Automation runbook that can be triggered when a violation is detected by the AWS Config rule. The runbook should include the necessary steps to close the SSH port in the affected security groups, ensuring that the port is no longer accessible to the public.

jas26saysOptions: BD

It's B and D

TQM__9MDOptions: BD

B and D

nharazOptions: BD

(AWS Systems Manager Run Command) is a valid Systems Manager feature, but it is more suitable for one-time commands rather than automated remediation based on continuous compliance checks performed by AWS Config. For continuous compliance checks, AWS Config Rules and Automation runbooks are more appropriate.

[Removed]Options: BD

Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network.

Christina666Options: BD

B no issues. D and E, choose D as it's using automation to call AWS service. D: Automation, a capability of AWS Systems Manager, simplifies common maintenance, deployment, and remediation tasks for AWS services like Amazon Elastic Compute Cloud (Amazon EC2), Amazon Relational Database Service (Amazon RDS), Amazon Redshift, Amazon Simple Storage Service (Amazon S3), and many more. E: Using Run Command, a capability of AWS Systems Manager, you can remotely and securely manage the configuration of your managed nodes. With command documents you are executing commands on your managed instances (i.e. yum update)

[Removed]

BBBBBBBBDDDDDDDDDDD

kevinguana

But how can you trigger SSM from AWS Config?

james2033Options: BD

* Detect SSH port open: A, B, or C? --> AWS Config rule --> B. * Close: D or E? --> automation --> D.

DeaconStJohnOptions: BE

I can't see any pre-defined runbooks that are designed to close a port. That being said, this is a simple script. Why do we think we are better off not using Run Command? Sure, I can create my own Automation runbook, but I still need to provide a script, which makes it a similar overhead to using Run Command. As this is one-off maintenance, I personally would use Run Command. https://docs.aws.amazon.com/systems-manager/latest/userguide/run-command.html

DeaconStJohn

This scenario is basically what SSM run command was designed for: "Using Run Command, a capability of AWS Systems Manager, you can remotely and securely manage the configuration of your managed nodes. A managed node is any Amazon Elastic Compute Cloud (Amazon EC2) instance or non-EC2 machine in your hybrid and multicloud environment that has been configured for Systems Manager. Run Command allows you to automate common administrative tasks and perform one-time configuration changes at scale. You can use Run Command from the AWS Management Console, the AWS Command Line Interface (AWS CLI), AWS Tools for Windows PowerShell, or the AWS SDKs. Run Command is offered at no additional cost."

DeaconStJohn

I stand corrected.... https://aws.amazon.com/blogs/security/how-to-auto-remediate-internet-accessible-ports-with-aws-config-and-aws-system-manager/#:~:text=Create%20a%20remediation%20action

kevino81Options: BE

B and E work for me