Examtopics

AWS Certified DevOps Engineer - Professional
  • Topic 1 Question 308

    During a security audit, a company discovered that some security groups allow SSH traffic from 0.0.0.0/0. A security team must implement a solution to detect and remediate this issue as soon as possible. The company uses one organization in AWS Organizations to manage all the company's AWS accounts.

    Which solution will meet these requirements?

    • Enable AWS Config for all AWS accounts. Use a periodic trigger to activate the vpc-sg-port-restriction-check AWS Config rule. Create an AWS Lambda function to remediate any noncompliant rules.

    • Create an AWS Lambda function in each AWS account to delete all the security group rules. Create an Amazon EventBridge rule to match security group update events or creation events. Set the Lambda function in each account as a target for the rule.

    • Enable AWS Config for all AWS accounts. Create a custom AWS Config rule to run on the restricted-ssh configuration change trigger. Configure the rule to invoke an AWS Lambda function to remediate any noncompliant resources.

    • Create an AWS Systems Manager Automation document in each account to inspect all security groups and to delete noncompliant rules. Use an Amazon EventBridge rule to run the Automation document every hour.
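As an added example (not part of the exam page), here is the evaluation logic a custom AWS Config rule's Lambda function, as in the configuration-change-triggered option above, would apply to a security group configuration item: it flags ingress rules that expose TCP/22 to 0.0.0.0/0 or ::/0 and returns the compliance type Config expects. The security group id, timestamp and rules in the sample are constructed; the managed restricted-ssh rule performs the same check without custom code.

```python
import json

SSH_PORT = 22
ANYWHERE = {"0.0.0.0/0", "::/0"}

def _covers_ssh(perm):
    """True if an ingress permission includes TCP/22 (or all traffic)."""
    proto = perm.get("ipProtocol")
    if proto == "-1":                      # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("fromPort", 0) <= SSH_PORT <= perm.get("toPort", 65535)

def _open_to_world(perm):
    """True if any IPv4/IPv6 range on the permission is 0.0.0.0/0 or ::/0."""
    v4 = (r.get("cidrIp") for r in perm.get("ipRanges", []))
    v6 = (r.get("cidrIpv6") for r in perm.get("ipv6Ranges", []))
    return any(c in ANYWHERE for c in (*v4, *v6))

def find_unrestricted_ssh(configuration):
    """Return the ingress permissions that expose SSH to the internet."""
    return [p for p in configuration.get("ipPermissions", [])
            if _covers_ssh(p) and _open_to_world(p)]

def evaluate(item):
    """Map a Config configuration item to a compliance type."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE"
    if item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE"            # nothing left to remediate
    bad = find_unrestricted_ssh(item.get("configuration") or {})
    return "NON_COMPLIANT" if bad else "COMPLIANT"

def build_evaluation(event):
    """Turn a configuration-change invocation into the dict that the deployed
    function passes to put_evaluations with ResultToken=event["resultToken"]."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": evaluate(item),
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

# Constructed sample: one private rule plus one port range covering 22 open to the world.
SAMPLE_ITEM = {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example",
    "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "10.0.0.0/8"}]},
        {"ipProtocol": "tcp", "fromPort": 20, "toPort": 25, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}}
SAMPLE_EVENT = {"invokingEvent": json.dumps({"configurationItem": SAMPLE_ITEM}), "resultToken": "TESTMODE"}
```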

