AWS Certified Solutions Architect Professional SAP-C02 Practice Question

The correct approach is to use AWS Config with a managed rule and an AWS Systems Manager (SSM) Automation document for remediation. AWS Config is the primary service for assessing and auditing the configurations of AWS resources. The restricted-ssh managed rule is specifically designed to detect when a security group allows unrestricted incoming traffic to port 22. By configuring this rule with an automatic remediation action that invokes the AWS-DisablePublicAccessForSecurityGroup SSM Automation document, the system can automatically detect and revert the non-compliant change without custom code. This solution is highly scalable, manageable across an entire AWS Organization using AWS Config aggregators and conformance packs, and aligns with the principle of using managed services for common tasks.

• Using Amazon GuardDuty is incorrect because GuardDuty is a threat detection service, not a configuration compliance service. It analyzes logs for malicious activity (e.g., an actual brute-force attack on an open port) rather than detecting the configuration state of the port itself.
• Using Amazon Inspector is incorrect because it is a vulnerability scanning service that identifies software vulnerabilities and network exposure on a scheduled basis. It does not provide real-time detection of configuration changes, which is a key requirement for immediate remediation.
• Using an EventBridge rule with a custom Lambda function to parse CloudTrail logs is a viable but less optimal solution. This approach requires writing and maintaining custom code to perform the detection and remediation logic. The AWS Config and SSM solution provides a fully managed, code-free alternative that is more robust and easier to maintain at scale, making it the superior choice.