AWS Certified Solutions Architect Professional SAP-C02 Practice Question
Your organization has already turned on AWS Config recording in every AWS account and created an organization-wide aggregator in a delegated security account. The security engineers must now ensure that any security group that allows inbound SSH (TCP port 22) from 0.0.0.0/0 is detected and automatically remediated by deleting the rule. The solution must be centralized, avoid writing custom application code, and keep a detailed compliance history in AWS Config so that the team can verify every remediation. Which approach satisfies these requirements?
Use AWS Firewall Manager to create a security-group audit and enforcement policy that denies SSH from 0.0.0.0/0 and turn on automatic remediation across all accounts.
Enable Amazon GuardDuty in every member account and add an EventBridge rule in the security account that triggers a Lambda function to revoke any security-group rule that exposes port 22 to the internet.
Create an AWS Config organization managed rule named restricted-ssh and configure automatic remediation that invokes the AWS Systems Manager Automation runbook AWS-DisablePublicAccessForSecurityGroup by assuming a cross-account Automation role.
Activate the AWS Foundational Security Best Practices standard in AWS Security Hub and build a custom action that routes findings to a Step Functions workflow which calls Lambda to delete the non-compliant ingress rule.
Deploying the AWS Config managed rule restricted-ssh as an organization rule gives the security team a single place to evaluate every account for security groups that expose port 22 to the internet. Associating that rule with the AWS Systems Manager Automation runbook AWS-DisablePublicAccessForSecurityGroup and enabling automatic remediation means that, whenever the rule reports NON_COMPLIANT, AWS Config automatically starts the runbook, assuming the cross-account AutomationAssumeRole, to revoke the offending ingress rule. Both the compliance evaluations and the remediation execution history are stored by AWS Config and surfaced in the existing organization aggregator, which meets the auditing requirement without any custom Lambda or Step Functions code. The GuardDuty, Security Hub, and Firewall Manager-based alternatives either require custom code or record compliance in a different service, so they do not meet all of the stated requirements.
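The following is an added illustration for this question, not AWS code: a local model of what the restricted-ssh rule evaluates (NON_COMPLIANT when TCP port 22 is reachable from 0.0.0.0/0 or ::/0) next to the remediation configuration body that ties the rule to the AWS-DisablePublicAccessForSecurityGroup runbook, in the shape AWS Config's PutRemediationConfigurations API accepts. The security-group IDs, account ID and role name are constructed placeholders, and rule_name is assumed to be the name the rule carries in the account where the remediation is configured.

```python
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

def allows_public_ssh(group: dict) -> bool:
    """True if any ingress permission exposes TCP/22 to the whole internet.
    `group` follows the shape of an EC2 DescribeSecurityGroups entry."""
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":                       # "all traffic" includes port 22
            covers_22 = True
        elif proto == "tcp":                    # port ranges that contain 22 count too
            covers_22 = perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535)
        else:
            covers_22 = False
        public = (any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
                  or any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", [])))
        if covers_22 and public:
            return True
    return False

def evaluate(group: dict) -> str:
    """Compliance verdict in the vocabulary AWS Config reports."""
    return "NON_COMPLIANT" if allows_public_ssh(group) else "COMPLIANT"

def build_remediation(rule_name: str, automation_role_arn: str) -> dict:
    """Remediation configuration: runbook target, assumed role, and the
    non-compliant resource's ID passed through as the GroupId parameter."""
    return {
        "ConfigRuleName": rule_name,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": "AWS-DisablePublicAccessForSecurityGroup",
        "ResourceType": "AWS::EC2::SecurityGroup",
        "Automatic": True,                      # no manual approval step
        "MaximumAutomaticAttempts": 3,
        "RetryAttemptSeconds": 60,
        "Parameters": {
            "AutomationAssumeRole": {"StaticValue": {"Values": [automation_role_arn]}},
            "GroupId": {"ResourceValue": {"Value": "RESOURCE_ID"}},
        },
    }

# Constructed sample security groups (placeholder IDs, not real resources).
OPEN_SG = {"GroupId": "sg-0example1", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
RANGE_SG = {"GroupId": "sg-0example2", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
SAFE_SG = {"GroupId": "sg-0example3", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]}
```

Each remediation run started this way appears in the rule's remediation execution history in AWS Config, which is the record the aggregator surfaces.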
Continuous Improvement for Existing Solutions