AWS Certified Advanced Networking – Specialty (ANS-C01) — Question 72

A company is hosting an application on Amazon EC2 instances behind an Application Load Balancer. The instances are in an Amazon EC2 Auto Scaling group. Because of a recent change to a security group, external users cannot access the application.

A network engineer needs to prevent this downtime from happening again. The network engineer must implement a solution that remediates noncompliant changes to security groups.

Which solution will meet these requirements?

Answer options

• A. Configure Amazon GuardDuty to detect inconsistencies between the desired security group configuration and the current security group configuration. Create an AWS Systems Manager Automation runbook to remediate noncompliant security groups.
• B. Configure an AWS Config rule to detect inconsistencies between the desired security group configuration and the current security group configuration. Configure AWS OpsWorks for Chef to remediate noncompliant security groups.
• C. Configure Amazon GuardDuty to detect inconsistencies between the desired security group configuration and the current security group configuration. Configure AWS OpsWorks for Chef to remediate noncompliant security groups.
• D. Configure an AWS Config rule to detect inconsistencies between the desired security group configuration and the current security group configuration. Create an AWS Systems Manager Automation runbook to remediate noncompliant security groups.

Correct answer: D

Explanation

The correct answer is D because AWS Config can continuously monitor and assess the compliance of security group configurations against desired settings, and using an AWS Systems Manager Automation runbook allows for automated remediation of any noncompliance. Option A is incorrect as it suggests using GuardDuty, which is not designed for remediation. Option B misuses AWS OpsWorks instead of Systems Manager for remediation, and option C also incorrectly uses GuardDuty for this purpose.