AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 302
During a security audit, a company discovered that some security groups allow SSH traffic from 0.0.0.0/0. A security team must implement a solution to detect and remediate this issue as soon as possible. The company uses one organization in AWS Organizations to manage all the company's AWS accounts.
Which solution will meet these requirements?
Answer options
- A. Enable AWS Config for all AWS accounts. Use a periodic trigger to activate the vpc-sg-port-restriction-check AWS Config rule. Create an AWS Lambda function to remediate any noncompliant rules.
- B. Create an AWS Lambda function in each AWS account to delete all the security group rules. Create an Amazon EventBridge rule to match security group update events or creation events. Set the Lambda function in each account as a target for the rule.
- C. Enable AWS Config for all AWS accounts. Create a custom AWS Config rule to run on the restricted-ssh configuration change trigger. Configure the rule to invoke an AWS Lambda function to remediate any noncompliant resources.
- D. Create an AWS Systems Manager Automation document in each account to inspect all security groups and to delete noncompliant rules. Use an Amazon EventBridge rule to run the Automation document every hour.
Correct answer: C
Explanation
Option C is correct because AWS Config supports configuration-change triggers, so a security group modification is detected in near real time and the rule can immediately invoke an AWS Lambda function to remediate the restricted-ssh violation. Option A is incorrect because the vpc-sg-port-restriction-check rule is designed for VPC endpoints, and a periodic trigger does not detect violations as quickly as a configuration-change trigger. Options B and D are incorrect because deleting all security group rules is far too destructive, and hourly polling through Systems Manager does not meet the requirement for rapid detection and remediation.
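A remediation Lambda of the kind option C describes, as an added example that is not part of the original question or any AWS-provided code. It assumes the function is the target of a custom AWS Config rule with a configuration-change trigger, that boto3 is available in the runtime, and that the execution role may call ec2:DescribeSecurityGroups, ec2:RevokeSecurityGroupIngress and config:PutEvaluations; the security group sample is constructed. Unlike option B, it revokes only the world-open SSH ranges and leaves every other rule in the group in place.

```python
import json
SSH_PORT = 22
WORLD_OPEN = {"0.0.0.0/0", "::/0"}  # the ranges the audit flagged

SAMPLE_PERMISSIONS = [  # constructed sample in DescribeSecurityGroups shape, not real data
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "Ipv6Ranges": [],
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]

def covers_ssh(perm):
    """True if an ingress permission admits TCP/22 (or every protocol and port)."""
    proto = perm.get("IpProtocol")
    return proto == "-1" or (
        proto == "tcp" and perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535))

def find_open_ssh_rules(ip_permissions):
    """Build the exact IpPermissions to revoke: only world-open ranges on SSH-covering rules."""
    to_revoke = []
    for perm in ip_permissions:
        if not covers_ssh(perm):
            continue
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") in WORLD_OPEN]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in WORLD_OPEN]
        if not (v4 or v6):
            continue
        entry = {"IpProtocol": perm["IpProtocol"]}
        if perm["IpProtocol"] != "-1":  # all-traffic rules carry no port range
            entry["FromPort"], entry["ToPort"] = perm["FromPort"], perm["ToPort"]
        if v4: entry["IpRanges"] = v4
        if v6: entry["Ipv6Ranges"] = v6
        to_revoke.append(entry)
    return to_revoke

def lambda_handler(event, context):
    """Entry point invoked by the custom AWS Config rule on a configuration change."""
    import boto3  # present in the Lambda runtime; imported here so the logic above runs offline
    item = json.loads(event["invokingEvent"]).get("configurationItem") or {}
    if item.get("resourceType") != "AWS::EC2::SecurityGroup" or \
            item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "skipped"  # nothing to evaluate, and a deleted group cannot be described
    sg_id, ec2 = item["resourceId"], boto3.client("ec2")
    live = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]
    bad = find_open_ssh_rules(live.get("IpPermissions", []))
    if bad:  # remediate first; the revoke itself is a new change Config will re-evaluate
        ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=bad)
    boto3.client("config").put_evaluations(ResultToken=event["resultToken"], Evaluations=[{
        "ComplianceResourceType": "AWS::EC2::SecurityGroup", "ComplianceResourceId": sg_id,
        "ComplianceType": "NON_COMPLIANT" if bad else "COMPLIANT",  # state Config captured
        "OrderingTimestamp": item["configurationItemCaptureTime"]}])
    return "remediated" if bad else "compliant"
```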