AWS Certified Solutions Architect – Professional (SAP-C02) — Question 42
A company has 10 accounts that are part of an organization in AWS Organizations. AWS Config is configured in each account. All accounts belong to either the Prod OU or the NonProd OU.
The company has set up an Amazon EventBridge rule in each AWS account to notify an Amazon Simple Notification Service (Amazon SNS) topic when an Amazon EC2 security group inbound rule is created with 0.0.0.0/0 as the source. The company’s security team is subscribed to the SNS topic.
For all accounts in the NonProd OU, the security team needs to remove the ability to create a security group inbound rule that includes 0.0.0.0/0 as the source.
Which solution will meet this requirement with the LEAST operational overhead?
Answer options
- A. Modify the EventBridge rule to invoke an AWS Lambda function to remove the security group inbound rule and to publish to the SNS topic. Deploy the updated rule to the NonProd OU.
- B. Add the vpc-sg-open-only-to-authorized-ports AWS Config managed rule to the NonProd OU.
- C. Configure an SCP to allow the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is not 0.0.0.0/0. Apply the SCP to the NonProd OU.
- D. Configure an SCP to deny the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is 0.0.0.0/0. Apply the SCP to the NonProd OU.
Correct answer: D
Explanation
The correct answer is D. An SCP that denies ec2:AuthorizeSecurityGroupIngress when the source is 0.0.0.0/0 prevents such rules from being created in the first place, so no additional monitoring or remediation steps are needed. Option A adds complexity and operational overhead by requiring a Lambda function, and it remediates after the rule has already been created rather than preventing it. Option B is useful for monitoring but only detects non-compliant security groups; it does not enforce the required restriction. Option C is written as an allow rather than a deny, so it leaves room for exceptions and does not fully meet the requirement to eliminate the rule creation.