AWS Certified SysOps Administrator – Associate — Question 247
A company needs to view a list of security groups that are open to the internet on port 3389.
What should a SysOps administrator do to meet this requirement?
Answer options
- A. Configure Amazon GuardDuty to scan security groups and report unrestricted access on port 3389.
- B. Configure a service control policy (SCP) to identify security groups that allow unrestricted access on port 3389.
- C. Use AWS Identity and Access Management Access Analyzer to find any instances that have unrestricted access on port 3389.
- D. Use AWS Trusted Advisor to find security groups that allow unrestricted access on port 3389.
Correct answer: D
Explanation
The correct answer is D because AWS Trusted Advisor includes security checks that flag security groups allowing unrestricted inbound access (0.0.0.0/0) on specific ports, including port 3389 (RDP), which is exactly the list the company needs. Option A is incorrect because Amazon GuardDuty detects threats from log and network telemetry rather than listing security group configurations. Option B is incorrect because service control policies (SCPs) restrict permissions across accounts in an organization and cannot identify security group settings. Option C is incorrect because IAM Access Analyzer analyzes resource and identity policies for external or unused access; it does not inspect security group rules or produce a list of security groups the way Trusted Advisor does.