AWS Certified DevOps Engineer – Professional — Question 130

A company uses a single AWS account to test applications on Amazon EC2 instances. The company has turned on AWS Config in the AWS account and has activated the restricted-ssh AWS Config managed rule.

The company needs an automated monitoring solution that will provide a customized notification in real time if any security group in the account is not compliant with the restricted-ssh rule. The customized notification must contain the name and ID of the noncompliant security group.

A DevOps engineer creates an Amazon Simple Notification Service (Amazon SNS) topic in the account and subscribes the appropriate personnel to the topic.

What should the DevOps engineer do next to meet these requirements?

Answer options

• A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that matches an AWS Config evaluation result of NON_COMPLIANT for the restricted-ssh rule. Configure an input transformer for the EventBridge (CloudWatch Events) rule. Configure the EventBridge (CloudWatch Events) rule to publish a notification to the SNS topic.
• B. Configure AWS Config to send all evaluation results for the restricted-ssh rule to the SNS topic. Configure a filter policy on the SNS topic to send only notifications that contain the text of NON_COMPLIANT in the notification to subscribers.
• C. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that matches an AWS Config evaluation result of NON_COMPLIANT for the restricted-ssh rule. Configure the EventBridge (CloudWatch Events) rule to invoke AWS Systems Manager Run Command on the SNS topic to customize a notification and to publish the notification to the SNS topic.
• D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that matches all AWS Config evaluation results of NON_COMPLIANT. Configure an input transformer for the restricted-ssh rule. Configure the EventBridge (CloudWatch Events) rule to publish a notification to the SNS topic.

Correct answer: A

Explanation

The correct answer is A because it specifically addresses the need for a customized notification by using an input transformer to extract relevant details and publish them to the SNS topic when the restricted-ssh rule is found to be NON_COMPLIANT. Option B fails to customize the notification and relies on a filter policy, which doesn't meet the real-time notification requirement. Option C incorrectly suggests using AWS Systems Manager Run Command, which is not necessary for sending notifications. Option D is too broad, as it would trigger notifications for all NON_COMPLIANT results, not specifically for the restricted-ssh rule.