AWS Certified SysOps Administrator – Associate (legacy) — Question 613
A security audit revealed that the security groups in a VPC have ports 22 and 3389 open to all, introducing a possible threat that instances can be stopped or configurations can be modified. A sysops administrator needs to automate remediation.
What should the sysops administrator do to meet these requirements?
Answer options
- A. Create an IAM managed policy to deny access to ports 22 and 3389 on any security groups in a VPC.
- B. Define an AWS Config rule and remediation action with AWS Systems Manager automation documents.
- C. Enable AWS Trusted Advisor to remediate public port access.
- D. Use AWS Systems Manager configuration compliance to remediate public port access.
Correct answer: B
Explanation
AWS Config can continuously monitor resources for compliance violations, such as unrestricted SSH/RDP access, and trigger automatic remediation using AWS Systems Manager Automation documents. IAM policies manage API permissions rather than network-level traffic, making Option A incorrect. AWS Trusted Advisor and Systems Manager configuration compliance identify issues but do not natively provide automated remediation for security group rule configurations.
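As an added illustration (not part of the question bank or AWS's own code) of what option B automates: the per-resource check a Config rule performs, returning COMPLIANT or NON_COMPLIANT for a security group in the shape of an EC2 DescribeSecurityGroups entry, and the parameters the remediation action would hand to the AWS-managed Systems Manager automation document AWS-DisablePublicAccessForSecurityGroup. The security groups and role ARN below are constructed sample data.

```python
# Added example, not from the question page. Evaluation logic in the style of an
# AWS Config custom rule for "SSH/RDP open to the world", plus the parameter map
# a remediation action passes to the SSM automation document.
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
REMEDIATION_DOCUMENT = "AWS-DisablePublicAccessForSecurityGroup"  # AWS-managed doc


def _covers(perm, port):
    """True if an inbound permission entry allows TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _world_open(perm):
    """True if the entry's source includes the whole internet (IPv4 or IPv6)."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def evaluate(sg):
    """Return (compliance_type, findings) the way a Config rule would report it."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        if not _world_open(perm):
            continue
        for port, name in ADMIN_PORTS.items():
            if _covers(perm, port):
                findings.append(f"{name} ({port}) open to the world")
    return ("NON_COMPLIANT" if findings else "COMPLIANT", findings)


def remediation_params(sg, role_arn):
    """Parameters Config passes to the SSM document for a non-compliant group."""
    return {"GroupId": sg["GroupId"], "IpAddressToBlock": ANY_V4,
            "AutomationAssumeRole": role_arn}


# Constructed sample groups (hypothetical IDs and CIDRs).
BAD_SG = {"GroupId": "sg-0badexample", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": ANY_V4}]},
    {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000, "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]},
]}
GOOD_SG = {"GroupId": "sg-0goodexample", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": ANY_V4}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
]}
```

Note that a port range or an all-protocol (`-1`) rule counts as exposing 22 or 3389 even when neither port is listed explicitly; a check that only matches exact port numbers would miss both.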