AWS Certified SysOps Administrator – Associate (legacy) — Question 881

The Security team has decided that there will be no public internet access to HTTP (TCP port 80) because it is moving to HTTPS for all incoming web traffic. The team has asked a SysOps Administrator to provide a report on any security groups that are not compliant.
What should the SysOps Administrator do to provide near real-time compliance reporting?

Answer options

• A. Enable AWS Trusted Advisor and show the Security team that the Security Groups unrestricted access check will alarm.
• B. Schedule an AWS Lambda function to run hourly to scan and evaluate all security groups, and send a report to the Security team.
• C. Use AWS Config to enable the restricted-common-ports rule, and add port 80 to the parameters.
• D. Use Amazon Inspector to evaluate the security groups during scans, and send the completed reports to the Security team.

Correct answer: D

Explanation

Amazon Inspector allows for the assessment of network reachability, including security group configurations, to identify open ports such as TCP port 80 during its automated scans. This provides the security team with detailed, near real-time reports regarding exposure and compliance state. Other solutions, such as hourly AWS Lambda functions or AWS Trusted Advisor, do not provide the same specialized, automated scanning and comprehensive security reporting capabilities for network security groups.