Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 42 discussion

A is right. The Config rule restricted-ssh will not check the ingress rule that use the CIDR other than 0.0.0.0/0 and not notify anyone.

I'm going to have to go with A on this one: https://aws.plainenglish.io/detecting-modifications-to-aws-ec2-security-groups-2ef8989a3350 https://repost.aws/knowledge-center/monitor-security-group-changes-ec2

The key point here is "allow SSH access from any IP address" which is exactly "the restricted-ssh managed rule", said that, it's C

Very, very, very hard question. I think the key point here is the ANY, based on that, it's C

A would be right if the "ANY" word describing all IPs (0.0.0.0/0) wasn't there. CloudTrail will notify you for any SG rule change.

Option C (Incorrect): AWS Config rules are good for ongoing compliance checks, but they don't provide real-time notifications for changes. Config rules run periodically, which could result in a delay between the change and the notification. The automatic remediation aspect is not required in this scenario and could potentially interfere with legitimate changes. Hence, it is Option A.

A: Would send a message to SNS for every change, so not only SSH but all other ports/services. This would be too much. I do get the other comments that C would only notify for 0.0.0.0/0 but I think that is what the question is trying to state with "any IP".

C is the answer : https://docs.aws.amazon.com/config/latest/developerguide/notifications-for-AWS-Config.html

keywords: Inbound SSH access C restricted for SSH port (22) only from ANY address

A! "AWS Config provides rules such as restricted-ssh that can be used to detect Security Groups that have SSH access open for any IP".

A is right

I think keyword for C must be "ALL". ANY means when new IP is added to security group, so SNS will be triggered

C makes way more sense from the way AWS wants us to do it

i vote for c

A. This is the correct solution because it leverages Amazon EventBridge to monitor for changes to the security group rules, specifically the AuthorizeSecurityGroupIngress event, which indicates that the security group rules have been modified to allow SSH access from any IP address. By creating an EventBridge rule with the appropriate event pattern and defining an Amazon SNS topic as the target, the DevOps engineer can ensure that the security team receives a notification whenever the security group rules are modified in an undesirable way.

Answer is C The restricted-ssh managed rule in AWS Config helps ensure your bastion host security groups are locked down for SSH access. It specifically checks if incoming SSH traffic is accessible for the security groups. The rule is considered COMPLIANT if: SSH access is not open to the public (meaning the rule doesn't find a security group allowing 0.0.0.0/0 for port 22). SSH access is restricted to specific IP addresses or security groups using CIDR notation (e.g., 10.0.0.0/16). If the rule detects a security group allowing SSH access from anywhere (0.0.0.0/0), it triggers a NON_COMPLIANT status.

restricted-ssh : The rule is COMPLIANT if the IP addresses of the incoming SSH traffic in the security groups are restricted (CIDR other than 0.0.0.0/0 or ::/0). Otherwise, NON_COMPLIANT. https://docs.aws.amazon.com/config/latest/developerguide/restricted-ssh.html That addresses exactly the requirement !