
Exam AWS Certified SysOps Administrator - Associate topic 1 question 352 discussion

A company wants to monitor the security groups of its Amazon EC2 instances to ensure that SSH is not open to the public. If the port is opened, the company needs to close the port as soon as possible.

Which combination of actions should a SysOps administrator take to meet these requirements? (Choose two.)

  • A. Add an Amazon CloudWatch alarm to detect the security groups that allow SSH.
  • B. Add an AWS Config rule to detect the security groups that allow SSH.
  • C. Add an assessment template to Amazon Inspector to detect the security groups that allow SSH.
  • D. Call an AWS Systems Manager Automation runbook to close the port.
  • E. Call AWS Systems Manager Run Command to close the port.
Suggested Answer: BD

Comments

Pete987
Highly Voted 1 year, 10 months ago
Selected Answer: BD
Add an AWS Config rule to detect the security groups that allow SSH. By creating a custom AWS Config rule, you can define the desired configuration that checks if SSH ports are open in security groups. This rule will evaluate the current state of the security groups and report any violations. Call an AWS Systems Manager Automation runbook to close the port. Set up an AWS Systems Manager Automation runbook that can be triggered when a violation is detected by the AWS Config rule. The runbook should include the necessary steps to close the SSH port in the affected security groups, ensuring that the port is no longer accessible to the public.
upvoted 8 times
james2033
Most Recent 10 months ago
Selected Answer: BD
* Detect SSH port open: A, B, or C? --> AWS Config rule --> B.
* Close: D or E? --> automation --> D.
upvoted 2 times
nharaz
1 year, 4 months ago
Selected Answer: BD
(AWS Systems Manager Run Command) is a valid Systems Manager feature, but it is more suitable for one-time commands rather than automated remediation based on continuous compliance checks performed by AWS Config. For continuous compliance checks, AWS Config Rules and Automation runbooks are more appropriate.
upvoted 2 times
DeaconStJohn
1 year, 5 months ago
Selected Answer: BE
I can't see any pre-defined runbooks that are designed to close a port. That being said, this is a simple script. Why do we think we are better off not using Run Command? Sure, I can create my own Automation runbook, but I still need to provide a script. That makes it a similar overhead to using Run Command. As this is one-off maintenance, I personally would use Run Command. https://docs.aws.amazon.com/systems-manager/latest/userguide/run-command.html
upvoted 1 times
DeaconStJohn
1 year, 5 months ago
I stand corrected... https://aws.amazon.com/blogs/security/how-to-auto-remediate-internet-accessible-ports-with-aws-config-and-aws-system-manager/#:~:text=Create%20a%20remediation%20action
upvoted 1 times
DeaconStJohn
1 year, 5 months ago
This scenario is basically what SSM run command was designed for: "Using Run Command, a capability of AWS Systems Manager, you can remotely and securely manage the configuration of your managed nodes. A managed node is any Amazon Elastic Compute Cloud (Amazon EC2) instance or non-EC2 machine in your hybrid and multicloud environment that has been configured for Systems Manager. Run Command allows you to automate common administrative tasks and perform one-time configuration changes at scale. You can use Run Command from the AWS Management Console, the AWS Command Line Interface (AWS CLI), AWS Tools for Windows PowerShell, or the AWS SDKs. Run Command is offered at no additional cost."
upvoted 1 times
[Removed]
1 year, 9 months ago
Selected Answer: BD
Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network.
upvoted 2 times
Christina666
1 year, 9 months ago
Selected Answer: BD
B: no issues. Between D and E, choose D as it's using automation to call an AWS service. D: Automation, a capability of AWS Systems Manager, simplifies common maintenance, deployment, and remediation tasks for AWS services like Amazon Elastic Compute Cloud (Amazon EC2), Amazon Relational Database Service (Amazon RDS), Amazon Redshift, Amazon Simple Storage Service (Amazon S3), and many more. E: Using Run Command, a capability of AWS Systems Manager, you can remotely and securely manage the configuration of your managed nodes. With command documents you are executing commands on your managed instances (e.g. yum update).
upvoted 2 times
[Removed]
1 year, 9 months ago
BBBBBBBBDDDDDDDDDDD
upvoted 2 times
kevinguana
1 year, 9 months ago
But how can you trigger SSM from AWS Config?
upvoted 1 times
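The detection-and-remediation pattern the suggested answer describes (an AWS Config rule that flags security groups exposing SSH, wired to a Systems Manager Automation runbook), and kevinguana's question above about how Config triggers SSM, as an added Python example that is not part of the exam page or of any commenter's post. evaluate_security_group implements the check a custom Config rule's Lambda would perform over the output of ec2.describe_security_groups and returns the Evaluation shape that config.put_evaluations expects; remediation_configuration builds the payload for config.put_remediation_configurations, which is the mechanism by which a Config rule hands each non-compliant resource to an Automation runbook (a remediation action). AWS-DisablePublicAccessForSecurityGroup is the AWS-managed runbook that removes world-open SSH/RDP rules; the rule name, role ARN, group IDs and sample ingress rules are constructed placeholders, and no boto3 call is made, so the block runs offline.

```python
"""Custom 'SSH open to the world' check plus the AWS Config remediation wiring
that hands findings to a Systems Manager Automation runbook.
Added example, not from the exam page; sample data is constructed."""
from __future__ import annotations

import ipaddress
from datetime import datetime, timezone
from typing import Any

SSH_PORT = 22
RESOURCE_TYPE = "AWS::EC2::SecurityGroup"


def cidr_is_world_open(cidr: str) -> bool:
    """A /0 prefix (0.0.0.0/0 or ::/0) admits every address on the internet."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def permission_covers_port(perm: dict[str, Any], port: int) -> bool:
    """True if one IpPermissions entry reaches `port` over TCP (or allows all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":          # EC2 encodes "all protocols, all ports" as -1
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def world_open_sources(perm: dict[str, Any]) -> list[str]:
    """CIDR sources of a permission that expose it to the whole internet."""
    ranges = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    ranges += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in ranges if c and cidr_is_world_open(c)]


def evaluate_security_group(sg: dict[str, Any],
                            ordering_ts: datetime | None = None) -> dict[str, Any]:
    """One Config Evaluation (the shape put_evaluations expects) for a security
    group as returned by ec2.describe_security_groups()."""
    offending: list[str] = []
    for perm in sg.get("IpPermissions", []):
        if permission_covers_port(perm, SSH_PORT):
            offending.extend(world_open_sources(perm))
    if offending:
        compliance = "NON_COMPLIANT"
        note = f"SSH (tcp/{SSH_PORT}) reachable from {', '.join(sorted(set(offending)))}"
    else:
        compliance = "COMPLIANT"
        note = "No ingress rule exposes SSH to 0.0.0.0/0 or ::/0"
    return {
        "ComplianceResourceType": RESOURCE_TYPE,
        "ComplianceResourceId": sg["GroupId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],      # Config caps annotations at 256 characters
        "OrderingTimestamp": ordering_ts or datetime.now(timezone.utc),
    }


def remediation_configuration(rule_name: str, assume_role_arn: str,
                              runbook: str = "AWS-DisablePublicAccessForSecurityGroup"
                              ) -> dict[str, Any]:
    """Payload for config.put_remediation_configurations(RemediationConfigurations=[...]).
    Automatic=True is what closes the port with no human in the loop; Config fills
    RESOURCE_ID with the ID of each NON_COMPLIANT security group."""
    return {
        "ConfigRuleName": rule_name,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": runbook,
        "Parameters": {
            "AutomationAssumeRole": {"StaticValue": {"Values": [assume_role_arn]}},
            "GroupId": {"ResourceValue": {"Value": "RESOURCE_ID"}},
        },
        "Automatic": True,
        "MaximumAutomaticAttempts": 5,   # required when Automatic is True
        "RetryAttemptSeconds": 60,
    }


# Constructed sample in the shape of ec2.describe_security_groups()["SecurityGroups"]
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000aaaa", "IpPermissions": [   # SSH from anywhere (IPv4)
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000bbbb", "IpPermissions": [   # SSH only from a private range
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000cccc", "IpPermissions": [   # all traffic from anywhere (IPv6)
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0000dddd", "IpPermissions": [   # public HTTP, not SSH
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


def non_compliant_groups(groups: list[dict[str, Any]] = SAMPLE_GROUPS) -> list[str]:
    """IDs of the groups a Config rule would report as NON_COMPLIANT."""
    evals = (evaluate_security_group(g) for g in groups)
    return [e["ComplianceResourceId"] for e in evals if e["ComplianceType"] == "NON_COMPLIANT"]


if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        e = evaluate_security_group(g)
        print(e["ComplianceResourceId"], e["ComplianceType"], "-", e["Annotation"])
    print(remediation_configuration("ssh-not-world-open",
                                    "arn:aws:iam::123456789012:role/ConfigRemediationRole"))
```

In a real deployment the evaluation runs inside the rule's Lambda (or you use the managed rule restricted-ssh instead of a custom one) and the remediation payload is sent once with put_remediation_configurations; from then on every NON_COMPLIANT evaluation starts the runbook against that group ID, and the annotation tells the responder which CIDR opened the port. Run Command, by contrast, has no such hook from Config, which is why D rather than E completes the automated loop.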
TQM__9MD
1 year, 10 months ago
Selected Answer: BD
B and D
upvoted 3 times
kevino81
1 year, 10 months ago
Selected Answer: BE
B and E work for me
upvoted 1 times
jas26says
1 year, 10 months ago
Selected Answer: BD
It's B and D
upvoted 4 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other