ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty All Questions

View all questions & answers for the AWS Certified Security - Specialty exam
Go to Exam

Exam AWS Certified Security - Specialty topic 1 question 282 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 282
Topic #: 1
[All AWS Certified Security - Specialty Questions]

An audit determined that a company's Amazon EC2 instance security group violated company policy by allowing unrestricted incoming SSH traffic. A security engineer must implement a near-real-time monitoring and alerting solution that will notify administrators of such violations.
Which solution meets these requirements with the MOST operational efficiency?

  • A. Create a recurring Amazon Inspector assessment run that runs every day and uses the Network Reachability package. Create an Amazon CloudWatch rule that invokes an AWS Lambda function when an assessment rum starts. Configure the Lambda function to retrieve and evaluate the assessment run report when it completes. Configure the Lambda function also to publish an Amazon Simple Notification Service (Amazon SNS) notification is there are any violations for unrestricted incoming SSH traffic.
  • B. Use the restricted-ssh AWS Config managed rule that is invoked by security group configuration changes that are not compliant. Use the AWS Config remediation feature to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.
  • C. Configure VPC Flow Logs for the VPC, and specify an Amazon CloudWatch Logs group. Subscribe the CloudWatch Logs group to an AWS Lambda function that parses new log entries, detects successful connections on port 22, and publishes a notification through Amazon Simple Notification Service (Amazon SNS).
  • D. Create a recurring Amazon Inspector assessment run that runs every day and uses the Security Best Practices package. Create an Amazon CloudWatch rule that invokes an AWS Lambda function when an assessment rum starts. Configure the Lambda function to retrieve and evaluate the assessment run report when it completes. Configure the Lambda function also to publish an Amazon Simple Notification Service (Amazon SNS) notification is there are any violations for unrestricted incoming SSH traffic.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by dumma at Aug. 26, 2021, 12:34 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Igloo
Highly Voted 3 years, 9 months ago
Answer: B Both A and B would work but B in simpler and the question asks for a solution with MOST operational efficiency (nb simple)
upvoted 26 times
1awssec
3 years, 8 months ago
+ A is NOT "near-real-time" requirement
upvoted 6 times
...
kujin
2 years, 2 months ago
https://docs.aws.amazon.com/config/latest/developerguide/restricted-ssh.html Trigger type: Configuration changes restricted-ssh managed rule is evaluated with configuration change triggered evaluation mode (not periodic triggered evaluation mode)
upvoted 1 times
...
...
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: B
Cannot be anything but B.
upvoted 1 times
...
Raphaello
1 year, 4 months ago
Selected Answer: B
It can't be anything but B!
upvoted 1 times
...
Toptip
2 years, 1 month ago
Selected Answer: B
Both B and C solutions work. but i prefer B over C because it's less complex and less operational overhead
upvoted 1 times
...
Saad_1
2 years, 2 months ago
https://aws.amazon.com/blogs/security/how-to-monitor-and-visualize-failed-ssh-access-attempts-to-amazon-ec2-linux-instances/ Should be C, since it is real time monitoring.
upvoted 1 times
kujin
2 years, 2 months ago
https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html After you create a flow log, it can take several minutes to begin collecting and publishing data to the chosen destinations. Flow logs do not capture real-time log streams for your network interfaces.
upvoted 1 times
...
...
ninera
2 years, 5 months ago
Ans: B A:AWS Config: delivered in 6-hour intervals, as configuration history files. details about the resources that changed in that 6-hour, B: Inspector: Automated discovery and continual scanning that delivers near real-time vulnerability findings
upvoted 1 times
ninera
2 years, 5 months ago
I meant A!!!!
upvoted 1 times
...
...
Smartphone
2 years, 5 months ago
For the managed rule, aws config service does not provide any delay.... AWS Config can be used to provide real time solution... Why B could not be the correct option becuase in the option B it is written "Use the AWS Config remediation feature to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic". AWS config remediation feature is basically used to remediate the change and it is not for publishing a message to AWS SNS topics. Should I expect a delay in reporting evaluation results for a managed rule with configuration changes? Any managed ruled affected by this change will be updated. You should not experience any delay in reporting evaluation results for a managed rule with configuration changes. https://docs.aws.amazon.com/config/latest/developerguide/faq.html#faq-4
upvoted 1 times
...
examhamster
2 years, 5 months ago
Answer: B Not only can AWS Config monitor and detect deviations from desired configurations, but it can also be used together with other services, such as AWS Systems Manager, to automatically remediate such deviations when they are detected. These remediation actions are declared in Systems Manager automation documents, which are invoked by AWS Config when a resource is found to be noncompliant. This turns AWS Config into not only a detection mechanism, but also a near-real-time automated response one. https://aws.amazon.com/tw/blogs/mt/implement-aws-config-rule-remediation-with-systems-manager-change-manager/
upvoted 1 times
...
sakibmas
2 years, 6 months ago
Selected Answer: C
near-real-time - cloudwatch reference: https://aws.amazon.com/blogs/security/how-to-automatically-revert-and-receive-notifications-about-changes-to-your-amazon-vpc-security-groups/
upvoted 3 times
...
D2
2 years, 7 months ago
Answer C Config is not real time ( within 24 hours). Inspector - we need to schedule (again, not real time). Only option C is real time
upvoted 1 times
...
dcasabona
2 years, 11 months ago
Selected Answer: B
I go on B, much simpler and it will work.
upvoted 1 times
...
francisco_guerra
2 years, 12 months ago
two methods one is near-real-time https://aws.amazon.com/blogs/security/how-to-monitor-aws-account-configuration-changes-and-api-calls-to-amazon-ec2-security-groups/ and Network Reachability package makes apply to SG https://docs.aws.amazon.com/inspector/v1/userguide/inspector_network-reachability.html Ans: A
upvoted 2 times
...
sapien45
2 years, 12 months ago
Selected Answer: B
restricted-ssh PDF RSS Checks if the incoming SSH traffic for the security groups is accessible. The rule is COMPLIANT when IP addresses of the incoming SSH traffic in the security groups are restricted (CIDR other than 0.0.0.0/0). This rule applies only to IPv4. Identifier: INCOMING_SSH_DISABLED Trigger type: Configuration changes
upvoted 1 times
...
Alexey79
3 years, 2 months ago
Selected Answer: A
“design a system for near-real-time monitoring and alerting” A: https://aws.amazon.com/inspector/faqs/ “ Automated discovery and continual scanning that delivers near real-time vulnerability findings. “ Why NOT B: https://aws.amazon.com/blogs/security/how-to-monitor-aws-account-configuration-changes-and-api-calls-to-amazon-ec2-security-groups/ “ Changes to the security group’s configuration are reported during the next Config compliance evaluation, typically within 10 minutes. “
upvoted 1 times
...
DingjieDanielYang
3 years, 4 months ago
Selected Answer: B
One Key usage of AWS Config is to monitor SG changes
upvoted 1 times
...
lotfi50
3 years, 4 months ago
Selected Answer: B
Answer is B
upvoted 2 times
...
AliS2020
3 years, 5 months ago
Should be B AWS Config allows you to remediate noncompliant resources that are evaluated by AWS Config Rules. AWS Config applies remediation using AWS Systems Manager Automation documents. These documents define the actions to be performed on noncompliant AWS resources evaluated by AWS Config Rules. You can associate SSM documents by using AWS Management Console or by using APIs. AWS Config provides a set of managed automation documents with remediation actions. You can also create and associate custom automation documents with AWS Config rules. As it does give you an option to Setting Up Auto Remediation (Console) https://docs.aws.amazon.com/config/latest/developerguide/remediation.html#setup-autoremediation
upvoted 2 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel