Exam AWS DevOps Engineer Professional topic 1 question 74 discussion

I go with c. Between A and C, I select C because A will send an alert on all the Security group changes

Answer is C can use AWS Config rule like `restricted-ssh` to monitor security groups for unrestricted SSH access ensures that any non-compliant changes are detected immediately. its not A because , though Amazon EventBridge can be used to create a rule that triggers on specific events, the AuthorizeSecurityGroupIngress event does not provide information about the contents of the security group rule that was added, so it cannot be used to detect if SSH access from any IP address was allowed.

Can't be A as any change to any port/ip will trigger it

Yes A will trigger event for every security group , Correct answer is C the rule will be non-compliant if cidr is 0.0.0.0 https://docs.aws.amazon.com/config/latest/developerguide/restricted-ssh.html

I vote for A: With option C, the its only recording ipv4 0.0.0.0 what about ipv6 changes https://docs.aws.amazon.com/whitepapers/latest/ipv6-on-aws/ipv6-security-and-monitoring-considerations.html Option C only applies to ipv4 so any security group changes to ipv6 CIDR will not be recorded. (The rule is COMPLIANT when IP addresses of the incoming SSH traffic in the security groups are restricted (CIDR other than 0.0.0.0/0). This rule applies only to IPv4) https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html

I agree with A after reading https://aws.amazon.com/premiumsupport/knowledge-center/monitor-security-group-changes-ec2/ and also interpreting the question as if ANY IP is added, not 0.0.0.0/0 like some suggested.

I think that the core sentence is this - "Inbound SSH access to the bastion hosts is restricted to specific IP addresses". That means that we don't want change the current addresses at all or add additional ones. In other words we must to be notified for ANY IP changes, not only from 0.0.0.0/0.

A for the win.

This sentence is key. "if the security group rules are modified to allow SSH access from any IP address. So I'd choose C. attention to Any IP address. C is "restricted-ssh managed rule" means that you will verify if your security group dont have setup 0.0.0.0/0 CIDR

C is the correct answer. A assumes that CloudTrail trail is created to send Cloudtrail events to CloudWatch logs. The link below defending A is using the event source as EC2 and event type as API call using CloudTrail but the option A talks about directly using CloudTrail as the source which is only possible if a trail is created to send events to CloudWatch Logs.

https://aws.amazon.com/premiumsupport/knowledge-center/monitor-security-group-changes-ec2/

Restricted SSH rule seems good fit

Answer is C. If you read the question properly it says change to any IP address which means 0.0.0.0/0 CIDR. So C is the best answer as the config rule will detect changes in the security group from restricted IP CIDR to any IP CIDR.

The wording in the answers are confusing. I'll go with C though. The requirement is "The company's security team wants to receive a notification if the security group rules are modified to allow SSH access from any IP address." AWS Config is the right service to look for changes to baseline configurations.

C is not the answer because restricted-ssh checks if the incoming SSH traffic for the security groups is accessible. The rule is COMPLIANT when IP addresses of the incoming SSH traffic in the security groups are restricted (CIDR other than 0.0.0.0/0). This rule applies only to IPv4.

C is the best option

I go with Choice A REF : https://aws.amazon.com/premiumsupport/knowledge-center/monitor-security-group-changes-ec2/