DOP-C02 · Question #354
The correct answer is A.
Question
A security team must record the configuration of AWS resources, detect issues, and send notifications for findings. The main workload in the AWS account consists of an Amazon EC2 Auto Scaling group that scales in and out several times during the day. The team wants to be notified within 2 days if any Amazon EC2 security group allows traffic on port 22 for 0.0.0.0/0. The team also needs a snapshot of the configuration of the AWS resources to be taken routinely. The security team has already created and subscribed to an Amazon Simple Notification Service (Amazon SNS) topic. Which solution meets these requirements?
Options
- A. Configure AWS Config to use periodic recording for the AWS account. Deploy the vpc-sg-port-
- B. Configure AWS Config to use configuration change recording for the AWS account. Deploy the
- C. Configure AWS Config to use configuration change recording for the AWS account. Deploy the
- D. Create an AWS Lambda function to evaluate security groups and publish a message to the SNS
Explanation
Periodic recording with AWS Config ensures that resource configurations are recorded routinely, capturing snapshots of the AWS resources as requested by the security team. The vpc-sg-port-restriction-check AWS Config managed rule is specifically designed to detect when security groups allow unrestricted access on certain ports, such as port 22 (SSH) for 0.0.0.0/0, meeting the security team's requirement to detect and notify on such configurations. By configuring AWS Config to use the existing SNS topic for notifications, the team will be notified within the required timeframe if any issues are detected.
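As an added illustration (not part of the exam page and not AWS sample code), the following CloudFormation template wires up the three pieces answer A relies on: an AWS Config recorder using the DAILY recording frequency (the "periodic recording" the question refers to), a delivery channel that writes a snapshot every 24 hours to S3 and sends Config notifications to the team's existing SNS topic, and the vpc-sg-port-restriction-check managed rule scoped to port 22. It assumes the S3 bucket and SNS topic already exist and that their resource policies already allow config.amazonaws.com (bucket) and events.amazonaws.com (topic) to write to them; the rule's `restrictPorts` parameter name is an assumption to verify against the current managed-rule documentation.

```yaml
# Added example; assumptions: existing bucket/topic with suitable resource policies,
# and "restrictPorts" as the managed rule's port-list parameter (check current docs).
AWSTemplateFormatVersion: "2010-09-09"
Description: Daily AWS Config recording, SSH-open-to-world detection, SNS notification

Parameters:
  ConfigBucketName:
    Type: String
    Description: Existing S3 bucket for snapshots (bucket policy must allow config.amazonaws.com)
  SecurityTeamTopicArn:
    Type: String
    Description: ARN of the SNS topic the security team already created and subscribed to

Resources:
  ConfigServiceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: config.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWS_ConfigRole

  # Periodic (daily) recording: configurations are captured once every 24 hours rather
  # than on every change, so the Auto Scaling group's repeated scale-in/scale-out does
  # not produce a configuration item per instance launch or termination.
  Recorder:
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      Name: default
      RoleARN: !GetAtt ConfigServiceRole.Arn
      RecordingGroup:
        AllSupported: true
      RecordingMode:
        RecordingFrequency: DAILY

  # Delivery channel: routine snapshot to S3 every 24 hours, and AWS Config
  # notifications (including ComplianceChangeNotification) to the existing topic.
  DeliveryChannel:
    Type: AWS::Config::DeliveryChannel
    Properties:
      Name: default
      S3BucketName: !Ref ConfigBucketName
      SnsTopicARN: !Ref SecurityTeamTopicArn
      ConfigSnapshotDeliveryProperties:
        DeliveryFrequency: TwentyFour_Hours

  # Managed rule that flags any security group allowing inbound port 22 from 0.0.0.0/0.
  SshOpenToWorldRule:
    Type: AWS::Config::ConfigRule
    DependsOn: Recorder
    Properties:
      ConfigRuleName: sg-port-22-open-to-world
      Source:
        Owner: AWS
        SourceIdentifier: VPC_SG_PORT_RESTRICTION_CHECK
      InputParameters:
        restrictPorts: "22"   # assumed parameter name; verify against the rule's docs

  # Optional narrower path: the delivery channel topic also receives every configuration
  # change notification, so this EventBridge rule forwards only NON_COMPLIANT findings
  # of the rule above to the same topic.
  NonCompliantToSns:
    Type: AWS::Events::Rule
    Properties:
      EventPattern:
        source: ["aws.config"]
        detail-type: ["Config Rules Compliance Change"]
        detail:
          configRuleName: [!Ref SshOpenToWorldRule]
          newEvaluationResult:
            complianceType: ["NON_COMPLIANT"]
      Targets:
        - Arn: !Ref SecurityTeamTopicArn
          Id: security-team-topic
```

Deploy with `aws cloudformation deploy --template-file config-ssh-check.yaml --stack-name config-ssh-check --capabilities CAPABILITY_IAM --parameter-overrides ConfigBucketName=... SecurityTeamTopicArn=...` (file and stack names are placeholders). The daily recording frequency is what keeps the notification volume manageable for a workload that scales several times a day, while still surfacing a newly opened port 22 rule well inside the 2-day window; options B and C would record a configuration item for every scaling event.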