nerdexam

SOA-C02 · Question #307

SOA-C02 Question #307: Real Exam Question with Answer & Explanation

The correct answer is D: Use AWS Trusted Advisor to find security groups that allow unrestricted access on port 3389.

Submitted by certguy · Mar 30, 2026 · Security and Compliance

Question

A company needs to view a list of security groups that are open to the internet on port 3389. What should a SysOps administrator do to meet this requirement?

Options

  • A. Configure Amazon GuardDuty to scan security groups and report unrestricted access on port
  • B. Configure a service control policy (SCP) to identify security groups that allow unrestricted
  • C. Use AWS Identity and Access Management Access Analyzer to find any instances that have
  • D. Use AWS Trusted Advisor to find security groups that allow unrestricted access on port 3389.

Explanation

AWS Trusted Advisor includes a built-in security check, "Security Groups – Specific Ports Unrestricted", that lists security groups whose inbound rules allow unrestricted access (a source of 0.0.0.0/0 or ::/0) to commonly attacked ports, including port 3389 (RDP); a sibling check, "Security Groups – Unrestricted Access", flags any unrestricted inbound rule regardless of port. The specific-ports check is one of the core security checks available on every support plan, it covers all Regions in the account, and its result can be read in the Trusted Advisor console or through the Trusted Advisor API, which makes it the direct, purpose-built answer to this requirement. Two caveats a SysOps administrator should keep in mind: the check matches only the all-zero CIDRs, so a rule that admits 0.0.0.0/1 is not reported even though it is nearly as exposed, and it reports on one account at a time unless Trusted Advisor's organizational view is set up.
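As an added example (not from the nerdexam page and not AWS's own code), here is the same check implemented offline in Python over security groups in the shape that boto3's `ec2.describe_security_groups()` returns. It handles the cases a naive `FromPort == 3389` comparison misses: an "all traffic" rule (`IpProtocol` `-1`, which carries no port fields), a port range such as 3000-4000 that happens to cover 3389, and an IPv6 `::/0` source. A `max_prefixlen` knob shows the caveat above: with the default of 0 it behaves like Trusted Advisor and matches only 0.0.0.0/0 and ::/0, while a larger value also reports "almost everything" sources such as 0.0.0.0/1. The group IDs, names and CIDRs in `SAMPLE_GROUPS` are constructed for illustration; `fetch_security_groups()` is the only part that talks to AWS and assumes credentials and a Region are already configured.

```python
"""Offline replica of a Trusted Advisor-style "port open to the internet" check.

Added example, not code from nerdexam or AWS. SAMPLE_GROUPS is constructed
test data in the shape of boto3's ec2.describe_security_groups() output.
"""
import ipaddress


def rule_covers_port(rule, port):
    """True if one IpPermissions entry admits traffic on `port`.

    IpProtocol "-1" means all traffic and has no FromPort/ToPort, so it must
    be handled before the range comparison. ICMP and other protocols have no
    L4 port and never match.
    """
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "udp"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def wide_sources(rule, max_prefixlen=0):
    """Yield the rule's IPv4/IPv6 sources whose prefix is /max_prefixlen or shorter.

    max_prefixlen=0 reproduces the Trusted Advisor behaviour: only 0.0.0.0/0
    and ::/0 count. A value such as 8 also catches sources like 0.0.0.0/1 that
    an exact-match check ignores.
    """
    for r in rule.get("IpRanges", []):
        if ipaddress.ip_network(r["CidrIp"], strict=False).prefixlen <= max_prefixlen:
            yield r["CidrIp"]
    for r in rule.get("Ipv6Ranges", []):
        if ipaddress.ip_network(r["CidrIpv6"], strict=False).prefixlen <= max_prefixlen:
            yield r["CidrIpv6"]


def find_open_groups(security_groups, port=3389, max_prefixlen=0):
    """Return [(GroupId, GroupName, [sources])] for groups exposing `port`.

    Filtering is done rule by rule in code rather than with server-side
    describe-security-groups filters, because those filters are evaluated per
    attribute and can be satisfied by different rules of the same group.
    """
    findings = []
    for sg in security_groups:
        sources = set()
        for rule in sg.get("IpPermissions", []):
            if rule_covers_port(rule, port):
                sources.update(wide_sources(rule, max_prefixlen))
        if sources:
            findings.append((sg["GroupId"], sg["GroupName"], sorted(sources)))
    return findings


def fetch_security_groups(region_name=None):
    """Pull every security group in one Region via boto3 (needs AWS access).

    boto3 is imported lazily so the offline functions work without it. Unlike
    Trusted Advisor, this covers one Region per call.
    """
    import boto3
    ec2 = boto3.client("ec2", region_name=region_name)
    groups = []
    for page in ec2.get_paginator("describe_security_groups").paginate():
        groups.extend(page["SecurityGroups"])
    return groups


# Constructed sample data; IDs and names are made up, 203.0.113.0/24 is a
# documentation range standing in for an office egress prefix.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0111corp", "GroupName": "rdp-from-office",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                        "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-0222open", "GroupName": "rdp-open",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0333all", "GroupName": "allow-all-v6",   # no port fields
     "IpPermissions": [{"IpProtocol": "-1",
                        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0444range", "GroupName": "dev-range",    # range covers 3389
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0555half", "GroupName": "half-internet",  # missed by exact match
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                        "IpRanges": [{"CidrIp": "0.0.0.0/1"}]}]},
    {"GroupId": "sg-0666dns", "GroupName": "public-dns",     # open, but not 3389
     "IpPermissions": [{"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]


if __name__ == "__main__":
    for gid, name, srcs in find_open_groups(SAMPLE_GROUPS):
        print(f"{gid} ({name}) exposes 3389 to {', '.join(srcs)}")
```

Against the sample data the default run reports sg-0222open, sg-0333all and sg-0444range; passing `max_prefixlen=8` adds sg-0555half. To run it against a real account, replace `SAMPLE_GROUPS` with `fetch_security_groups()` and loop over the Regions you care about, or simply read the Trusted Advisor check result, which already aggregates every Region.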

Why the distractors are wrong:

  • A (GuardDuty): GuardDuty is a threat detection service that analyzes logs (CloudTrail, VPC Flow Logs) for malicious activity - it doesn't audit or report on security group configurations.
  • B (SCP): Service Control Policies are preventive controls that restrict what actions can be taken in AWS Organizations accounts; they cannot query or report on existing resource configurations.
  • C (IAM Access Analyzer): Access Analyzer identifies resources (S3 buckets, IAM roles, KMS keys, etc.) shared with external principals - it does not evaluate security group port rules.

Memory tip: Think of Trusted Advisor as your AWS "security checklist reviewer" - when an exam question asks about finding misconfigured security groups (open ports, unrestricted access), Trusted Advisor is almost always the answer, whereas GuardDuty is for detecting active threats.

Topics

#AWS Trusted Advisor #Security Groups #Security Best Practices #Port Scanning
