Free Preparation Discussions
MENU
Amazon SOA-C03 Exam - Topic 4 Question 10 Discussion
Topic #: 4
A company runs applications on Amazon EC2 instances. The company wants to ensure that SSH ports on the EC2 instances are never open. The company has enabled AWS Config and has set up the restricted-ssh AWS managed rule.
A CloudOps engineer must implement a solution to remediate SSH port access for noncompliant security groups.
What should the engineer do to meet this requirement with the MOST operational efficiency?
The AWS Cloud Operations and Governance documentation specifies that AWS Config can be paired with AWS Systems Manager Automation runbooks for automatic remediation of noncompliant resources.
For SSH restrictions, the restricted-ssh managed rule detects any security group allowing inbound traffic on port 22. To automatically remediate these findings, AWS provides the AWS-DisableIncomingSSHOnPort22 runbook. This runbook programmatically removes inbound rules that allow port 22 traffic from affected security groups.
This approach achieves continuous compliance with minimal human intervention. By contrast, sending notifications (Option A) does not enforce remediation, API-based scripts (Option C) add operational overhead, and manual remediation (Option D) violates automation best practices.
Therefore, the most efficient CloudOps solution is Option B, using AWS Config with the AWS-DisableIncomingSSHOnPort22 automation runbook for automatic, scalable enforcement.
Patrick
24 days agoIsidra
29 days agoKenneth
1 month agoAlba
1 month agoVirgina
1 month agoJudy
2 months agoSocorro
2 months agoDelmy
2 months agoTammara
2 months agoJustine
2 months agoParis
3 months agoFanny
3 months ago