A solutions architect must implement an automated compliance control that prohibits security group rules allowing SSH from 0.0.0.0/0. The company must be notified when the policy is breached and needs a solution as soon as possible with the least operational overhead. What should the solutions architect do?
Choose an answer
Tap an option to check your answer.
Correct answer: Enable the restricted-ssh AWS Config managed rule and generate an Amazon Simple Notification Service (Amazon SNS) notification when a noncompliant rule is created..
Why this is the answer
The restricted-ssh AWS Config managed rule directly addresses the requirement to prohibit SSH from 0.0.0.0/0 and can automatically trigger notifications via Amazon SNS when a noncompliant resource is detected. This provides an automated, low-overhead solution. Writing a Lambda script (option 1) would achieve the goal but involves more operational overhead for development, testing, and maintenance compared to using a pre-built AWS Config rule. Creating an IAM role and notifying on its assumption (option 3) does not directly prevent or detect non-compliant security group rules; it only tracks role usage. Configuring an SCP (option 4) can prevent users from creating/editing security groups, but it doesn't specifically detect or notify on existing non-compliant rules, nor does it directly address the "SSH from 0.0.0.0/0" condition.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed