Question #1793
A solutions architect must enforce a compliance policy that prohibits security groups from allowing RDP access from 0.0.0.0/0. The company requires immediate alerts if a security group violates this rule. The solution must be implemented with the LEAST operational overhead.
What should the solutions architect do to meet these requirements?
Develop an AWS Lambda function to scan security groups for RDP rules allowing 0.0.0.0/0 and trigger an Amazon Simple Notification Service (Amazon SNS) alert when such a rule is detected.
Enable the restricted-rdp AWS Config managed rule and configure an Amazon Simple Notification Service (Amazon SNS) topic to send alerts when noncompliant rules are identified.
Create an IAM policy that denies permissions to modify security group rules for RDP and link it to an Amazon SNS topic to notify administrators of unauthorized change attempts.
Implement a service control policy (SCP) blocking non-administrative users from creating or modifying security groups. Integrate a ticketing system to alert administrators when rule changes are requested.
Explanation
Answer B is correct because an AWS Config managed rule evaluates each security group automatically whenever its configuration changes (a change-triggered evaluation against the recorded configuration item), so a rule that opens RDP (TCP 3389) to 0.0.0.0/0 is marked NON_COMPLIANT shortly after it is created. Routing the resulting compliance-change notification to an SNS topic, either through an EventBridge rule on AWS Config compliance-change events or through the SNS topic on the Config delivery channel, gives the required alert with no custom code or infrastructure to maintain, which is what 'least operational overhead' calls for. One caveat on the rule name: in the published AWS Config managed rule list the rule that covers RDP is restricted-common-ports, whose default blocked-port parameters include 3389, while restricted-ssh is the dedicated rule for port 22. Whichever name the exam uses, the intended mechanism is the same: a managed rule plus a notification, not custom scanning code.
Why other options are incorrect:
- A: A custom Lambda scanner re-implements what the managed rule already does and adds code to write, deploy, schedule, and maintain; if it runs on a schedule rather than on change events, it is not immediate either.
- C: An IAM policy can deny the API calls that add such a rule, but it neither evaluates security groups that already exist nor emits alerts. IAM policies are not 'linked' to SNS topics; a denied request only appears as an AccessDenied event in CloudTrail, which would still need something else to turn it into a notification.
- D: An SCP is a preventive guardrail on what principals in member accounts may do; it does not detect existing violations, and a ticketing workflow is neither immediate nor low-overhead.
Key Points:
1. AWS Config managed rules automate compliance checks.
2. The managed rule for unrestricted common ports (3389 for RDP) evaluates each security group when it changes, so findings are near-real-time and cover groups that already exist.
3. Delivering compliance-change notifications to SNS needs only an EventBridge rule (or the Config delivery channel topic), with no custom code to maintain.
Answer
The correct answer is: B
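As an added illustration, not part of the original question and not AWS's own rule implementation, the following Python reproduces offline the decision the managed rule makes. It walks the ingress permissions of security groups in the shape returned by EC2 DescribeSecurityGroups (the same data AWS Config records for a security group) and flags any permission that both covers TCP 3389 and is open to 0.0.0.0/0. The group IDs and sample groups are constructed for the example, and treating ::/0 as equally unrestricted is an assumption of the example. It is useful for seeing why a port range such as 3000-4000 and an all-protocol (-1) rule also count as violations, which a literal reading of 'RDP from 0.0.0.0/0' can miss.

```python
"""Offline reproduction of the 'RDP open to the world' security-group check.

Added example: evaluates dicts in the shape returned by EC2
DescribeSecurityGroups. No AWS calls; the sample groups below are constructed.
"""
from __future__ import annotations

RDP_PORT = 3389
# Assumption for this example: the IPv6 any-address is treated as
# unrestricted just like 0.0.0.0/0.
UNRESTRICTED_CIDRS = {"0.0.0.0/0", "::/0"}


def permission_covers_rdp(perm: dict) -> bool:
    """True if an ingress permission allows TCP 3389 (RDP)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":            # "all traffic": every protocol and port
        return True
    if proto != "tcp":           # RDP is TCP/3389; UDP/ICMP rules are out of scope
        return False
    lo = perm.get("FromPort", 0)            # missing ports on a tcp rule means the whole range
    hi = perm.get("ToPort", 65535)
    return lo <= RDP_PORT <= hi


def permission_is_unrestricted(perm: dict) -> bool:
    """True if the permission's sources include 0.0.0.0/0 or ::/0."""
    sources = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    sources |= {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
    return bool(sources & UNRESTRICTED_CIDRS)


def rdp_violations(sg: dict) -> list[str]:
    """Return one finding per offending ingress permission; empty means compliant.

    Only IpPermissions (ingress) is examined: the policy is about inbound RDP,
    so egress rules (IpPermissionsEgress) are intentionally ignored.
    """
    findings = []
    for perm in sg.get("IpPermissions", []):
        if permission_covers_rdp(perm) and permission_is_unrestricted(perm):
            ports = ("all" if perm.get("IpProtocol") == "-1"
                     else f"{perm.get('FromPort')}-{perm.get('ToPort')}")
            findings.append(f"{sg['GroupId']}: {perm.get('IpProtocol')} {ports} open to the world")
    return findings


def evaluate(groups: list[dict]) -> dict[str, str]:
    """Map each group ID to COMPLIANT / NON_COMPLIANT, mirroring Config's verdicts."""
    return {sg["GroupId"]: ("NON_COMPLIANT" if rdp_violations(sg) else "COMPLIANT")
            for sg in groups}


# Constructed sample input (hypothetical group IDs), one case per edge:
SAMPLE_GROUPS = [
    {   # plain RDP from anywhere: the textbook violation
        "GroupId": "sg-0rdpworld", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {   # RDP restricted to a private range: compliant
        "GroupId": "sg-0rdpcorp", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {   # a wide port range that happens to include 3389, open over IPv6
        "GroupId": "sg-0range", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {   # "all traffic" from anywhere covers RDP too
        "GroupId": "sg-0alltraffic", "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {   # SSH from anywhere: bad, but not what THIS rule checks
        "GroupId": "sg-0ssh", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for group_id, verdict in evaluate(SAMPLE_GROUPS).items():
        print(f"{group_id}: {verdict}")
```

Running the file prints a verdict per sample group. In the recommended solution none of this code is deployed; it exists only to make the managed rule's decision boundary concrete, including the two cases a naive 'port == 3389' check misses (the port range and the all-traffic rule) and the SSH case that belongs to a different rule.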