Which solution meets these requirements with the MOST operational efficiency?
A. Create a recurring Amazon Inspector assessment run that runs every day and uses the Network Reachability package. Create an Amazon CloudWatch rule that invokes an AWS Lambda function when an assessment run starts. Configure the Lambda function to retrieve and evaluate the assessment run report when it completes. Configure the Lambda function also to publish an Amazon Simple Notification Service (Amazon SNS) notification if there are any violations for unrestricted incoming SSH traffic.
B. Use the restricted-ssh AWS Config managed rule that is invoked by security group configuration changes that are not compliant. Use the AWS Config remediation feature to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.
C. Configure VPC Flow Logs for the VPC, and specify an Amazon CloudWatch Logs group. Subscribe the CloudWatch Logs group to an AWS Lambda function that parses new log entries, detects successful connections on port 22, and publishes a notification through Amazon Simple Notification Service (Amazon SNS).
D. Create a recurring Amazon Inspector assessment run that runs every day and uses the Security Best Practices package. Create an Amazon CloudWatch rule that invokes an AWS Lambda function when an assessment run starts. Configure the Lambda function to retrieve and evaluate the assessment run report when it completes. Configure the Lambda function also to publish an Amazon Simple Notification Service (Amazon SNS) notification if there are any violations for unrestricted incoming SSH traffic.
Explanations:
A. While this option involves using Amazon Inspector to assess security group violations, it runs daily assessments and is not truly near-real-time. The Lambda function only processes the report after the assessment is complete, leading to potential delays in notifications.
B. This option uses the restricted-ssh AWS Config managed rule that is triggered by changes to security group configurations. It allows for near-real-time monitoring and alerts administrators immediately when non-compliant changes occur, making it highly efficient.
C. This option relies on VPC Flow Logs to monitor traffic and can detect successful SSH connections, but it does not directly monitor security group violations. Additionally, it may generate false positives for legitimate connections, resulting in potential noise in alerts.
D. Similar to option A, this solution uses Amazon Inspector for periodic assessments, which does not provide near-real-time monitoring. The assessments are conducted daily, and notifications are sent only after the assessments are complete, leading to delays in alerting for security group violations.
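To make concrete what "unrestricted incoming SSH" means for the restricted-ssh check in option B, here is an added example (not AWS's implementation of the managed rule, and not part of the original question) that evaluates security-group ingress rules the way a configuration-change-triggered rule would: a group is NON_COMPLIANT if any TCP rule whose port range covers 22, or any all-protocols rule, admits traffic from 0.0.0.0/0 or ::/0. The sample security groups are constructed in the shape that EC2 DescribeSecurityGroups returns; treating the "-1" (all protocols) case as a violation is this example's assumption.

```python
"""Approximation of the restricted-ssh evaluation over security-group ingress rules."""

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"
SSH_PORT = 22


def permission_allows_unrestricted_ssh(perm: dict) -> bool:
    """True if one IpPermissions entry admits TCP/22 from anywhere (IPv4 or IPv6)."""
    proto = perm.get("IpProtocol")
    if proto not in ("tcp", "-1"):  # "-1" means all protocols (assumed to count)
        return False
    if proto == "tcp":
        # Port range rules (e.g. 0-1024) still expose SSH when they include 22.
        lo = perm.get("FromPort", 0)
        hi = perm.get("ToPort", 65535)
        if not lo <= SSH_PORT <= hi:
            return False
    open_v4 = any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
    open_v6 = any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", []))
    return open_v4 or open_v6


def evaluate_security_group(sg: dict) -> str:
    """Return the AWS Config style compliance verdict for one security group."""
    perms = sg.get("IpPermissions", [])
    violated = any(permission_allows_unrestricted_ssh(p) for p in perms)
    return "NON_COMPLIANT" if violated else "COMPLIANT"


# Constructed sample groups (hypothetical IDs) covering the cases that matter.
OPEN_SSH = {"GroupId": "sg-example-open", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
RANGE_COVERS_SSH = {"GroupId": "sg-example-range", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
RESTRICTED_SSH = {"GroupId": "sg-example-restricted", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]}
HTTPS_ONLY = {"GroupId": "sg-example-https", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}

if __name__ == "__main__":
    for sg in (OPEN_SSH, RANGE_COVERS_SSH, RESTRICTED_SSH, HTTPS_ONLY):
        print(sg["GroupId"], evaluate_security_group(sg))
```

In the option B design this verdict is produced by AWS Config on each configuration change, and the remediation action publishing to SNS fires only on NON_COMPLIANT results.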