Which set of actions should the SysOps administrator take to create a solution?
Create an AWS Config rule to detect noncompliant security groups. Set up automatic remediation to change the 0.0.0.0/0 source address to the approved CIDR block.
Create an IAM policy to deny the creation of security groups that have 0.0.0.0/0 as the source address. Attach this IAM policy to every user in the company.
Create an AWS Lambda function to inspect new and existing security groups. Check for a noncompliant 0.0.0.0/0 source address and change the source address to the approved CIDR block.
Create a service control policy (SCP) for the organizational unit (OU) to deny the creation of security groups that have the 0.0.0.0/0 source address. Set up automatic remediation to change the 0.0.0.0/0 source address to the approved CIDR block.
Explanations:
AWS Config can detect noncompliant security groups with custom rules. Automatic remediation can be set up to change the source address to the approved CIDR block, making this a valid solution.
IAM policies control permissions, but they cannot directly modify security groups or their configurations like restricting the source address. Therefore, this does not meet the requirements.
While an AWS Lambda function can be used to inspect and remediate security groups, this approach would require manual setup and scheduling, which is less efficient and less integrated than an AWS Config rule for automated detection and remediation.
Service Control Policies (SCPs) are used to manage AWS Organizations permissions, but they cannot modify resources like security groups. SCPs prevent actions but cannot automatically change configurations.
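The detection and remediation logic behind the AWS Config approach, as an added example that is not part of the original question set: a custom Config rule (Lambda) evaluates a security group and reports compliance, and a pure function computes the change a remediation action would apply (revoke the 0.0.0.0/0 source, authorize the approved CIDR). It assumes the standard Config custom-rule event shape (`invokingEvent` containing a `configurationItem` with `configuration.ipPermissions`), a hypothetical approved CIDR of 10.0.0.0/16, and a constructed sample security group.

```python
import json

OPEN_CIDR = "0.0.0.0/0"

# Constructed sample configuration item, shaped like what AWS Config delivers
# for an AWS::EC2::SecurityGroup (keys are camelCase in Config's record).
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0example",  # placeholder id, not a real resource
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipRanges": [{"cidrIp": "10.0.0.0/16"}]},
    ]},
}

def open_ingress_rules(sg_configuration):
    """Return the ingress permissions that allow 0.0.0.0/0 as a source."""
    return [perm for perm in sg_configuration.get("ipPermissions", [])
            if any(r.get("cidrIp") == OPEN_CIDR for r in perm.get("ipRanges", []))]

def evaluate(config_item):
    """COMPLIANT unless the security group has an ingress rule open to 0.0.0.0/0."""
    if config_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE"
    return "NON_COMPLIANT" if open_ingress_rules(config_item["configuration"]) else "COMPLIANT"

def remediation_plan(config_item, approved_cidr):
    """Describe the change a remediation action should apply: replace each
    0.0.0.0/0 source with the approved CIDR, keeping protocol and ports intact."""
    plan = []
    for perm in open_ingress_rules(config_item["configuration"]):
        base = {"IpProtocol": perm["ipProtocol"],
                "FromPort": perm.get("fromPort"), "ToPort": perm.get("toPort")}
        plan.append({"revoke": dict(base, CidrIp=OPEN_CIDR),
                     "authorize": dict(base, CidrIp=approved_cidr)})
    return plan

def handler(event, context):
    """Lambda entry point for the custom rule: report the verdict back to AWS Config."""
    import boto3  # imported here so the pure functions above run without AWS access
    item = json.loads(event["invokingEvent"])["configurationItem"]
    boto3.client("config").put_evaluations(
        Evaluations=[{"ComplianceResourceType": item["resourceType"],
                      "ComplianceResourceId": item["resourceId"],
                      "ComplianceType": evaluate(item),
                      "OrderingTimestamp": item["configurationItemCaptureTime"]}],
        ResultToken=event["resultToken"])
```

In a real deployment the `remediation_plan` output corresponds to the revoke/authorize steps an SSM Automation remediation action attached to the Config rule would carry out.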