What should the sysops administrator do to meet these requirements?
Create an IAM managed policy to deny access to ports 22 and 3389 on any security groups in a VPC.
Define an AWS Config rule and remediation action with AWS Systems Manager automation documents.
Enable AWS Trusted Advisor to remediate public port access.
Use AWS Systems Manager configuration compliance to remediate public port access.
Explanations:
Creating an IAM managed policy to deny access to ports 22 and 3389 on any security groups does not directly remediate the security groups themselves. IAM policies control permissions for users and services but do not modify security group configurations. Thus, it does not address the immediate threat posed by the open ports.
Defining an AWS Config rule and remediation action with AWS Systems Manager automation documents is an effective solution. AWS Config can monitor the security groups and automatically apply the necessary changes through Systems Manager automation to close ports 22 and 3389, thereby remediating the threat in an automated fashion.
Enabling AWS Trusted Advisor provides recommendations for improving your AWS environment but does not automatically remediate issues. Trusted Advisor can alert you about security best practices, such as open ports, but does not take action on your behalf to close those ports.
While AWS Systems Manager configuration compliance can help manage configurations, it does not directly address open ports in security groups. It is focused on reporting compliance with predefined configurations rather than actively remediating security group settings.
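As an added illustration of the Config rule plus Systems Manager remediation approach described above (this template is not part of the question source), the following CloudFormation fragment pairs the managed rule RESTRICTED_INCOMING_TRAFFIC, parameterised for ports 22 and 3389, with the AWS-DisablePublicAccessForSecurityGroup Automation document. It assumes the AWS Config recorder is already enabled in the account and that an IAM role the Automation can assume to revoke ingress rules exists; its ARN is passed in as the placeholder parameter RemediationRoleArn.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example: flag security groups that allow unrestricted inbound
  TCP 22/3389 and automatically revoke those rules via SSM Automation.

Parameters:
  RemediationRoleArn:
    Type: String
    Description: Placeholder. Role SSM Automation assumes to call ec2:RevokeSecurityGroupIngress.

Resources:
  # Managed rule: a security group is NON_COMPLIANT when it allows 0.0.0.0/0
  # (or ::/0) inbound to either of the listed ports.
  RestrictedPortsRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: restricted-ssh-rdp-ingress
      Source:
        Owner: AWS
        SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC
      InputParameters:
        blockedPort1: "22"
        blockedPort2: "3389"
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::SecurityGroup

  # Remediation: Config passes the non-compliant group's ID to the Automation
  # document, which removes the public 22/3389 ingress rules from that group.
  RestrictedPortsRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref RestrictedPortsRule
      TargetType: SSM_DOCUMENT
      TargetId: AWS-DisablePublicAccessForSecurityGroup
      Automatic: true
      MaximumAutomaticAttempts: 3
      RetryAttemptSeconds: 60
      Parameters:
        GroupId:
          ResourceValue:
            Value: RESOURCE_ID
        IpAddressToBlock:
          StaticValue:
            Values:
              - "0.0.0.0/0"
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !Ref RemediationRoleArn
```

After deployment, the Config console shows each offending security group flip from NON_COMPLIANT to COMPLIANT once the Automation run completes, and the Automation execution history in Systems Manager records which ingress rules were revoked.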