What should the DevOps engineer do next to meet these requirements?

By:
In: DOP-C02
Tagged:
With: 1 Comment
A company uses a single AWS account to test applications on Amazon EC2 instances.The company has turned on AWS Config in the AWS account and has activated the restricted-ssh AWS Config managed rule.The company needs an automated monitoring solution that will provide a customized notification in real time if any security group in the account is not compliant with the restricted-ssh rule.The customized notification must contain the name and ID of the noncompliant security group.A DevOps engineer creates an Amazon Simple Notification Service (Amazon SNS) topic in the account and subscribes the appropriate personnel to the topic.

What should the DevOps engineer do next to meet these requirements?

Create an Amazon EventBridge rule that matches an AWS Config evaluation result of NON_COMPLIANT for the restricted-ssh rule. Configure an input transformer for the EventBridge rule. Configure the EventBridge rule to publish a notification to the SNS topic.

Configure AWS Config to send all evaluation results for the restricted-ssh rule to the SNS topic. Configure a filter policy on the SNS topic to send only notifications that contain the text of NON_COMPLIANT in the notification to subscribers.

Create an Amazon EventBridge rule that matches an AWS Config evaluation result of NON_COMPLIANT for the restricted-ssh rule. Configure the EventBridge rule to invoke AWS Systems Manager Run Command on the SNS topic to customize a notification and to publish the notification to the SNS topic.

Create an Amazon EventBridge rule that matches all AWS Config evaluation results of NON_COMPLIANT. Configure an input transformer for the restricted-ssh rule. Configure the EventBridge rule to publish a notification to the SNS topic.

Explanations:

This option correctly creates an EventBridge rule that matches the NON_COMPLIANT evaluation results specifically for the restricted-ssh rule. The input transformer allows for customization of the message content, ensuring that the notification includes the name and ID of the noncompliant security group before publishing to the SNS topic.

This option suggests configuring AWS Config to send all evaluation results directly to the SNS topic. However, it does not provide a way to customize the notification or filter for only the NON_COMPLIANT results, which is necessary to meet the requirement of including specific details about the noncompliant security group.

This option creates an EventBridge rule but incorrectly involves invoking AWS Systems Manager Run Command, which is not necessary for simply publishing a notification. The requirement is to send a customized notification directly to the SNS topic based on the evaluation result, not to execute a command.

While this option creates an EventBridge rule for all NON_COMPLIANT evaluation results, it does not specify that it should filter for the restricted-ssh rule. The lack of an input transformer to customize the message also means it would not provide the necessary details about the noncompliant security group.

2025-10-11

1 Comment

  1. Teresa
    Author

    I rank that the answer is:
    Create an Amazon EventBridge rule that matches an AWS Config evaluation result of NON_COMPLIANT for the restricted-ssh rule. Configure an input transformer for the EventBridge rule. Configure the EventBridge rule to publish a notification to the SNS topic.

Leave a Reply

Your email address will not be published. Required fields are marked *

2 × 2 =