What should a DevOps engineer do to meet this requirement?
Create an Amazon EventBridge rule with a source of aws.cloudtrail and the event name AuthorizeSecurityGroupIngress. Define an Amazon Simple Notification Service (Amazon SNS) topic as the target.
Enable Amazon GuardDuty and check the findings for security groups in AWS Security Hub. Configure an Amazon EventBridge rule with a custom pattern that matches GuardDuty events with an output of NON_COMPLIANT. Define an Amazon Simple Notification Service (Amazon SNS) topic as the target.
Create an AWS Config rule by using the restricted-ssh managed rule to check whether security groups disallow unrestricted incoming SSH traffic. Configure automatic remediation to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.
Enable Amazon Inspector. Include the Common Vulnerabilities and Exposures-1.1 rules package to check the security groups that are associated with the bastion hosts. Configure Amazon Inspector to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.
Explanations:
An EventBridge rule with the specified event name will trigger for any change to a security group's inbound rules, but it won't specifically detect unrestricted SSH access from any IP; additional filtering logic on the event content would be needed.
GuardDuty primarily monitors for malicious activity and unauthorized behavior, not for compliance with specific security group configurations. Using AWS Security Hub here is also unnecessary for this requirement.
AWS Config provides a managed rule (restricted-ssh) specifically designed to detect unrestricted incoming SSH access. When a security group is evaluated as NON_COMPLIANT, the rule's automatic remediation can publish a message to an SNS topic, meeting the requirement effectively.
Amazon Inspector is intended for finding vulnerabilities and does not monitor security group configurations or changes. Using it here is not appropriate for the stated requirement.
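As an added illustration of the correct option (this is example code written here, not taken from the question source), the following CloudFormation template creates the restricted-ssh managed rule and attaches an automatic remediation that publishes to SNS instead of changing the security group. It assumes an AWS Config recorder is already enabled in the account, and that the SNS topic and an IAM role the SSM Automation document can assume (with sns:Publish on that topic) already exist and are passed in as parameters.

```yaml
Parameters:
  AlertTopicArn:
    Type: String
    Description: ARN of the existing SNS topic that receives compliance alerts (assumed to exist)
  RemediationRoleArn:
    Type: String
    Description: Existing IAM role assumed by SSM Automation; needs sns:Publish on the topic (assumed to exist)

Resources:
  # Managed rule backed by the INCOMING_SSH_DISABLED source identifier. A security
  # group is NON_COMPLIANT when any inbound rule allows TCP/22 from 0.0.0.0/0 or ::/0.
  RestrictedSshRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: restricted-ssh
      Source:
        Owner: AWS
        SourceIdentifier: INCOMING_SSH_DISABLED
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::SecurityGroup

  # Automatic remediation: run the AWS-PublishSNSNotification automation document
  # for every NON_COMPLIANT evaluation, so the team is notified rather than the
  # group being silently modified.
  RestrictedSshNotify:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref RestrictedSshRule
      TargetType: SSM_DOCUMENT
      TargetId: AWS-PublishSNSNotification
      Automatic: true
      MaximumAutomaticAttempts: 3   # required when Automatic is true
      RetryAttemptSeconds: 60
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !Ref RemediationRoleArn
        TopicArn:
          StaticValue:
            Values:
              - !Ref AlertTopicArn
        Message:
          StaticValue:
            Values:
              - "AWS Config restricted-ssh: a security group allows unrestricted inbound SSH (port 22 open to the world). Review the NON_COMPLIANT resources in AWS Config."
```

The remediation fires on the Config evaluation result, so it also catches groups that were already open before the rule was created, which a CloudTrail-driven EventBridge rule would miss.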