What should a DevOps engineer do to meet this requirement?
Create an Amazon EventBridge (Amazon CloudWatch Events) rule with a source of aws.cloudtrail and the event name AuthorizeSecurityGroupIngress. Define an Amazon Simple Notification Service (Amazon SNS) topic as the target.
Enable Amazon GuardDuty and check the findings for security group in AWS Security Hub. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule with a custom pattern that matches GuardDuty events with an output of NON_COMPLIANT. Define an Amazon Simple Notification Service (Amazon SNS) topic as the target.
Create an AWS Config rule by using the restricted-ssh managed rule to check whether security groups disallow unrestricted incoming SSH traffic. Configure automatic remediation to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.
Enable Amazon Inspector. Include the Common Vulnerabilities and Exposures-1.1 rules package to check the security groups that are associated with the bastion hosts. Configure Amazon Inspector to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.
Explanations:
While creating an Amazon EventBridge rule to monitor AWS CloudTrail events is a valid approach, it does not specifically enforce the restriction. It would notify on any modification of security group rules but might not be immediate enough or specific to unrestricted SSH access. Additionally, it does not use AWS Config, which is better suited for compliance and rules management.
Amazon GuardDuty is primarily used for threat detection and not specifically for monitoring compliance of security group rules. While you can get findings related to security, it does not directly address the requirement to notify on specific rule changes regarding SSH access. This method is more reactive rather than proactive in ensuring security compliance.
AWS Config rules allow for monitoring and evaluating the configuration of AWS resources. The managed rule for restricted SSH checks whether security groups allow unrestricted incoming SSH traffic. This setup enables proactive monitoring and can trigger notifications via Amazon SNS for any non-compliance, meeting the requirement effectively.
Amazon Inspector is focused on assessing the security of applications rather than monitoring AWS resource configurations like security groups. Although it helps identify vulnerabilities, it is not specifically designed to alert on changes to security group rules and does not provide the required notification system for specific configuration changes related to SSH access.
I reckon the answer is:
Create an AWS Config rule by using the restricted-ssh managed rule to check whether security groups disallow unrestricted incoming SSH traffic. Configure automatic remediation to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.