What should a SysOps administrator do to meet this requirement?
Configure Amazon GuardDuty to scan security groups and report unrestricted access on port 3389.
Configure a service control policy (SCP) to identify security groups that allow unrestricted access on port 3389.
Use AWS Identity and Access Management Access Analyzer to find any instances that have unrestricted access on port 3389.
Use AWS Trusted Advisor to find security groups that allow unrestricted access on port 3389.
Explanations:
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior, but it does not specifically scan or report on security groups or their configurations regarding unrestricted access on port 3389.
Service Control Policies (SCPs) set the maximum permissions available to accounts in an AWS Organization; they are a permissions guardrail, not an inspection tool, and cannot identify or report on specific security groups and their open ports. They are not suited for this task.
AWS Identity and Access Management (IAM) Access Analyzer is designed to analyze policies and permissions, but it does not focus specifically on network configurations such as security groups or ports, making it unsuitable for identifying unrestricted access on port 3389.
AWS Trusted Advisor includes a “Security” category with a check that specifically flags security groups allowing unrestricted access (0.0.0.0/0) to critical ports, including port 3389, letting administrators quickly identify overly permissive rules in their security group settings.
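The same condition Trusted Advisor's check flags can be verified locally, for example in an audit script or a unit test of a deployment tool. The following is an added example, not code from the page or from AWS: it walks security groups in the shape returned by EC2 DescribeSecurityGroups (boto3's `ec2.describe_security_groups()["SecurityGroups"]`) and reports groups whose ingress rules cover port 3389 from 0.0.0.0/0 or ::/0. The sample data is constructed; the group IDs are not real.

```python
from ipaddress import ip_network

RDP_PORT = 3389


def _is_unrestricted(cidr: str) -> bool:
    """True when the CIDR covers the whole address space (0.0.0.0/0 or ::/0)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def _covers_port(rule: dict, port: int) -> bool:
    """Does one IpPermissions entry cover `port`? IpProtocol -1 means all traffic."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6", "udp", "17"):
        return False  # ICMP and other protocols carry no port range
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def find_open_rdp_groups(security_groups: list, port: int = RDP_PORT) -> list:
    """Return IDs of groups with an ingress rule allowing `port` from any IPv4/IPv6 source."""
    flagged = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            if not _covers_port(rule, port):
                continue
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            if any(_is_unrestricted(c) for c in cidrs):
                flagged.append(sg["GroupId"])
                break  # one offending rule is enough to report the group
    return flagged


# Constructed sample data in the DescribeSecurityGroups response shape (not real groups).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},       # RDP open to the world
    {"GroupId": "sg-0bbb", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
        "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},      # RDP from a private range only
    {"GroupId": "sg-0ccc", "IpPermissions": [{"IpProtocol": "-1",
        "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},          # all traffic from any IPv6
    {"GroupId": "sg-0ddd", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},       # wide port range covering 3389
]

if __name__ == "__main__":
    print(find_open_rdp_groups(SAMPLE_GROUPS))  # ['sg-0aaa', 'sg-0ccc', 'sg-0ddd']
```

Port ranges and all-traffic rules are flagged as well, since a rule need not name 3389 explicitly to expose it.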