What should the DevOps engineer do next to meet the requirements?

By:
In: DOP-C02
Tagged:
With: 1 Comment
A company’s developers use Amazon EC2 instances as remote workstations.The company is concerned that users can create or modify EC2 security groups to allow unrestricted inbound access.A DevOps engineer needs to develop a solution to detect when users create unrestricted security group rules.The solution must detect changes to security group rules in near real time, remove unrestricted rules, and send email notifications to the security team.The DevOps engineer has created an AWS Lambda function that checks for security group ID from input, removes rules that grant unrestricted access, and sends notifications through Amazon Simple Notification Service (Amazon SNS).

What should the DevOps engineer do next to meet the requirements?

Configure the Lambda function to be invoked by the SNS topic. Create an AWS CloudTrail subscription for the SNS topic. Configure a subscription filter for security group modification events.

Create an Amazon EventBridge scheduled rule to invoke the Lambda function. Define a schedule pattern that runs the Lambda function every hour.

Create an Amazon EventBridge event rule that has the default event bus as the source. Define the rule’s event pattern to match EC2 security group creation and modification events. Configure the rule to invoke the Lambda function.

Create an Amazon EventBridge custom event bus that subscribes to events from all AWS services. Configure the Lambda function to be invoked by the custom event bus.

Explanations:

While using SNS can facilitate notifications, configuring a CloudTrail subscription for SNS is not the right approach for detecting security group modifications. CloudTrail records events, but it cannot directly invoke a Lambda function based on SNS notifications. Additionally, the requirement is to respond to changes in near real-time, which this option does not achieve.

Creating a scheduled rule to invoke the Lambda function every hour does not meet the requirement for near real-time detection. This approach introduces delays in identifying and remediating unrestricted security group rules, which goes against the need for timely action upon rule creation or modification.

This option correctly sets up an EventBridge event rule to listen for EC2 security group creation and modification events. When such an event is detected, it will invoke the Lambda function, which can then check for and remove unrestricted rules and send notifications. This approach aligns perfectly with the requirements of near real-time detection and remediation.

While using a custom event bus could allow for a broader range of event capture, it is unnecessary for this specific use case. The default event bus already supports the required EC2 events. This option adds unnecessary complexity and does not provide a more effective solution than option C for the requirements stated.

2025-10-17

1 Comment

  1. Maria
    Author

    I systematize that the answer is:
    Create an Amazon EventBridge event rule that has the default event bus as the source. Define the rule’s event pattern to match EC2 security group creation and modification events. Configure the rule to invoke the Lambda function.

Leave a Reply

Your email address will not be published. Required fields are marked *

fifteen − five =