What should the DevOps engineer do next to meet these requirements?
A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that matches an AWS Config evaluation result of NON_COMPLIANT for the restricted-ssh rule. Configure an input transformer for the EventBridge (CloudWatch Events) rule. Configure the EventBridge (CloudWatch Events) rule to publish a notification to the SNS topic.
B. Configure AWS Config to send all evaluation results for the restricted-ssh rule to the SNS topic. Configure a filter policy on the SNS topic to send only notifications that contain the text of NON_COMPLIANT in the notification to subscribers.
C. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that matches an AWS Config evaluation result of NON_COMPLIANT for the restricted-ssh rule. Configure the EventBridge (CloudWatch Events) rule to invoke AWS Systems Manager Run Command on the SNS topic to customize a notification and to publish the notification to the SNS topic.
D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that matches all AWS Config evaluation results of NON_COMPLIANT. Configure an input transformer for the restricted-ssh rule. Configure the EventBridge (CloudWatch Events) rule to publish a notification to the SNS topic.
Explanations:
A. This option creates an EventBridge rule that matches AWS Config evaluation results of NON_COMPLIANT for the restricted-ssh rule only. The input transformer allows the message to be customized, including the name and ID of the noncompliant security group, so the notification published to the SNS topic is tailored to the finding.
B. This option suggests configuring AWS Config to send evaluation results directly to the SNS topic. However, AWS Config cannot directly send the results of the restricted-ssh rule to an SNS topic, and this approach does not provide the required customization and filtering of noncompliant security groups.
C. While this option creates an EventBridge rule for NON_COMPLIANT evaluations, invoking AWS Systems Manager Run Command to customize the notification is unnecessary. EventBridge alone, through its input transformer, can handle the customization without Run Command.
D. This option incorrectly applies the EventBridge rule to all AWS Config evaluations of NON_COMPLIANT rather than specifically to the restricted-ssh rule. Additionally, it lacks an input transformer on the EventBridge rule for customizing the message to include details such as the name and ID of the noncompliant security group.
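To make the difference between the options concrete, the following added example (not part of the original question or of any AWS code) models the design from option A: an event pattern scoped to NON_COMPLIANT results of the restricted-ssh rule, and an input transformer that pulls the security group ID, region and rule name into the SNS message. The pattern matcher and JSONPath handling are simplified stand-ins for what EventBridge does, and the sample event is constructed in the shape of a Config Rules Compliance Change event.

```python
from typing import Any, Optional

# Rule event pattern: only NON_COMPLIANT results of restricted-ssh match.
EVENT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {"configRuleName": ["restricted-ssh"],
               "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]}},
}
# Input transformer: JSONPath lookups plus a template with <placeholder> tokens.
INPUT_PATHS_MAP = {"sg": "$.detail.resourceId", "rule": "$.detail.configRuleName",
                   "region": "$.detail.awsRegion"}
INPUT_TEMPLATE = "Security group <sg> in <region> is NON_COMPLIANT with rule <rule>"
# Constructed sample event in the shape of a Config compliance change event.
SAMPLE_EVENT = {
    "source": "aws.config",
    "detail-type": "Config Rules Compliance Change",
    "detail": {"resourceId": "sg-0123456789abcdef0", "awsRegion": "us-east-1",
               "configRuleName": "restricted-ssh",
               "newEvaluationResult": {"complianceType": "NON_COMPLIANT"}},
}

def matches(pattern: dict, event: dict) -> bool:
    """Simplified exact-match semantics: every pattern key must exist in the
    event, a list is the set of allowed values, a nested dict recurses."""
    for key, want in pattern.items():
        if key not in event:
            return False
        if isinstance(want, dict):
            if not isinstance(event[key], dict) or not matches(want, event[key]):
                return False
        elif event[key] not in want:
            return False
    return True

def transform(event: dict) -> str:
    """Render the SNS message: resolve each simple JSONPath ($.a.b) and
    substitute its value for the matching <placeholder> in the template."""
    msg = INPUT_TEMPLATE
    for name, path in INPUT_PATHS_MAP.items():
        node: Any = event
        for part in path.lstrip("$.").split("."):
            node = node[part]
        msg = msg.replace(f"<{name}>", str(node))
    return msg

def route(event: dict) -> Optional[str]:
    """Notification text for a matching event, None when the rule drops it."""
    return transform(event) if matches(EVENT_PATTERN, event) else None
```

Widening the pattern to match every rule (option D) would be the same code with the configRuleName entry removed, which is why that option floods the topic with unrelated findings.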