What should the solutions architect do to meet these requirements with the LEAST operational overhead?
Write an AWS Lambda script that monitors security groups for SSH being open to 0.0.0.0/0 addresses and creates a notification every time it finds one.
Enable the restricted-ssh AWS Config managed rule and generate an Amazon Simple Notification Service (Amazon SNS) notification when a noncompliant rule is created.
Create an IAM role with permissions to globally open security groups and network ACLs. Create an Amazon Simple Notification Service (Amazon SNS) topic to generate a notification every time the role is assumed by a user.
Configure a service control policy (SCP) that prevents non-administrative users from creating or editing security groups. Create a notification in the ticketing system when a user requests a rule that needs administrator permissions.
Explanations:
This approach involves writing custom AWS Lambda code to monitor security groups, which introduces operational overhead in terms of code maintenance and potential failure points. This is not the least operationally intensive solution.
The restricted-ssh AWS Config managed rule automatically detects security groups with SSH open to 0.0.0.0/0 and can trigger an Amazon SNS notification. This solution is fully managed, requires minimal setup, and automates compliance monitoring with minimal operational overhead.
Creating an IAM role with permissions to open security groups does not directly address the compliance requirement of detecting SSH access to 0.0.0.0/0. Moreover, this option doesn’t automate the monitoring or notification process for breaches in security group settings.
Service control policies (SCPs) restrict permissions for non-administrative users but do not address monitoring or notifying when SSH is open to 0.0.0.0/0. This option is focused on controlling permissions, not detecting or notifying on security group settings.
I infer that the answer is:
Enable the restricted-ssh AWS Config managed rule and generate an Amazon Simple Notification Service (Amazon SNS) notification when a noncompliant rule is created.
I believe the answer is:
Enable the restricted-ssh AWS Config managed rule and generate an Amazon Simple Notification Service (Amazon SNS) notification when a noncompliant rule is created.