Which combination of actions should a SysOps administrator take to meet these requirements?
(Choose two.)
Add an Amazon CloudWatch alarm to detect the security groups that allow SSH.
Add an AWS Config rule to detect the security groups that allow SSH.
Add an assessment template to Amazon Inspector to detect the security groups that allow SSH.
Call an AWS Systems Manager Automation runbook to close the port.
Call AWS Systems Manager Run Command to close the port.
Explanations:
CloudWatch alarms are useful for monitoring metrics but are not directly suited to detecting changes in security groups or ensuring SSH is open. It would not be a direct method to monitor security groups for SSH access.
AWS Config rules can be used to continuously evaluate the configuration of resources, including security groups, to detect specific settings like SSH being open to the public.
Amazon Inspector is a security assessment service, but it does not specifically monitor or enforce security group rules like allowing SSH. It focuses more on vulnerabilities in applications and operating systems.
AWS Systems Manager Automation runbooks can be used to automate the process of remediating misconfigurations, such as closing open SSH ports in security groups.
AWS Systems Manager Run Command can be used to run commands on EC2 instances, but it cannot directly modify security groups. It is not the right tool to close ports in security groups.
I sort that the answer is:
Add an AWS Config rule to detect the security groups that allow SSH.
I figure that the answer is:
Add an AWS Config rule to detect the security groups that allow SSH.