Which set of actions should the SysOps administrator take to create a solution?

By:
In: SOA-C02
Tagged:
With: 2 Comments
A company wants to create an automated solution for all accounts managed by AWS Organizations to detect any security groups that use 0.0.0.0/0 as the source address for inbound traffic.The company also wants to automatically remediate any noncompliant security groups by restricting access to a specific CIDR block that corresponds with the company’s intranet.

Which set of actions should the SysOps administrator take to create a solution?

Create an AWS Config rule to detect noncompliant security groups. Set up automatic remediation to change the 0.0.0.0/0 source address to the approved CIDR block.

Create an IAM policy to deny the creation of security groups that have 0.0.0.0/0 as the source address. Attach this IAM policy to every user in the company.

Create an AWS Lambda function to inspect new and existing security groups. Check for a noncompliant 0.0.0.0/0 source address and change the source address to the approved CIDR block.

Create a service control policy (SCP) for the organizational unit (OU) to deny the creation of security groups that have the 0.0.0.0/0 source address. Set up automatic remediation to change the 0.0.0.0/0 source address to the approved CIDR block.

Explanations:

AWS Config can detect noncompliant security groups with custom rules. Automatic remediation can be set up to change the source address to the approved CIDR block, making this a valid solution.

IAM policies control permissions, but they cannot directly modify security groups or their configurations like restricting the source address. Therefore, this does not meet the requirements.

While an AWS Lambda function can be used to inspect and remediate security groups, this approach would require manual setup and scheduling, which is less efficient and less integrated than an AWS Config rule for automated detection and remediation.

Service Control Policies (SCPs) are used to manage AWS Organizations permissions, but they cannot modify resources like security groups. SCPs prevent actions but cannot automatically change configurations.

2026-03-22

2 Comments

  1. Bryan
    Author

    I opine that the answer is:
    Create an AWS Config rule to detect noncompliant security groups. Set up automatic remediation to change the 0.0.0.0/0 source address to the approved CIDR block.

  2. Lisa
    Author

    It appears that the answer is:
    Create an AWS Config rule to detect noncompliant security groups. Set up automatic remediation to change the 0.0.0.0/0 source address to the approved CIDR block.

Leave a Reply to Lisa Cancel reply

Your email address will not be published. Required fields are marked *

17 − fourteen =