Which solution will meet these requirements?
A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that invokes an AWS Lambda function when a security group changes. Configure the Lambda function to evaluate the security group for compliance, remove all inbound security group rules on all ports, and notify the SysOps team if the security group is noncompliant.
B. Create an AWS CloudTrail metric filter for security group changes. Create an Amazon CloudWatch alarm to notify the SysOps team through an Amazon Simple Notification Service (Amazon SNS) topic when the metric is greater than 0. Subscribe an AWS Lambda function to the SNS topic to remediate the security group rule by removing the rule.
C. Activate the AWS Config restricted-ssh managed rule. Add automatic remediation to the AWS Config rule by using the AWS Systems Manager Automation AWS-DisablePublicAccessForSecurityGroup runbook. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to notify the SysOps team when the rule is noncompliant.
D. Create an AWS CloudTrail metric filter for security group changes. Create an Amazon CloudWatch alarm for when the metric is greater than 0. Add an AWS Systems Manager action to the CloudWatch alarm to suspend the security group by using the Systems Manager Automation AWS-DisablePublicAccessForSecurityGroup runbook when the alarm is in ALARM state. Add an Amazon Simple Notification Service (Amazon SNS) topic as a second target to notify the SysOps team.
Explanations:
A. While EventBridge can trigger Lambda when security groups change, the Lambda function in this option removes all inbound security group rules, which is overly broad and would potentially disrupt legitimate security group configurations. Additionally, it does not provide automatic remediation specific to SSH rules or notify the SysOps team effectively.
B. CloudTrail and CloudWatch alarms can detect changes, but this solution lacks a precise mechanism to identify violations of the SSH rule specifically. Moreover, automatically removing rules might not be the best remediation strategy, as it doesn’t target the specific noncompliant rule (e.g., SSH from all IPs) or ensure the proper handling of other valid security group settings.
C. AWS Config provides a managed rule for restricted SSH access, which is specifically designed for this use case. It can automatically remediate noncompliance using the AWS-DisablePublicAccessForSecurityGroup runbook, and EventBridge can notify the SysOps team of any violations. This solution addresses the requirement effectively and automates both compliance checks and remediation.
D. While this solution uses CloudTrail, CloudWatch, and Systems Manager for remediation, it relies on a manual suspension of security groups using Systems Manager, which is not as specific as the automatic remediation provided by AWS Config. It also does not focus on the precise violation related to SSH access, potentially leading to over- or under-remediation.
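As an added example that is not part of this question set or of any AWS code, the check below mirrors the condition the AWS Config restricted-ssh managed rule reports on (inbound TCP/22, or all traffic, reachable from 0.0.0.0/0 or ::/0) and shows why it is more precise than removing every inbound rule: only the offending source is flagged. The security group records are constructed in the EC2 DescribeSecurityGroups shape; the group IDs and rules are made up.

```python
"""Evaluate EC2 security groups for unrestricted inbound SSH, mirroring the
condition the AWS Config 'restricted-ssh' managed rule reports on: NON_COMPLIANT
if any inbound rule allows TCP/22 (or all traffic) from 0.0.0.0/0 or ::/0."""
from ipaddress import ip_network

SSH_PORT = 22

def _rule_covers_ssh(perm: dict) -> bool:
    """True if the IpPermissions entry includes TCP/22 ("-1" means all traffic)."""
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)

def _open_sources(perm: dict) -> list[str]:
    """IPv4/IPv6 CIDRs on the rule that match every address (prefix length 0)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ip_network(c, strict=False).prefixlen == 0]

def find_noncompliant_ssh_rules(group: dict) -> list[dict]:
    """One finding per unrestricted SSH source; unrelated rules are not touched."""
    return [{"GroupId": group["GroupId"], "IpProtocol": p["IpProtocol"], "Source": cidr}
            for p in group.get("IpPermissions", []) if _rule_covers_ssh(p)
            for cidr in _open_sources(p)]

def evaluate(groups: list[dict]) -> dict[str, str]:
    """Map each GroupId to the compliance type Config would record for it."""
    return {g["GroupId"]: "NON_COMPLIANT" if find_noncompliant_ssh_rules(g) else "COMPLIANT"
            for g in groups}

def _perm(proto: str, v4=(), v6=(), **ports) -> dict:
    """Build a constructed IpPermissions entry (DescribeSecurityGroups shape)."""
    return {"IpProtocol": proto, "IpRanges": [{"CidrIp": c} for c in v4],
            "Ipv6Ranges": [{"CidrIpv6": c} for c in v6], **ports}

# Constructed sample records (not real groups): SSH from anywhere, SSH from a
# private range, a port range containing 22 open over IPv6, and all traffic open.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [_perm("tcp", v4=["0.0.0.0/0"], FromPort=22, ToPort=22)]},
    {"GroupId": "sg-0bbb", "IpPermissions": [_perm("tcp", v4=["10.0.0.0/8"], FromPort=22, ToPort=22)]},
    {"GroupId": "sg-0ccc", "IpPermissions": [_perm("tcp", v6=["::/0"], FromPort=20, ToPort=25)]},
    {"GroupId": "sg-0ddd", "IpPermissions": [_perm("-1", v4=["0.0.0.0/0"])]},
]
```

The `evaluate` result is the per-resource verdict Config would publish, which is what an EventBridge rule on compliance-change events would fire on to notify the SysOps team.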