AWS Compliance: Notifying Admin for Unrestricted SSH Access | Cloud Practitioner Exam

Achieving Compliance Requirement for Immediate Admin Notification

Question

I have a compliance requirement for my application, stating that unrestricted SSH access to anyEC2 instance needs to be immediately notified to an admin.

Which services can I use to achieve the requirement?

Answers

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Answer: D.

Both AWS Inspector & AWS Config can scan EC2 instances, access their network exposure, and then integrate with Amazon SNS to send notifications.

Trusted Advisor also can check for overly permissive access of EC2 instances.

Still, the notifications can be performed by monitoring the Trusted Advisor check results with AWS CloudWatch events that can use specific targets like Lambda, SNS etc.

Option A is incorrect.

Trusted Advisor results cannot be directly configured with SNS.

They need to be monitored using CloudWatch events.

Option B is incorrect.

For the given scenario, both AWS Config & AWS Inspector can be configured to send notifications to SNS when a compliance breach is observed.

Option C is incorrect.

The same explanation is given in Option.

B.Option D is CORRECT.

The Network Reachability rules package recently released for AWS Inspector helps analyze Amazon VPC network configuration to determine whether an EC2 instance can be reached from external networks like the Internet.

It does it by analyzing network configurations like Security Groups, NACL's, Route tables etc...The assessment that is run, its security findings can be published to an SNS topic.

AWS Config's Configuration Streams can be configured with resources like Amazon SNS.

Within AWS Config, you can configure Managed rules or Custom rules that can detect compliance violations & use the configuration stream for sending notifications.

Diagrams:

References:

https://aws.amazon.com/blogs/security/amazon-inspector-assess-network-exposure-ec2-instances-aws-network-reachability-assessments/ https://aws.amazon.com/blogs/security/how-to-remediate-amazon-inspector-security-findings-automatically/ https://aws.amazon.com/blogs/aws/trusted-advisor-console-basic/ https://docs.aws.amazon.com/awssupport/latest/user/cloudwatch-events-ta.html
p

Le
“eee Final Stage-
‘~_ Launch Lambda
AWS
CodePipeline

InspectorScanOutputEC2
Or Artifacts

Amazon
EC2

Amazon
Inspector

RemediateTerminateOrStop

The correct answer is option D. Both AWS Inspector and AWS Config can be used in combination with Amazon SNS to achieve the compliance requirement of immediate notification to an admin when unrestricted SSH access is granted to any EC2 instance.

Here is an explanation of each service and how they can be used to meet the requirement:

  1. AWS Inspector: It is a service that automatically assesses applications for vulnerabilities or deviations from best practices. It provides security assessments that help you test your applications and infrastructure for security issues. You can use AWS Inspector to set up rules packages that detect when SSH access is unrestricted to an EC2 instance. When a violation of the rule package is detected, Inspector generates a finding and sends it to AWS Config.

  2. AWS Config: It is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config continuously monitors and records the configurations of your resources, and provides you with a detailed inventory of the resources in your account, as well as the relationships between them. You can use AWS Config to create a rule that triggers an SNS notification whenever a new EC2 instance is launched with unrestricted SSH access.

  3. Amazon SNS: It is a fully managed notification service that lets you send messages or notifications from your applications or services to multiple recipients. You can use SNS to send an email or SMS message to an admin when a violation is detected by Inspector or AWS Config.

Therefore, using AWS Inspector and AWS Config in combination with Amazon SNS, you can achieve the compliance requirement of immediately notifying an admin when unrestricted SSH access is granted to any EC2 instance.