Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Site Reliability Engineer.
For SOA-C02 candidates, the confusion often lies in choosing the best combination of managed rules and automation tools for security compliance. In production, this is about knowing exactly how to integrate AWS Config with Systems Manager Automation to both detect and auto-remediate noncompliant security groups. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
DataWave Technologies manages cloud infrastructure for global clients and must comply with strict security controls. One compliance mandate prohibits any security groups from allowing SSH (port 22) from broadly opened IP addresses (0.0.0.0/0 or ::/0). The SysOps team needs an automated solution that will immediately notify them when such a risky rule is introduced and automatically remediate it by disabling or removing the insecure rule.
The Requirement: #
Implement a solution that continuously monitors security group rules for SSH exposure, alerts the SysOps team upon violation, and automatically remediates the insecure rules without manual intervention.
The Options #
- A) Create an Amazon EventBridge rule triggered on security group changes, invoke a Lambda function that evaluates compliance, removes all inbound rules from all ports if noncompliant, and notifies the SysOps team.
- B) Create a CloudTrail metric filter for security group changes, use a CloudWatch alarm to notify the SysOps team via SNS when triggered, with a subscribed Lambda function that removes the violating rule.
- C) Activate the AWS Config managed rule restricted-ssh; configure automatic remediation using the AWS Systems Manager Automation runbook AWS-DisablePublicAccessForSecurityGroup; create an EventBridge rule to notify the SysOps team upon noncompliance.
- D) Create a CloudTrail metric filter for security group changes, create a CloudWatch alarm that triggers Systems Manager Automation to suspend the security group using the AWS-DisablePublicAccessForSecurityGroup runbook and sends an SNS notification to the team.
Correct Answer #
C.
Quick Insight: The SysOps Imperative #
The best-practice approach leverages AWS Config’s managed rules to continuously evaluate compliance. Coupled with AWS Systems Manager Automation runbooks for remediation, this delivers a fully managed, scalable, and auditable solution. Using EventBridge for notifications integrates well with existing alerting systems while maintaining clear audit trails.
The Expert’s Analysis #
Correct Answer #
Option C
The Winning Logic #
Option C is the most robust and AWS-native way to meet the requirement:
- AWS Config managed rule restricted-ssh (managed rule identifier INCOMING_SSH_DISABLED): evaluates every AWS::EC2::SecurityGroup on configuration change and marks it NON_COMPLIANT when inbound SSH (port 22) is reachable from 0.0.0.0/0 or ::/0, so you get detection without writing or maintaining custom logic.
- Automatic remediation with the Systems Manager Automation runbook AWS-DisablePublicAccessForSecurityGroup: Config passes the noncompliant group’s ID as the runbook’s GroupId parameter and the runbook revokes the offending inbound rules for the CIDR in its IpAddressToBlock parameter (default 0.0.0.0/0). The runbook disables both SSH (22) and RDP (3389) exposure to that CIDR, and it runs under an AutomationAssumeRole you supply, which needs ec2:DescribeSecurityGroups and ec2:RevokeSecurityGroupIngress and a trust policy for ssm.amazonaws.com. Before relying on it, confirm that the CIDRs it blocks cover every CIDR the rule flags (the rule also flags ::/0), and that the role is scoped to nothing more than that.
- EventBridge rule on Config compliance-change events, targeting an SNS topic: the team is paged the moment a group transitions to NON_COMPLIANT, and both the evaluation and the remediation execution are recorded (in Config and in the Automation execution history) for audit.
This leverages fully managed services designed for compliance governance and scalable remediation, ensuring continuous enforcement without building custom Lambda functions from scratch.
The Trap (Distractor Analysis): #
- Option A: This is a legitimate event-driven pattern (EventBridge can match the AuthorizeSecurityGroupIngress API call delivered via CloudTrail), but it replaces a managed compliance check with hand-written evaluation logic that you must keep correct for IPv4 and IPv6, port ranges that include 22, and all-traffic rules. The disqualifier is the remediation: “remove all inbound rules on all ports” strips every valid rule from the group, breaking legitimate access in order to fix one line.
- Option B: A CloudWatch Logs metric filter over the CloudTrail log group can count security group change events, but an alarm fires on an aggregated metric and carries no resource ID, so the SNS-subscribed Lambda does not learn which group changed or which rule is at fault. It has to rediscover that itself, which means you are again maintaining custom compliance logic with more moving parts than Option A.
- Option D: Same detection weakness as B, plus two problems with the response. A CloudWatch alarm action cannot start an Automation runbook directly (alarm actions cover SNS, EC2, Auto Scaling, and Systems Manager OpsItems/incidents), and even if it could, the alarm has no GroupId to pass. The option also misdescribes the runbook: AWS-DisablePublicAccessForSecurityGroup revokes specific inbound rules rather than “suspending” a group; suspending or emptying a whole group would be far more disruptive than the requirement calls for.
The Technical Blueprint #
# 1. Activate the AWS Config managed rule (identifier INCOMING_SSH_DISABLED)
aws configservice put-config-rule --config-rule file://restricted-ssh-rule.json
# restricted-ssh-rule.json:
# {
#   "ConfigRuleName": "restricted-ssh",
#   "Scope": { "ComplianceResourceTypes": ["AWS::EC2::SecurityGroup"] },
#   "Source": { "Owner": "AWS", "SourceIdentifier": "INCOMING_SSH_DISABLED" }
# }
# 2. Attach automatic remediation to the rule. This is a Config API call (aws configservice),
#    not an SSM one. The file is a JSON array; GroupId and AutomationAssumeRole are the
#    runbook's required parameters, and the retry fields are required when Automatic is true.
#    The role ARN is a placeholder: the role must trust ssm.amazonaws.com and allow
#    ec2:DescribeSecurityGroups and ec2:RevokeSecurityGroupIngress.
aws configservice put-remediation-configurations --remediation-configurations file://remediation-config.json
# remediation-config.json:
# [
#   {
#     "ConfigRuleName": "restricted-ssh",
#     "TargetType": "SSM_DOCUMENT",
#     "TargetId": "AWS-DisablePublicAccessForSecurityGroup",
#     "Parameters": {
#       "GroupId": { "ResourceValue": { "Value": "RESOURCE_ID" } },
#       "AutomationAssumeRole": { "StaticValue": { "Values": ["arn:aws:iam::account-id:role/ConfigRemediationRole"] } }
#     },
#     "Automatic": true,
#     "MaximumAutomaticAttempts": 5,
#     "RetryAttemptSeconds": 60
#   }
# ]
# 3. EventBridge rule for Config compliance-change events, targeting the SNS topic.
#    The compliance state is nested under detail.newEvaluationResult, not directly under detail.
aws events put-rule --name "NotifyOnRestrictedSSHViolation" --event-pattern '{
  "source": ["aws.config"],
  "detail-type": ["Config Rules Compliance Change"],
  "detail": {
    "configRuleName": ["restricted-ssh"],
    "newEvaluationResult": { "complianceType": ["NON_COMPLIANT"] }
  }
}'
aws events put-targets --rule NotifyOnRestrictedSSHViolation --targets "Id"="1","Arn"="arn:aws:sns:region:account-id:SysOpsAlerts"
# Verify end to end: open 22 to 0.0.0.0/0 on a test group, then confirm the group's compliance
# flips in Config, an Automation execution appears in Systems Manager, and the SNS alert arrives.
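The notification rule only works if the event pattern reads the compliance state from where Config actually puts it. The following added example (my own Python, not from the page or AWS) is a minimal matcher for the literal-list subset of EventBridge pattern syntax, run against constructed events that follow the shape of a Config Rules Compliance Change event. It shows that a pattern with complianceType directly under detail never fires, that the nested form does, and that matching NON_COMPLIANT on newEvaluationResult pages on the transition into violation and stays quiet when remediation flips the group back. Real EventBridge also supports prefix, anything-but, and numeric matchers that this toy does not.

```python
"""Match an EventBridge-style pattern against a Config compliance-change event.

Added example, not from the page or AWS. Supports only nested objects whose
leaves are lists of literal values, which is all this rule needs. The events
are constructed to follow the documented "Config Rules Compliance Change" shape.
"""
from typing import Any, Dict


def pattern_matches(pattern: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """True when every pattern key is present in the event and matches.

    A list leaf matches when the event value equals any listed literal;
    a dict leaf recurses into the corresponding nested object.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not pattern_matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if actual not in expected:
                return False
        else:
            raise ValueError(f"pattern leaf for {key!r} must be a list of literals")
    return True


def compliance_event(new_state: str, old_state: str) -> Dict[str, Any]:
    """Constructed event carrying the fields the pattern inspects."""
    return {
        "source": "aws.config",
        "detail-type": "Config Rules Compliance Change",
        "detail": {
            "resourceId": "sg-0123456789abcdef0",  # placeholder ID
            "resourceType": "AWS::EC2::SecurityGroup",
            "configRuleName": "restricted-ssh",
            "messageType": "ComplianceChangeNotification",
            "newEvaluationResult": {"complianceType": new_state},
            "oldEvaluationResult": {"complianceType": old_state},
        },
    }


# Wrong: complianceType is not a direct child of "detail", so this never fires.
FLAT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {"configRuleName": ["restricted-ssh"],
               "complianceType": ["NON_COMPLIANT"]},
}

# Right: the state lives under newEvaluationResult.
NESTED_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {"configRuleName": ["restricted-ssh"],
               "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]}},
}

VIOLATION = compliance_event("NON_COMPLIANT", "COMPLIANT")   # SSH just opened
REMEDIATED = compliance_event("COMPLIANT", "NON_COMPLIANT")  # runbook fixed it

if __name__ == "__main__":
    for name, pat in (("flat", FLAT_PATTERN), ("nested", NESTED_PATTERN)):
        print(name, "fires on violation:", pattern_matches(pat, VIOLATION),
              "| fires after remediation:", pattern_matches(pat, REMEDIATED))
```

If the team also wants a closing notification when a group returns to COMPLIANT, add a second rule matching that value rather than dropping the complianceType filter, so the pager still distinguishes the two transitions.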
The Comparative Analysis #
| Option | Operational Overhead | Automation Level | Compliance Accuracy | Risk of Disruption | Comments |
|---|---|---|---|---|---|
| A | Medium | Medium | Low (custom logic) | High (removes all rules) | Overly broad remediation, manual evaluation |
| B | High | Low/Medium | Low | Medium | Metric filters not granular, relies on Lambda logic |
| C | Low | High | High | Low | Best practice: fully managed AWS Config + SSM |
| D | Medium | Medium | Low | High (suspends entire SG) | Overly disruptive, risk of blocking valid access |
Real-World Application (Practitioner Insight) #
Exam Rule #
For the exam, always pick AWS Config managed rules + Systems Manager Automation when you see automated compliance enforcement with remediation.
Real World #
In complex environments you can augment this with custom Config rules (Lambda-backed or written as AWS CloudFormation Guard policies) and more specific EventBridge rules, but starting with the managed rule plus a managed runbook gets you to continuous enforcement quickly with minimal operational effort. Two things to keep honest in production: the remediation role should be scoped to the single revoke action it needs, and the team should know that the runbook also closes public RDP (3389) on the same group, so nobody is surprised when it does.
Disclaimer
This is a study note based on simulated scenarios for the SOA-C02 exam.