Q512. A solution is activated for the organization. All production AWS accounts exist under an OU that is named "production." Systems operators have full administrative privileges within these accounts by using IAM roles. The company wants to ensure that security groups in all production accounts do not allow inbound traffic for TCP port 22. All noncompliant security groups must be remediated immediately, and no new rules that allow port 22 can be created. Which solution will meet these requirements?

A. Write an SCP that denies the CreateSecurityGroup action with a condition of ec2:Ingress rule with value 22. Apply the SCP to the "production" OU.
B. Configure an AWS CloudTrail trail for all accounts. Send CloudTrail logs to an Amazon S3 bucket in the Organizations management account. Configure an AWS Lambda function in the management account with permissions to assume a role in all production accounts to describe and modify security groups. Configure Amazon S3 to invoke the Lambda function on every PutObject event on the S3 bucket. Configure the Lambda function to analyze each CloudTrail event for noncompliant security group actions and to automatically remediate any issues.
C. Create an Amazon EventBridge (Amazon CloudWatch Events) event bus in the Organizations management account. Create an AWS CloudFormation template to deploy configurations that send CreateSecurityGroup events to the event bus from all production accounts. Configure an AWS Lambda function in the management account with permissions to assume a role in all production accounts to describe and modify security groups. Configure the event bus to invoke the Lambda function. Configure the Lambda function to analyze each event for noncompliant security group actions and to automatically remediate any issues.
D. Create an AWS CloudFormation template to turn on AWS Config. Activate the INCOMING_SSH_DISABLED AWS Config managed rule. Deploy an AWS Lambda function that will run based on AWS Config findings and will remediate noncompliant resources. Deploy the CloudFormation template by using a StackSet that is assigned to the "production" OU. Apply an SCP to the OU to deny modification of the resources that the CloudFormation template provisions.
Correct answer: D
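As an added example (not part of the question bank and not AWS sample code), here is the remediation step of option D written as a Lambda handler body: it consumes an AWS Config compliance-change event for the INCOMING_SSH_DISABLED rule and revokes every ingress rule that admits TCP/22. The event field names, the security group id and the `FakeEC2` stand-in for the boto3 client are assumptions so the code runs offline; with the real client, `ec2` would be `boto3.client("ec2")` obtained after assuming the role in the production account.

```python
from typing import Any

SSH_PORT = 22

def offending_permissions(perms: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """IpPermissions entries that admit inbound TCP/22. A rule whose range
    merely spans 22 is returned whole: EC2 revokes by exact match."""
    bad = []
    for p in perms:
        proto = p.get("IpProtocol")
        if proto == "-1":  # "all traffic" covers every port, including 22
            bad.append(p)
        elif proto == "tcp" and p.get("FromPort", -1) <= SSH_PORT <= p.get("ToPort", -1):
            bad.append(p)
    return bad

def remediate(event: dict[str, Any], ec2: Any) -> list[dict[str, Any]]:
    """Lambda handler body; `ec2` is a boto3 EC2 client (or a stand-in). Returns what was revoked."""
    detail = event.get("detail", {})
    if detail.get("resourceType") != "AWS::EC2::SecurityGroup":
        return []  # Config events for other resource types need no action here
    if detail.get("newEvaluationResult", {}).get("complianceType") != "NON_COMPLIANT":
        return []  # COMPLIANT / NOT_APPLICABLE transitions are left alone
    sg_id = detail["resourceId"]
    group = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]
    bad = offending_permissions(group["IpPermissions"])
    if bad:
        ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=bad)
    return bad

# Constructed fixtures: event shape assumed from Config's compliance-change event; placeholder group id.
SAMPLE_EVENT = {"detail-type": "Config Rules Compliance Change", "detail": {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123456789abcdef0",
    "configRuleName": "INCOMING_SSH_DISABLED",
    "newEvaluationResult": {"complianceType": "NON_COMPLIANT"}}}

class FakeEC2:
    """Stand-in for boto3's EC2 client that records what was revoked."""
    def __init__(self) -> None:
        self.revoked: list[dict[str, Any]] = []
        self.perms = [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        ]
    def describe_security_groups(self, GroupIds: list[str]) -> dict[str, Any]:
        return {"SecurityGroups": [{"GroupId": GroupIds[0], "IpPermissions": list(self.perms)}]}
    def revoke_security_group_ingress(self, GroupId: str, IpPermissions: list) -> None:
        self.revoked.extend(IpPermissions)
        self.perms = [p for p in self.perms if p not in IpPermissions]
```

Note that the 20-25 range rule is revoked whole because EC2 revocation matches rules exactly; an operator who needs ports 20-21 and 23-25 must re-add them as narrower rules.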