SAP-C02 Question 44
Question
A company has 10 accounts that are part of an organization in AWS Organizations. AWS Config is configured in each account. All accounts belong to either the Prod OU or the NonProd OU. The company has set up an Amazon EventBridge rule in each AWS account to notify an Amazon Simple Notification Service (Amazon SNS) topic when an Amazon EC2 security group inbound rule is created with 0.0.0.0/0 as the source. The company's security team is subscribed to the SNS topic. For all accounts in the NonProd OU, the security team needs to remove the ability to create a security group inbound rule that includes 0.0.0.0/0 as the source. Which solution will meet this requirement with the LEAST operational overhead?
Options
A. Modify the EventBridge rule to invoke an AWS Lambda function to remove the security group inbound rule and to publish to the SNS topic. Deploy the updated rule to the NonProd OU.
B. Add the vpc-sg-open-only-to-authorized-ports AWS Config managed rule to the NonProd OU.
C. Configure an SCP to allow the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is not 0.0.0.0/0. Apply the SCP to the NonProd OU.
D. Configure an SCP to deny the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is 0.0.0.0/0. Apply the SCP to the NonProd OU.
Answer
D
Explanation
Correct answer: D
Explanation: The answer to this question is D.
Correct option: D. Configure an SCP to deny the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is 0.0.0.0/0. Apply the SCP to the NonProd OU.
Reason for choosing it: This option most directly satisfies the key constraint stated in the question. When working through SAP-C02 questions, you must also check each option against the qualifiers in the question stem, such as highest performance, least operational overhead, cost-effectiveness, reliability, scalability, ...