Trusted Advisor Checks & Automation
-
The following question in the 2nd test asks:
You have a separate AWS account on which developers can freely spawn their own AWS resources and test their new builds. Given the lax restriction in this environment, you checked AWS Trusted Advisor and it shows that several instances use the default security group rule that opens inbound port 22 to all IP addresses. Even for a test environment, you still want to restrict the port 22 access from the Public IP of your on-premises data center only. With this, you want to be notified of any security check recommendations from Trusted Advisor and automatically solve the non-compliance based on the results.
What are the steps that you should take to set up the required solution? (Select THREE)
Correct answers:
-Create a Lambda function and integrate CloudWatch Events and AWS Lambda to execute the function on a regular schedule to check AWS Trusted Advisor via API. Based on the results, publish a message to an SNS Topic to notify the subscribers.
-Set up custom AWS Config rule that checks security groups to make sure that port 22 is not open to public. Send a notification to an SNS topic for non-compliance.
-Set up custom AWS Config rule to execute a remediation action using AWS Systems Manager Automation to update the publicly open port 22 on the instances and restrict to only your office’s public IP.
Incorrect answer that looks OK:
-Create a Lambda function that executes every hour to refresh AWS Trusted Advisor scan results via API. The automated notification on AWS Trusted Advisor will notify you of any changes.
Obviously incorrect answers:
-Create an AWS Config Cron job to schedule your checks on all AWS security groups and send results to SNS for the non-compliance notification.
-Set up custom AWS Config rule to execute a remediation action that triggers a Lambda Function to update the publicly open port 22 in the security group and restrict to only your office’s public IP.
My issue here is that Trusted Advisor needs to be “refreshed” in order to be able to give up-to-date results, otherwise you won’t have consistent results.
So a solution that does not include that refresh won’t be acceptable.
The explanations say:
The option that says: Create a Lambda function that executes every hour to refresh AWS Trusted Advisor scan results via API. The automated notification on AWS Trusted Advisor will notify you of any changes is incorrect because the notification is only sent on a weekly basis, which can be quite long if you are concerned about security issues.
It is still valid because although you can use another notification means to fulfill your needs, you cannot afford to skip a refresh step.
What do you think?
regards,
Claude.
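The custom AWS Config rule from the second correct answer, written out as an added example that is not part of this thread or of any AWS sample code: a Python Lambda handler for a Config custom rule that marks a security group NON_COMPLIANT when TCP/22 is reachable from 0.0.0.0/0 or ::/0. The evaluation logic is kept separate from the boto3 wiring so it runs locally on the constructed security-group records at the bottom; the handler re-reads the live group with describe_security_groups instead of parsing the configuration item (a design choice of this example), and the SSM Automation remediation from the third answer is not shown.

```python
"""AWS Config custom rule: flag security groups that open TCP/22 to the world.

Added example (not from the thread or an AWS sample). The evaluation functions are
pure Python and run on the constructed samples below; lambda_handler needs the
Lambda + Config wiring and boto3 at deploy time.
"""
import json
from typing import Any, Dict, List, Tuple

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
SSH_PORT = 22


def _permission_covers_port(perm: Dict[str, Any], port: int) -> bool:
    """True if an EC2 IpPermission entry applies to the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":          # "all traffic" rule covers every port
        return True
    if proto != "tcp":         # UDP/ICMP rules never expose SSH
        return False
    low, high = perm.get("FromPort"), perm.get("ToPort")
    if low is None or high is None:
        return False
    return low <= port <= high


def world_open_ranges(sg: Dict[str, Any], port: int = SSH_PORT) -> List[str]:
    """CIDRs that open `port` to everyone; an empty list means compliant."""
    hits: List[str] = []
    for perm in sg.get("IpPermissions", []):
        if not _permission_covers_port(perm, port):
            continue
        for r in perm.get("IpRanges", []):
            if r.get("CidrIp") in WORLD_CIDRS:
                hits.append(r["CidrIp"])
        for r in perm.get("Ipv6Ranges", []):
            if r.get("CidrIpv6") in WORLD_CIDRS:
                hits.append(r["CidrIpv6"])
    return hits


def evaluate(sg: Dict[str, Any]) -> Tuple[str, str]:
    """Return (ComplianceType, Annotation) in the form put_evaluations expects."""
    cidrs = world_open_ranges(sg)
    if cidrs:
        return "NON_COMPLIANT", f"TCP/{SSH_PORT} open to {', '.join(sorted(cidrs))}"
    return "COMPLIANT", f"TCP/{SSH_PORT} not exposed to {' or '.join(sorted(WORLD_CIDRS))}"


def lambda_handler(event: Dict[str, Any], context: Any) -> None:
    """Config custom-rule entry point (configuration-change trigger)."""
    import boto3  # imported here so the pure logic above runs without AWS deps

    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        return
    group_id = item["resourceId"]
    if item["configurationItemStatus"] in ("ResourceDeleted", "ResourceNotRecorded"):
        compliance, note = "NOT_APPLICABLE", "security group no longer exists"
    else:
        # Re-read the live group from EC2 rather than parsing the configuration
        # item, so the same evaluate() input shape is used here and in local tests.
        sg = boto3.client("ec2").describe_security_groups(
            GroupIds=[group_id])["SecurityGroups"][0]
        compliance, note = evaluate(sg)
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": group_id,
            "ComplianceType": compliance,
            "Annotation": note[:256],
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )


# Constructed samples (not real groups) shaped like describe_security_groups output.
SG_OPEN = {"GroupId": "sg-0example000000001", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]}
SG_RESTRICTED = {"GroupId": "sg-0example000000002", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},  # office IP (TEST-NET-3)
]}
SG_ALL_TRAFFIC_V6 = {"GroupId": "sg-0example000000003", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]}
SG_UDP_ONLY = {"GroupId": "sg-0example000000004", "IpPermissions": [
    {"IpProtocol": "udp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]}

if __name__ == "__main__":
    for sg in (SG_OPEN, SG_RESTRICTED, SG_ALL_TRAFFIC_V6, SG_UDP_ONLY):
        print(sg["GroupId"], *evaluate(sg))
```

The "-1" (all traffic) and port-range cases are the ones a naive check that only matches FromPort == 22 misses, which is why the evaluation walks the permission list instead of looking for an exact port entry.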
-
Hi Claude,
Basically, you can enable weekly email notifications from Trusted Advisor in the Preferences page of the Trusted Advisor console, as described in this reference:
https://aws.amazon.com/premiumsupport/knowledge-center/trusted-advisor-notifications/
In the option that you are referring to, the first part of it makes sense since it uses the AWS Trusted Advisor API for the most up-to-date scan results. The issue lies in the second part where it uses the automated email notification, which is sent on a weekly basis.
Take note that it is not mandatory to “refresh” the scan results of the Trusted Advisor check. If you are using its API, then you will get the latest data.
Alternatively, you can use Amazon CloudWatch Events to monitor the status of Trusted Advisor checks. You can then use Amazon CloudWatch to create alarms on Trusted Advisor metrics. These alarms notify you when the status changes for a Trusted Advisor check, such as an updated resource or a service quota that is reached.
Reference:
https://docs.aws.amazon.com/awssupport/latest/user/cloudwatch-ta.html
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam on your first try!
Regards,
Jon Bonso @ Tutorials Dojo
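The scheduled Lambda from the first correct answer, with the refresh step Claude asks about and the API read Jon describes, as an added example that is not part of this thread or of AWS's own samples: it refreshes one Trusted Advisor check through the Support API, reads the latest result, and publishes the flagged resources to an SNS topic. The check name, the column headers in the constructed sample, the TOPIC_ARN environment variable and the placeholder check id are assumptions; the Support API is served only from us-east-1 and needs a Business or Enterprise support plan.

```python
"""Scheduled Lambda: refresh one Trusted Advisor check, read its latest result through
the Support API and publish the flagged resources to an SNS topic.

Added example (not from the thread or an AWS sample). find_check, flagged_rows and
build_message are pure Python and run on the constructed sample at the bottom.
"""
import os
import time
from typing import Any, Dict, List

# Assumed: the Trusted Advisor check that reports port 22 open to the world.
CHECK_NAME = "Security Groups - Specific Ports Unrestricted"
BAD_STATUSES = {"warning", "error"}


def find_check(checks: List[Dict[str, Any]], name: str) -> Dict[str, Any]:
    """Select one check by name from describe_trusted_advisor_checks()['checks']."""
    for check in checks:
        if check["name"] == name:
            return check
    raise KeyError(f"Trusted Advisor check not found: {name}")


def flagged_rows(check: Dict[str, Any], result: Dict[str, Any]) -> List[Dict[str, str]]:
    """Pair each flagged resource's metadata list with the check's column headers."""
    headers = check["metadata"]
    rows = []
    for res in result.get("flaggedResources", []):
        if res.get("status") not in BAD_STATUSES:  # skip 'ok' entries
            continue
        row = dict(zip(headers, res.get("metadata", [])))
        row["resourceId"] = res.get("resourceId", "")
        rows.append(row)
    return rows


def build_message(check_name: str, rows: List[Dict[str, str]]) -> str:
    """Plain-text SNS body, one line per flagged resource."""
    lines = [f"Trusted Advisor: {len(rows)} resource(s) flagged by '{check_name}'"]
    for row in rows:
        lines.append(" | ".join(f"{k}={v}" for k, v in row.items()))
    return "\n".join(lines)


def wait_for_refresh(support: Any, check_id: str, attempts: int = 12, delay: int = 5) -> str:
    """Poll until the refresh finishes; returns the final refresh status string."""
    for _ in range(attempts):
        status = support.describe_trusted_advisor_check_refresh_statuses(
            checkIds=[check_id])["statuses"][0]["status"]
        if status in ("success", "abandoned", "none"):
            return status
        time.sleep(delay)
    return "timeout"


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, int]:
    """Entry point for the CloudWatch Events schedule."""
    import boto3  # imported here so the pure logic above runs without AWS deps
    from botocore.exceptions import ClientError

    support = boto3.client("support", region_name="us-east-1")
    checks = support.describe_trusted_advisor_checks(language="en")["checks"]
    check = find_check(checks, CHECK_NAME)
    try:
        support.refresh_trusted_advisor_check(checkId=check["id"])
        wait_for_refresh(support, check["id"])
    except ClientError as err:
        # Checks that AWS refreshes automatically reject a manual refresh;
        # their stored result is still the latest one.
        if err.response["Error"]["Code"] != "InvalidParameterValueException":
            raise
    result = support.describe_trusted_advisor_check_result(
        checkId=check["id"], language="en")["result"]
    rows = flagged_rows(check, result)
    if rows:
        boto3.client("sns").publish(
            TopicArn=os.environ["TOPIC_ARN"],  # assumed env var set on the function
            Subject=f"Trusted Advisor: {check['name']}"[:100],
            Message=build_message(check["name"], rows),
        )
    return {"flagged": len(rows)}


# Constructed sample shaped like the Support API responses (column names assumed).
SAMPLE_CHECKS = [{"id": "EXAMPLE-CHECK-ID", "name": CHECK_NAME, "category": "security",
                  "metadata": ["Region", "Security Group Name", "Security Group ID",
                               "Protocol", "Port", "Status"]}]
SAMPLE_RESULT = {"checkId": "EXAMPLE-CHECK-ID", "status": "warning", "flaggedResources": [
    {"status": "warning", "region": "us-east-1", "resourceId": "sg-0example000000001",
     "metadata": ["us-east-1", "default", "sg-0example000000001", "tcp", "22", "Yellow"]},
    {"status": "ok", "region": "us-east-1", "resourceId": "sg-0example000000002",
     "metadata": ["us-east-1", "web", "sg-0example000000002", "tcp", "443", "Green"]},
]}

if __name__ == "__main__":
    print(build_message(CHECK_NAME, flagged_rows(SAMPLE_CHECKS[0], SAMPLE_RESULT)))
```

Because the refresh is polled to completion before the result is read, the Lambda's timeout must cover attempts times delay (one minute with the defaults); the SNS publish replaces the weekly e-mail that the explanation objects to, while the Config rule still provides the per-change evaluation and remediation path.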