There are many questions asked to identify the best AWS service to detect unrestricted access over some ports.
1. You have been asked to investigate whether unrestricted SSH access is enabled to any of your EC2 instances. How should you approach this?
a. Use AWS Config to check which Security Groups are configured with unrestricted access
b. Use Kali Linux to run a penetration test
c. Use Trusted Advisor to report Security Groups configured with unrestricted access
d. Run an Inspector assessment using Runtime behavior analysis rule package
2. You have been asked to make sure that insecure protocols like Telnet and FTP are disabled on all of your EC2 instances. You would like to perform a regular automated review of your environment. Which of the following solutions will meet this requirement?
a. Use a Lambda scheduled event to launch Trusted Advisor to run a check on security best practices
b. Use a scheduled Lambda event to trigger AWS Config to evaluate the restricted-common-ports rule for every EC2 instance.
c. Use a CloudWatch Event to trigger AWS Config to evaluate the restricted-common-ports rule for every EC2 instance.
d. Use CloudWatch Events to schedule Amazon Inspector to complete a Runtime Behaviour Analysis check on every EC2 instance.
This is a clear answer as CloudWatch Events can only trigger Inspector but not Config or Trusted Advisor.
Can we draw a line on which service to use; based on different conditions like cost, low maintenance, ease of deployment, feature etc?
I think if you need to know if you have any unrestricted ports opened on your EC2 instance (e.g Port 22 is opened to 0.0.0.0/0 and ::0/0 in your security group), you can use the AWS config or trusted advisor. if you want to know if your EC2 instance is reachable over IGW or VWG or VPC peering on some ports then you can use AWS inspector. If you need to know if your EC2 instance is connecting to another host for logining using insecure protocol instead of SSH, then you should use the AWS Inspector.