Company policy requires that all insecure server protocols, such as FTP, Telnet, HTTP, etc., be disabled on all the servers. The security team would like to regularly check all the servers to ensure compliance with this requirement by using a scheduled CloudWatch event to trigger a review of the current infrastructure.
What process will check compliance of the company’s EC2 instance?
A) Trigger an AWS Config Rules evaluation of the restricted-common-ports rule against every EC2 instance
B) Query the Trusted Advisor API for all best practice security checks and check for "action recommended" status
C) Enable a GuardDuty threat detection analysis targeting the port configuration on every EC2 instance
D) Run an Amazon Inspector assessment using the Runtime Behavior Analysis rules package against every EC2 instance
My two cents:
A. Looks ok since you can define the rule to scan insecure ports in Cloud Config
B. Trusted Advisor also provides scans of the security group. Not sure whether it covers all risky ports
C. GuardDuty can do port scan as well
D. Inspector has a rule: Insecure Server Protocols.
This rule helps determine whether your EC2 instances allow support for insecure and unencrypted ports/ services such as FTP, Telnet, HTTP, IMAP, POP version 3, SMTP, SNMP versions 1 and 2, rsh, and rlogin.
It looks like D is closest to the answer, but A, B, C can also meet the goal. So I really don’t know which one to choose. Please let me know your thoughts
D seems to be correct here. A and B both focus on security groups rather than the instances themselves. GuardDuty is mainly focused on log analysis and threat correlation rather than resource compliance
I think that D is the only option that will find if the protocols are disabled in the instance. If the protocols were enabled but not using default ports, A would not help.
"scheduled CloudWatch event to trigger a review of the current infrastructure": this statement leaves D as the only option. Further, good observation by Dan here regarding protocols listening on non-standard ports.
Inspector can be triggered by CloudWatch, but not Config. Thus D should be the answer I guess.
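To make the thread's conclusion concrete, here is an added example (not from the original question or any of the posters) of the Lambda handler a scheduled CloudWatch Events/EventBridge rule would invoke: it starts an Amazon Inspector (Classic) assessment run via the boto3 `inspector` client and, once a run has finished, reduces the findings to the list of EC2 instances that still expose insecure server protocols. Assumptions: the Inspector Classic API (assessment templates and rules packages, as discussed above), an environment variable `ASSESSMENT_TEMPLATE_ARN` holding an already-created template, that findings for the "Insecure Server Protocols" rule carry that rule name in their `id` or `title` field, and the sample findings below, which are constructed to mirror the shape of `describe_findings` output.

```python
"""Scheduled compliance check: an EventBridge/CloudWatch Events schedule rule
invokes lambda_handler, which starts an Amazon Inspector Classic assessment run.
collect_findings and summarize_findings turn a finished run's findings into a
per-instance list of insecure-protocol problems."""
import os
import time

# Rule name from the Security Best Practices rules package referred to in the thread.
# ASSUMPTION: findings for this rule mention the rule name in their id or title.
INSECURE_PROTOCOLS_RULE = "insecure server protocols"


def summarize_findings(findings):
    """Return {instance_id: [finding titles]} for every instance that has at least
    one Insecure Server Protocols finding. Each finding dict follows the shape of
    inspector.describe_findings(...)["findings"]: "id", "title", "severity" and an
    "assetAttributes" block whose "agentId" is the EC2 instance ID."""
    non_compliant = {}
    for finding in findings:
        haystack = (finding.get("id", "") + " " + finding.get("title", "")).lower()
        if INSECURE_PROTOCOLS_RULE not in haystack:
            continue  # some other rule (e.g. root login over SSH); not our concern here
        instance_id = finding.get("assetAttributes", {}).get("agentId")
        if not instance_id:
            continue
        non_compliant.setdefault(instance_id, []).append(finding.get("title", ""))
    return non_compliant


def is_compliant(findings):
    """True when no instance has an Insecure Server Protocols finding."""
    return not summarize_findings(findings)


def lambda_handler(event, context):
    """Entry point for the scheduled rule: kick off a new assessment run."""
    import boto3  # imported lazily so the pure functions above are testable without the SDK
    inspector = boto3.client("inspector")
    template_arn = os.environ["ASSESSMENT_TEMPLATE_ARN"]  # ASSUMPTION: set on the function
    run = inspector.start_assessment_run(
        assessmentTemplateArn=template_arn,
        assessmentRunName=f"insecure-protocols-{int(time.time())}",
    )
    return {"assessmentRunArn": run["assessmentRunArn"]}


def collect_findings(inspector, assessment_run_arn):
    """Fetch every finding of a completed run: list_findings is paginated and
    describe_findings accepts at most 100 ARNs per call."""
    arns = []
    for page in inspector.get_paginator("list_findings").paginate(
        assessmentRunArns=[assessment_run_arn]
    ):
        arns.extend(page["findingArns"])
    findings = []
    for i in range(0, len(arns), 100):
        findings.extend(inspector.describe_findings(findingArns=arns[i:i + 100])["findings"])
    return findings


# Constructed sample findings (not real Inspector output); instance IDs are placeholders.
SAMPLE_FINDINGS = [
    {
        "id": "Insecure Server Protocols",
        "title": "Instance i-0aaaaaaaaaaaaaaaa is configured to support insecure protocol Telnet",
        "severity": "High",
        "assetAttributes": {"agentId": "i-0aaaaaaaaaaaaaaaa"},
    },
    {
        "id": "Root login via SSH",
        "title": "Instance i-0bbbbbbbbbbbbbbbb allows root login over SSH",
        "severity": "Medium",
        "assetAttributes": {"agentId": "i-0bbbbbbbbbbbbbbbb"},
    },
    {
        "id": "Insecure Server Protocols",
        "title": "Instance i-0aaaaaaaaaaaaaaaa is configured to support insecure protocol FTP",
        "severity": "High",
        "assetAttributes": {"agentId": "i-0aaaaaaaaaaaaaaaa"},
    },
]

if __name__ == "__main__":
    for instance, titles in summarize_findings(SAMPLE_FINDINGS).items():
        print(instance)
        for t in titles:
            print("  -", t)
```

Because the Inspector agent inspects the instance's own configuration rather than its security group, the summary flags a Telnet or FTP service regardless of which port it listens on, which is the gap Dan pointed out with the Config `restricted-common-ports` rule.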