4 Answers
Config, by itself, is only going to record your configuration. You would need to add a rule for port 22 open to the world for it to show anything "out of compliance". I suspect that is why Trusted Advisor is the answer because you don’t do extra steps for that.
Trusted Advisor is the more correct answer because this TA check is enabled by default. In config, you must either enable a managed rule or create a custom rule to check compliance status. On the exam, you must evaluate and select the more correct answer.
I agree with Rick on this. The open port 22 is a default rule that gets reported by Trusted Advisor. You’d need to configure this on AWS Config. I would agree that Config is probably the better place if you’re doing this in the real world.
Config can absolutely do this to not only detect an open port but even perform remediation actions to remove the rule from the security group. But it must be configured. Trusted Advisor can do this out of the box. Because the question is worded as "Which service can you use" then both answers should be correct, even though one service is by default. So in other words to directly answer the question, can you use AWS config to find out if you have accidentally configured one of your Security Groups with SSH access on port 22 open to the world? yes.
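As an added illustration (not code from any of the answers above, and not AWS's own rule implementation) of the condition both services evaluate, here is the "SSH open to the world" check written against security-group data in the shape `describe_security_groups` returns; the function names and the sample groups are constructed for this example, and the `COMPLIANT`/`NON_COMPLIANT` strings are the verdicts a custom Config rule reports per resource.

```python
# Detect security groups that allow SSH (TCP/22) from anywhere, the same
# condition the AWS Config managed rule "restricted-ssh" (source identifier
# INCOMING_SSH_DISABLED) and the Trusted Advisor unrestricted-ports check flag.
# Input is the shape of ec2.describe_security_groups()["SecurityGroups"];
# the sample below is constructed, not real account data.

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
SSH_PORT = 22

def permission_covers_ssh(perm):
    """True if an inbound permission entry includes TCP port 22."""
    proto = perm.get("IpProtocol")
    if proto == "-1":            # "all traffic": every protocol and port
        return True
    if proto != "tcp":           # udp/icmp rules do not expose SSH
        return False
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return lo <= SSH_PORT <= hi  # catches ranges such as 20-25 too

def world_open_cidrs(perm):
    """CIDRs in this entry that mean 'anyone on the internet' (v4 or v6)."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in v4 + v6 if c in WORLD_CIDRS]

def open_ssh_findings(security_groups):
    """Return [(group_id, cidr), ...] for every world-open SSH rule."""
    return [(sg["GroupId"], cidr)
            for sg in security_groups
            for perm in sg.get("IpPermissions", [])
            if permission_covers_ssh(perm)
            for cidr in world_open_cidrs(perm)]

def compliance(security_group):
    """Per-resource verdict in the form a custom Config rule would report."""
    return "NON_COMPLIANT" if open_ssh_findings([security_group]) else "COMPLIANT"

# Constructed sample: an obvious offender, a port range open over IPv6,
# an SSH rule restricted to a private CIDR, and an "all traffic" rule.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 20,
        "ToPort": 25, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0ddd", "IpPermissions": [{"IpProtocol": "-1",
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
```

Against a live account, replace `SAMPLE_GROUPS` with the `SecurityGroups` list from boto3's `describe_security_groups`; the port-range and `-1` cases are the ones a naive "FromPort == 22" check misses.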
Config is usually the better real-world service for this. In practice, this is probably not the only rule you’ll have set up for compliance checks, in which case you’ll need Config anyway (assuming you need more checks than the ones available in TA). May as well set up all your rules in one place rather than using both.
Agree here. Would love if question ambiguity were removed. A caveat such as, prior to the rule being deployed, or what is the best answer would be helpful IMHO.