A company uses AWS Organizations to manage multiple AWS accounts. A CloudOps engineer must identify all IPv4 ports open to 0.0.0.0/0 across the organization’s accounts.
Which solution will meet this requirement with the LEAST operational effort?
A.
Use the AWS CLI to print all security group rules for review.
B.
Review AWS Trusted Advisor findings in an organizational view for the Security Groups – Specific Ports Unrestricted check.
C.
Create an AWS Lambda function to gather security group rules from all accounts. Aggregate the findings in an Amazon S3 bucket.
D.
Enable Amazon Inspector in each account. Run an automated workload discovery job.
According to AWS Cloud Operations and Governance documentation, AWS Trusted Advisor provides automated checks for security group rules across all accounts, including identifying ports open to 0.0.0.0/0.
When viewed in organizational mode, Trusted Advisor integrates with AWS Organizations, allowing administrators to access organization-wide security findings from a central management account. This approach requires no custom code, additional infrastructure, or manual inspection, providing immediate visibility and the lowest operational overhead.
AWS CLI scripts (Option A) or Lambda automation (Option C) introduce additional maintenance, and Amazon Inspector (Option D) is focused on instance-level vulnerabilities, not network access rules.
Therefore, Option B is the AWS-recommended CloudOps best practice for centralized and low-effort open-port auditing.
[Reference: AWS Cloud Operations & Governance Guide – Using Trusted Advisor Organizational View for Security Group Port Checks, ]
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit