Q11 — AWS DOP-C02 Ch.1


A company operates hundreds of Amazon EC2 instances in a single AWS account and Region. The company frequently launches and terminates new EC2 instances. The account includes long-running EC2 instances that operate for more than one week.

Correct Answer: B. Configure AWS Config. Deploy the managed rule 'ec2-instance-profile-attached'. Configure an automatic remediation action invoking an AWS Systems Manager Automation runbook to attach the default instance profile to the EC2 instance.

Explanation

The AWS Config managed rule 'ec2-instance-profile-attached' checks whether each AWS::EC2::Instance resource has an IAM instance profile attached; an optional rule parameter, IamInstanceProfileArnList, narrows compliance to an approved set of profiles. The rule is evaluated on configuration change, so AWS Config evaluates every instance that already exists when the rule is created and every instance launched afterwards, and marks each one without a profile as NON_COMPLIANT. That gives coverage of the long-running instances as well as the frequently launched and terminated ones with no per-instance tooling. Attaching an automatic remediation action to the rule makes AWS Config invoke an AWS Systems Manager Automation runbook for each noncompliant resource, passing the instance ID as the runbook's resource parameter, so the default instance profile is attached without manual action. Together this satisfies the security policy requirement that 'all running instances must have an instance profile attached.'

Two implementation details matter for this to be safe. The role the runbook assumes needs permission to associate the profile and iam:PassRole scoped to the single role behind the default profile, not iam:PassRole on '*'. And because every instance in the account will end up carrying that profile, the default role should hold minimal permissions; a remediation that attaches a broad role to hundreds of instances is worse than the original gap.

Option C's event-driven approach reacts only to events emitted after it is deployed, so it cannot retroactively assess the existing noncompliant instances. Options A and D introduce unnecessary complexity in Lambda permissions and execution context.
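Added example (not part of the exam page or its answer key): the Config rule and remediation configuration described above as boto3-ready payloads, plus a small evaluator that mirrors the rule's logic over constructed configuration items so the remediation targets are visible without an AWS account. The account ID, role names and region are placeholders; the runbook name AWS-AttachIAMToInstance and its InstanceId, RoleName and AutomationAssumeRole parameters are the AWS-managed document as I know it, so confirm them with `aws ssm describe-document --name AWS-AttachIAMToInstance` before deploying. The evaluator also supports the rule's optional IamInstanceProfileArnList allowlist, which goes beyond what the question requires.

```python
"""Config rule + automatic remediation for ec2-instance-profile-attached.

Added example for this exam question, not code from the page or from AWS.
Placeholders (assumptions): ACCOUNT_ID, DEFAULT_ROLE_NAME, REMEDIATION_ROLE_ARN
and the region passed to apply(). The AWS-AttachIAMToInstance runbook and its
parameter names are assumed from the AWS-managed document; verify the schema.
"""
import json

RULE_NAME = "ec2-instance-profile-attached"
ACCOUNT_ID = "111122223333"                                   # placeholder
DEFAULT_ROLE_NAME = "DefaultEc2Role"                           # placeholder: a least-privilege role
REMEDIATION_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/ConfigRemediationRole"  # placeholder
ALLOWED_PROFILE_ARNS = [
    f"arn:aws:iam::{ACCOUNT_ID}:instance-profile/{DEFAULT_ROLE_NAME}"
]


def config_rule(allowed_profile_arns=None):
    """PutConfigRule payload for the managed rule (SourceIdentifier is the
    managed-rule ID). The allowlist is optional: without it the rule only
    checks that *some* profile is attached, which is all the policy asks."""
    rule = {
        "ConfigRuleName": RULE_NAME,
        "Source": {"Owner": "AWS", "SourceIdentifier": "EC2_INSTANCE_PROFILE_ATTACHED"},
        "Scope": {"ComplianceResourceTypes": ["AWS::EC2::Instance"]},
    }
    if allowed_profile_arns:
        rule["InputParameters"] = json.dumps(
            {"IamInstanceProfileArnList": ",".join(allowed_profile_arns)}
        )
    return rule


def remediation_configuration():
    """PutRemediationConfigurations payload. RESOURCE_ID is the Config token
    that is replaced with each noncompliant instance's ID at run time; the
    role name and assume role are static values. Retries are bounded so a
    broken runbook cannot loop forever."""
    return {
        "ConfigRuleName": RULE_NAME,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": "AWS-AttachIAMToInstance",          # assumed AWS-managed runbook
        "Parameters": {
            "InstanceId": {"ResourceValue": {"Value": "RESOURCE_ID"}},
            "RoleName": {"StaticValue": {"Values": [DEFAULT_ROLE_NAME]}},
            "AutomationAssumeRole": {"StaticValue": {"Values": [REMEDIATION_ROLE_ARN]}},
        },
        "Automatic": True,
        "MaximumAutomaticAttempts": 5,
        "RetryAttemptSeconds": 60,
    }


def evaluate(instances, allowed_profile_arns=None):
    """Mirror the rule's decision over EC2 configuration items.
    Returns {instance_id: "COMPLIANT" | "NON_COMPLIANT"}; terminated
    instances are skipped because Config does not evaluate deleted resources."""
    result = {}
    for inst in instances:
        if inst.get("state") == "terminated":
            continue
        arn = (inst.get("iamInstanceProfile") or {}).get("arn")
        if not arn:
            result[inst["instanceId"]] = "NON_COMPLIANT"
        elif allowed_profile_arns and arn not in allowed_profile_arns:
            result[inst["instanceId"]] = "NON_COMPLIANT"
        else:
            result[inst["instanceId"]] = "COMPLIANT"
    return result


def remediation_targets(instances, allowed_profile_arns=None):
    """Instance IDs the automatic remediation would be invoked for."""
    compliance = evaluate(instances, allowed_profile_arns)
    return sorted(i for i, c in compliance.items() if c == "NON_COMPLIANT")


# Constructed sample configuration items (not real account data).
SAMPLE_INSTANCES = [
    {"instanceId": "i-0aaa111", "state": "running",            # long-running, has the default profile
     "iamInstanceProfile": {"arn": ALLOWED_PROFILE_ARNS[0]}},
    {"instanceId": "i-0bbb222", "state": "running",            # legacy instance, no profile at all
     "iamInstanceProfile": None},
    {"instanceId": "i-0ccc333", "state": "running",            # has a profile, but not the allowlisted one
     "iamInstanceProfile": {"arn": f"arn:aws:iam::{ACCOUNT_ID}:instance-profile/AdminProfile"}},
    {"instanceId": "i-0ddd444", "state": "terminated",         # already gone; not evaluated
     "iamInstanceProfile": None},
]


def apply(region="us-east-1"):
    """Push the rule and remediation to AWS (network call; needs credentials)."""
    import boto3  # imported here so the offline parts of this file need no boto3
    cfg = boto3.client("config", region_name=region)
    cfg.put_config_rule(ConfigRule=config_rule(ALLOWED_PROFILE_ARNS))
    cfg.put_remediation_configurations(
        RemediationConfigurations=[remediation_configuration()]
    )


if __name__ == "__main__":
    print(json.dumps(config_rule(ALLOWED_PROFILE_ARNS), indent=2))
    print(json.dumps(remediation_configuration(), indent=2))
    print("remediate:", remediation_targets(SAMPLE_INSTANCES, ALLOWED_PROFILE_ARNS))
```

Note that with the allowlist enabled, i-0ccc333 is flagged because it carries a profile outside the approved set; whether the runbook can replace an existing profile, rather than only attach one where none exists, depends on its own options (the managed document has a force-replace style parameter as I recall), so check that before turning on the allowlist with automatic remediation.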