Q33 — AWS DOP-C02 Ch.1


A company operates hundreds of Amazon EC2 instances in a single AWS Region within one AWS account. Each day, new EC2 instances are launched and terminated in the account. The account also includes existing EC2 instances that have been running for over a week. The company's security policy requires that all running EC2 instances use an EC2 instance profile. If an EC2 instance launches without an attached instance profile, it defaults to using an unassigned IAM role with no permissions. A DevOps engineer inspects the account and discovers EC2 instances running without an attached instance profile. During the review period, the DevOps engineer observes new EC2 instances launching without an instance profile. Which solution ensures that an instance profile is attached to all existing and future EC2 instances in the Region?

Correct Answer: B. Configure the ec2-instance-profile-attached AWS Config managed rule with a configuration change trigger type. Configure the automatic remediation action to invoke an AWS Systems Manager Automation runbook to attach the default instance profile to the EC2 instance.

Explanation

Option B is correct. The ec2-instance-profile-attached AWS Config managed rule evaluates every AWS::EC2::Instance that Config records and marks an instance NON_COMPLIANT when no IAM instance profile is associated with it (optionally, only profiles from an allowed list count as compliant). With the configuration-changes trigger type, the rule runs an initial evaluation of the instances that already exist when the rule is created, and then re-evaluates an instance every time Config records a new configuration item for it, which includes every newly launched instance. Attaching an automatic remediation action to the rule makes Config invoke an AWS Systems Manager Automation runbook (for example the AWS-managed AWS-AttachIAMToInstance document) for each noncompliant instance, passing the instance ID as the resource parameter. The runbook calls ec2:AssociateIamInstanceProfile, which attaches a profile to a running instance without a stop or restart. This is the only option that covers both the existing instances and future launches.

Option A reacts only to RunInstances API calls. That does cover future launches (Auto Scaling launches also call RunInstances and appear in CloudTrail), but it never sees the instances that were already running before the rule existed, so the noncompliant instances found during the review would stay noncompliant. Option C reacts to StartInstances, which fires only when a stopped instance is started, not at launch, so a newly launched instance that never stops is never checked, and existing running instances are not covered either. Option D changes the managed policies attached to IAM roles; it does not associate a profile with any instance, so it does not address the requirement at all.

Checks a practitioner would make before relying on this: the Config configuration recorder must be enabled and recording AWS::EC2::Instance in the Region (Config rules and remediation configurations are regional, so the setup is repeated per Region); the Automation runbook must assume a role that can call ec2:AssociateIamInstanceProfile and iam:PassRole for the instance role, because EC2 rejects the association otherwise; and the automatic remediation should carry a bounded retry count so a failing runbook does not loop indefinitely.
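The following CloudFormation template is an added example of option B, not content from the exam page or an AWS-published template. It creates the managed rule, an automatic remediation that runs the AWS-AttachIAMToInstance runbook, and the role the runbook assumes. The role name DefaultEc2InstanceRole, the logical resource names, and the exact IAM actions the runbook needs are assumptions; confirm the runbook's parameter names (InstanceId, RoleName, AutomationAssumeRole) and steps in the Systems Manager console before deploying.

```yaml
# Added example, not from the exam page. Enforces an instance profile on every
# EC2 instance in the Region where the stack is deployed. Assumes a Config
# configuration recorder is already enabled in this Region.
AWSTemplateFormatVersion: "2010-09-09"
Description: Attach the default instance profile to every EC2 instance lacking one

Parameters:
  DefaultInstanceRoleName:
    Type: String
    Default: DefaultEc2InstanceRole   # assumed name of the role behind the default instance profile

Resources:
  # Role assumed by the Automation runbook when it remediates an instance.
  RemediationRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ssm.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: AttachDefaultInstanceProfile
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - ec2:DescribeInstances
                  - ec2:DescribeIamInstanceProfileAssociations
                  - ec2:AssociateIamInstanceProfile
                Resource: "*"
              # The runbook takes a role name, so it looks up (and, if missing,
              # creates) the matching instance profile. Exact set is an assumption;
              # scope it to the runbook's real steps.
              - Effect: Allow
                Action:
                  - iam:ListInstanceProfilesForRole
                  - iam:GetInstanceProfile
                  - iam:CreateInstanceProfile
                  - iam:AddRoleToInstanceProfile
                Resource:
                  - !Sub arn:aws:iam::${AWS::AccountId}:role/${DefaultInstanceRoleName}
                  - !Sub arn:aws:iam::${AWS::AccountId}:instance-profile/*
              # EC2 refuses the association unless the caller may pass the role.
              - Effect: Allow
                Action: iam:PassRole
                Resource: !Sub arn:aws:iam::${AWS::AccountId}:role/${DefaultInstanceRoleName}

  # Managed rule; configuration-change trigger is the default for this identifier,
  # so existing instances get an initial evaluation and new ones are evaluated
  # as Config records them.
  InstanceProfileRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: ec2-instance-profile-attached
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Instance
      Source:
        Owner: AWS
        SourceIdentifier: EC2_INSTANCE_PROFILE_ATTACHED

  # Automatic remediation: Config substitutes each noncompliant instance ID into
  # the runbook's InstanceId parameter. Retries are bounded so a persistent
  # failure (e.g. a missing PassRole permission) cannot loop forever.
  AttachProfileRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref InstanceProfileRule
      TargetType: SSM_DOCUMENT
      TargetId: AWS-AttachIAMToInstance
      Automatic: true
      MaximumAutomaticAttempts: 3
      RetryAttemptSeconds: 60
      Parameters:
        InstanceId:
          ResourceValue:
            Value: RESOURCE_ID
        RoleName:
          StaticValue:
            Values:
              - !Ref DefaultInstanceRoleName
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !GetAtt RemediationRole.Arn
```

After deployment, the rule's initial evaluation lists the already-running instances without a profile and the remediation attaches the default profile to each; new launches are evaluated when their configuration item is recorded. Because both resources are regional, the same stack must be deployed in every Region where the account runs instances, and the remediation history in the Config console is the place to confirm that the runbook is actually succeeding rather than exhausting its retries.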