Q47 — AWS DOP-C02 Ch.1
A company uses AWS Systems Manager to manage Amazon Linux EC2 instances with the SSM Agent installed. All EC2 instances are configured to use Instance Metadata Service Version 2 (IMDSv2) and run in the same AWS account and Region. The company’s policy requires developers to use only Amazon Linux. The company wants to ensure that new EC2 instances are automatically managed by Systems Manager immediately after creation.
- A. Create an IAM role with a trust policy allowing Systems Manager to assume the role. Attach the latest AmazonSSMManagedInstanceCore managed policy to the role. Configure the SSM service setting 'Default EC2 instance management role' to use this role. ✓
- B. Ensure AWS Config is enabled. Create an AWS Config rule to verify whether the SSM Agent is installed on EC2 instances. Configure the rule to run on EC2 configuration changes. Configure automatic remediation to run the AWS-InstallSSMAgent document to install the SSM Agent.
- C. Configure Systems Manager Patch Manager. Create a patch baseline to automatically install the SSM Agent on all new EC2 instances. Create a patch group for all EC2 instances. Attach the patch baseline to the patch group. Create a maintenance window and maintenance window task to install the SSM Agent daily.
- D. Create an EC2 instance role with a trust policy allowing Amazon EC2 to assume the role. Attach the AmazonSSMManagedInstanceCore managed policy to the role. Ensure AWS Config is enabled. Use the managed AWS Config rule 'EC2InstanceManagedBySSM' to verify whether the role is attached to EC2 instances. Configure the rule to run on EC2 configuration changes. Configure automatic remediation to run the AWS-ConfigureAWSPackageManager SSM document to attach the role to EC2 instances.
Correct Answer: A. Create an IAM role with a trust policy allowing Systems Manager to assume the role. Attach the latest AmazonSSMManagedInstanceCore managed policy to the role. Configure the SSM service setting 'Default EC2 instance management role' to use this role.
Explanation
The scenario involves configuring AWS Systems Manager (SSM) so new EC2 instances are automatically managed upon launch. Answer A focuses on IAM role configuration—the core prerequisite. The IAM role’s trust policy must allow the EC2 service to assume it, and the AmazonSSMManagedInstanceCore policy must be attached to grant SSM required permissions. Setting the Systems Manager default EC2 instance management role ensures the role is applied automatically at instance launch. Other options rely on remediation or non-immediate configurations and do not guarantee management at launch time. AWS documentation emphasizes that EC2 instances require the correct IAM role to interact with SSM; role configuration is foundational. Options B, C, and D involve AWS Config rules, Patch Manager, or automated remediation steps, none of which directly address role assignment at instance launch.