Q56 — AWS DOP-C02 Ch.1

A healthcare insurance services company is concerned about rising software licensing costs for an application that monitors patient health. The company wants to create an audit process to ensure the application runs only on Amazon EC2 Dedicated Hosts. A DevOps engineer needs to create a workflow to audit the application and ensure compliance. What steps should the engineer take to meet this requirement with minimal administrative overhead?

Correct Answer: C. Use AWS Config. Enable configuration recording for all Amazon EC2 resources in the region to identify all EC2 instances to audit. Create a custom AWS Config rule using the 'config-rule-change-triggered' blueprint to invoke an AWS Lambda function. Modify the Lambda evaluateCompliance() function to verify host placement and return NON_COMPLIANT if the instance is not running on an EC2 Dedicated Host. Use AWS Config reports to identify and resolve noncompliant instances.

Explanation

Option C is correct because AWS Config provides native, automated, and scalable compliance auditing for AWS resource configurations, including EC2 instance placement. By enabling configuration recording and creating a custom rule backed by a Lambda evaluator, the solution continuously detects noncompliant instances (those not running on Dedicated Hosts) and surfaces the findings in AWS Config reports, with no custom code beyond the Lambda evaluator, minimal infrastructure, and zero ongoing maintenance. Options A, B, and D introduce unnecessary complexity, custom logic, and multiple managed services, which increase cost, latency, and administrative burden. Option C therefore delivers the lowest operational overhead while meeting the compliance requirement.