Q56 — AWS DOP-C02 Ch.1
A healthcare insurance services company is concerned about rising software licensing costs for an application that monitors patient health. The company wants to create an audit process to ensure the application runs only on Amazon EC2 Dedicated Hosts. A DevOps engineer needs to create a workflow to audit the application and ensure compliance. What steps should the engineer take to meet this requirement with minimal administrative overhead?
- A. Use AWS Systems Manager Compliance. Use calls to the put-compliance-items API to scan and build a database of noncompliant EC2 instances based on host placement. Store these instance IDs in an Amazon DynamoDB table for quick access. Generate reports using the list-compliance-summaries API operation via Systems Manager.
- B. Use custom Java code running on EC2 instances. Scale EC2 Auto Scaling based on the number of instances to check. Send a list of noncompliant EC2 instance IDs to an Amazon SQS queue. Set up another worker instance to process instance IDs from the SQS queue and write them to Amazon DynamoDB. Use an AWS Lambda function to terminate noncompliant instances retrieved from the queue and send notifications to an Amazon SNS email topic.
- C. Use AWS Config. Enable configuration recording for all Amazon EC2 resources in the region to identify all EC2 instances to audit. Create a custom AWS Config rule using the 'config-rule-change-triggered' blueprint to invoke an AWS Lambda function. Modify the Lambda evaluateCompliance() function to verify host placement and return NON_COMPLIANT if the instance is not running on an EC2 Dedicated Host. Use AWS Config reports to identify and resolve noncompliant instances. ✓
- D. Use AWS CloudTrail. Analyze all calls to the EC2 RunCommand API to identify all EC2 instances to audit. Invoke an AWS Lambda function to analyze instance host placement. Store noncompliant EC2 instance IDs in an Amazon RDS MySQL database instance. Generate reports by querying the RDS instance and export results as CSV.
Correct Answer: C. Use AWS Config. Enable configuration recording for all Amazon EC2 resources in the region to identify all EC2 instances to audit. Create a custom AWS Config rule using the 'config-rule-change-triggered' blueprint to invoke an AWS Lambda function. Modify the Lambda evaluateCompliance() function to verify host placement and return NON_COMPLIANT if the instance is not running on an EC2 Dedicated Host. Use AWS Config reports to identify and resolve noncompliant instances.
Explanation
Option C is correct because AWS Config provides native, automated, and scalable compliance auditing of AWS resource configurations, including EC2 instance placement. Enabling configuration recording and creating a custom rule backed by a Lambda evaluator lets the solution continuously detect noncompliant instances (those not running on Dedicated Hosts) and surface the findings in AWS Config reports, with only the small evaluator function as custom code, minimal infrastructure, and little ongoing maintenance. Options A, B, and D introduce unnecessary complexity, custom logic, and additional services to operate, which increases cost, latency, and administrative burden. Option C therefore delivers the lowest operational overhead while meeting the compliance requirement.
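The evaluator logic that option C describes, as an added example rather than code from the exam or from AWS: a Lambda function for a configuration-change-triggered custom Config rule that reports an EC2 instance as NON_COMPLIANT unless its placement tenancy is `host` (a Dedicated Host). The two configuration items at the top are constructed samples; the event shape (`invokingEvent`, `resultToken`) and the `placement.tenancy` field are the standard AWS Config ones.

```python
import json

# Constructed sample configuration items (trimmed to the fields the rule reads).
SAMPLE_ITEMS = {
    "on_host": {
        "resourceType": "AWS::EC2::Instance", "resourceId": "i-0000000000000host",
        "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"placement": {"tenancy": "host", "hostId": "h-0000000000000000"}},
    },
    "shared": {
        "resourceType": "AWS::EC2::Instance", "resourceId": "i-000000000000share",
        "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"placement": {"tenancy": "default"}},
    },
}


def evaluate_compliance(item):
    """Return the Config compliance type for one configuration item."""
    if item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE"
    # A deleted instance has no placement to audit.
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE"
    tenancy = item.get("configuration", {}).get("placement", {}).get("tenancy")
    # Only "host" means a Dedicated Host. "dedicated" is a Dedicated Instance
    # (single-tenant hardware, but not a Dedicated Host) and "default" is shared.
    return "COMPLIANT" if tenancy == "host" else "NON_COMPLIANT"


def build_evaluation(item):
    """Shape one item's result as an entry for PutEvaluations."""
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_compliance(item),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point invoked by AWS Config on each configuration change."""
    invoking_event = json.loads(event["invokingEvent"])  # Config passes this as a JSON string
    evaluation = build_evaluation(invoking_event["configurationItem"])
    import boto3  # imported here so the module loads without the SDK for local tests
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation
```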