Q91 — AWS DOP-C02 Ch.1
A company operates hundreds of Amazon EC2 instances in a single AWS Region within one AWS account. New EC2 instances are launched and terminated daily in this account. Some EC2 instances have been running for more than one week. The company’s security policy requires all running EC2 instances to use an EC2 instance profile. If an EC2 instance launches without an instance profile attached, it uses the default instance profile with no assigned IAM permissions. A DevOps engineer audits the account and discovers EC2 instances running without attached instance profiles. During the review period, the engineer also observes new EC2 instances launching without instance profiles.
- A. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule that responds to EC2 RunInstances API calls. Configure the rule to invoke an AWS Lambda function that attaches the default instance profile to the EC2 instance.
- B. Configure the ec2-instance-profile-attached AWS Config managed rule with configuration change trigger type. Configure auto-remediation action to invoke an AWS Systems Manager Automation runbook that attaches the default instance profile to the EC2 instance. ✓
- C. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule that responds to EC2 StartInstances API calls. Configure the rule to invoke an AWS Systems Manager Automation runbook that attaches the default instance profile to the EC2 instance.
- D. Configure the iam-role-managed-policy-check AWS Config managed rule with configuration change trigger type. Configure auto-remediation action to invoke an AWS Lambda function that attaches the default instance profile to the EC2 instance.
Correct Answer: B. Configure the ec2-instance-profile-attached AWS Config managed rule with configuration change trigger type. Configure auto-remediation action to invoke an AWS Systems Manager Automation runbook that attaches the default instance profile to the EC2 instance.
Explanation
Option B is the most secure and appropriate solution: AWS Config's ec2-instance-profile-attached managed rule detects noncompliant EC2 instances at launch (configuration change trigger) and invokes Systems Manager Automation for remediation, which gives consistent, auditable, and idempotent attachment of the default instance profile to both existing and newly launched instances. Option A relies on RunInstances events but may miss instances launched before the rule was created or via alternate paths, and Lambda-based remediation lacks built-in retry and execution visibility. Option C triggers only on StartInstances, so it misses instances launched without profiles. Option D uses an irrelevant IAM rule and Lambda, which is less robust than Systems Manager Automation for instance-level remediation.
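The following is an added example, not part of the exam page, showing what option B looks like as boto3 request payloads: the managed rule scoped to EC2 instances (which is the configuration change trigger) plus an automatic remediation that runs the AWS managed runbook AWS-AttachIAMToInstance against each noncompliant instance. The default role name and the automation-assume role ARN are placeholders.

```python
"""Added example (not from the exam page): AWS Config rule + auto-remediation
for option B, expressed as boto3 request shapes. Placeholders: the default
role name and the AutomationAssumeRole ARN."""

RULE_NAME = "ec2-instance-profile-attached"
# AWS managed Automation runbook that attaches an IAM role/instance profile to an instance.
RUNBOOK = "AWS-AttachIAMToInstance"


def build_config_rule(rule_name: str = RULE_NAME) -> dict:
    """Managed rule evaluated whenever an AWS::EC2::Instance configuration changes."""
    return {
        "ConfigRuleName": rule_name,
        "Source": {"Owner": "AWS", "SourceIdentifier": "EC2_INSTANCE_PROFILE_ATTACHED"},
        # Scoping to the instance resource type is what makes this a
        # configuration-change trigger: every launch re-evaluates the new instance.
        "Scope": {"ComplianceResourceTypes": ["AWS::EC2::Instance"]},
    }


def build_remediation(rule_name: str, default_role: str, automation_role_arn: str) -> dict:
    """Automatic remediation: run the runbook on each NON_COMPLIANT instance, with retries."""
    return {
        "ConfigRuleName": rule_name,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": RUNBOOK,
        "Automatic": True,  # no human has to click "Remediate" in the console
        "MaximumAutomaticAttempts": 3,
        "RetryAttemptSeconds": 60,
        "Parameters": {
            # Config substitutes RESOURCE_ID with the id of the noncompliant instance.
            "InstanceId": {"ResourceValue": {"Value": "RESOURCE_ID"}},
            "RoleName": {"StaticValue": {"Values": [default_role]}},
            # Role that Systems Manager assumes to run the runbook (placeholder ARN).
            "AutomationAssumeRole": {"StaticValue": {"Values": [automation_role_arn]}},
        },
    }


def apply(default_role: str, automation_role_arn: str, client=None) -> None:
    """Push both pieces with the real AWS Config API (requires AWS credentials)."""
    if client is None:
        import boto3  # imported lazily so the payload builders work offline
        client = boto3.client("config")
    client.put_config_rule(ConfigRule=build_config_rule())
    client.put_remediation_configurations(
        RemediationConfigurations=[build_remediation(RULE_NAME, default_role, automation_role_arn)]
    )
```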