Q38 — AWS DOP-C02 Ch.2
A company operates a data ingestion application across multiple AWS accounts within an AWS Organization. The company needs to monitor the application and consolidate access to it. Currently, the application runs on Amazon EC2 instances in an Auto Scaling group. The EC2 instances cannot access the internet because the data is sensitive. Engineers have deployed necessary VPC endpoints. The EC2 instances run a custom AMI built specifically for the application. For maintenance and troubleshooting, system administrators need to log in to the EC2 instances. This access must be automated and centrally controlled. Each time an instance is accessed, the company’s security team must receive a notification.
- A. Create an Amazon EventBridge rule to notify the security team when a user logs into an EC2 instance. Use EC2 Instance Connect to log in to the instance. Deploy the Auto Scaling group using AWS CloudFormation. Use the cfn-init helper script to deploy appropriate VPC routing for external access. Rebuild the custom AMI to include the AWS Systems Manager Agent.
- B. Deploy a NAT gateway and a bastion host with internet access. Create a security group allowing inbound traffic from the bastion host to all EC2 instances. Install the AWS Systems Manager Agent on all EC2 instances. Use Auto Scaling group lifecycle hooks to monitor and audit access. Log in to instances using Systems Manager Session Manager. Send logs to an Amazon CloudWatch Logs log group. Export data to Amazon S3 for auditing. Use S3 event notifications to alert the security team.
- C. Rebuild the custom AMI using EC2 Image Builder. Include the latest version of the AWS Systems Manager Agent in the image. Configure the Auto Scaling group to attach the AmazonSSMManagedInstanceCore IAM role to all EC2 instances. Use Systems Manager Session Manager to log in to instances. Log session details to Amazon S3. Create S3 event notifications for new file uploads to send messages to the security team via an Amazon Simple Notification Service (Amazon SNS) topic. ✓
- D. Use AWS Systems Manager Automation to build the Systems Manager Agent into the custom AMI. Configure AWS Config to attach a Service Control Policy (SCP) to the root organizational unit to allow EC2 instances to connect to Systems Manager. Use Systems Manager Session Manager to log in to instances. Log session details to Amazon S3. Create S3 event notifications for new file uploads to send messages to the security team via an Amazon SNS topic.
Correct Answer: C. Rebuild the custom AMI using EC2 Image Builder. Include the latest version of the AWS Systems Manager Agent in the image. Configure the Auto Scaling group to attach the AmazonSSMManagedInstanceCore IAM role to all EC2 instances. Use Systems Manager Session Manager to log in to instances. Log session details to Amazon S3. Create S3 event notifications for new file uploads to send messages to the security team via an Amazon Simple Notification Service (Amazon SNS) topic.
Explanation
AWS Systems Manager Session Manager gives shell access to EC2 instances without SSH ports, key pairs, bastion hosts or internet egress. The SSM Agent on the instance opens outbound connections to the Systems Manager service; in a VPC with no internet route that means interface endpoints for ssm, ssmmessages and ec2messages, plus a gateway endpoint for S3 so the agent can upload session logs. Option C supplies the three things that make this work: an AMI rebuilt with EC2 Image Builder so the agent is present and current, an instance profile whose role carries the AmazonSSMManagedInstanceCore managed policy (the option calls this "the IAM role"; the managed policy is what grants the agent permission to register with Systems Manager and open sessions), and Session Manager preferences that write each session's transcript to an S3 bucket. An S3 event notification on that bucket publishes to an SNS topic, so the security team hears about every session. Access is centrally controlled through IAM, by which principals may call ssm:StartSession and against which instances, rather than through per-instance credentials, and the same pattern is repeatable in every account of the Organization.

Two caveats the option's wording glosses over. Session logging to S3 is not automatic: it is configured in Session Manager preferences (the SSM-SessionManagerRunShell session document), and the instance role additionally needs s3:PutObject on the log prefix and s3:GetEncryptionConfiguration on the bucket. Second, the S3 log object is written when the session ends, so the SNS message arrives at session close rather than at login; a team that needs an alert when the session starts would add an EventBridge rule matching the StartSession API call recorded by CloudTrail, which the question does not require.

Why the other options fail: Option A deploys "VPC routing for external access" and relies on EC2 Instance Connect, which needs SSH reachability, both contradicting the no-internet requirement. Option B introduces a NAT gateway and an internet-facing bastion host, exactly the exposure the question rules out, and uses Auto Scaling lifecycle hooks, which fire on instance launch and termination, not on user logins. Option D is not implementable as written: AWS Config does not attach SCPs (that is an AWS Organizations function), and an SCP can only restrict permissions, never grant them, so it cannot "allow" instances to reach Systems Manager; that permission has to come from the instance profile. Only Option C meets every requirement using IAM roles, VPC endpoints and Session Manager.
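The Option C wiring as one deployable CloudFormation template. This is an added example written for this page, not code from the question set or from AWS. It assumes the VPC (with DNS hostnames and DNS support enabled), private subnets and route tables already exist and are passed in as parameters, that the custom AMI has already been produced by an EC2 Image Builder pipeline with the SSM Agent installed (the pipeline itself is not shown), an instance type of t3.small, a VPC CIDR default of 10.0.0.0/16, and bucket, prefix and resource names of my own choosing.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - Session Manager over VPC endpoints, S3 session logs, SNS alert to security team
Parameters:
  VpcId: { Type: AWS::EC2::VPC::Id }
  VpcCidr: { Type: String, Default: 10.0.0.0/16 }         # assumed VPC range
  PrivateSubnetIds: { Type: List<AWS::EC2::Subnet::Id> }
  PrivateRouteTableIds: { Type: CommaDelimitedList }
  CustomAmiId: { Type: AWS::EC2::Image::Id }               # Image Builder output with SSM Agent baked in
  SecurityTeamEmail: { Type: String }
Resources:
  # Private path to Systems Manager: three interface endpoints, no NAT gateway, no internet gateway
  EndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from the VPC to the Systems Manager endpoints
      VpcId: !Ref VpcId
      SecurityGroupIngress: [{ IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: !Ref VpcCidr }]
  SsmEndpoint:            # API endpoint the agent registers against
    Type: AWS::EC2::VPCEndpoint
    Properties: { VpcId: !Ref VpcId, ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ssm', VpcEndpointType: Interface, PrivateDnsEnabled: true, SubnetIds: !Ref PrivateSubnetIds, SecurityGroupIds: [!Ref EndpointSecurityGroup] }
  SsmMessagesEndpoint:    # Session Manager data channel
    Type: AWS::EC2::VPCEndpoint
    Properties: { VpcId: !Ref VpcId, ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ssmmessages', VpcEndpointType: Interface, PrivateDnsEnabled: true, SubnetIds: !Ref PrivateSubnetIds, SecurityGroupIds: [!Ref EndpointSecurityGroup] }
  Ec2MessagesEndpoint:    # agent control channel
    Type: AWS::EC2::VPCEndpoint
    Properties: { VpcId: !Ref VpcId, ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ec2messages', VpcEndpointType: Interface, PrivateDnsEnabled: true, SubnetIds: !Ref PrivateSubnetIds, SecurityGroupIds: [!Ref EndpointSecurityGroup] }
  S3Endpoint:             # gateway endpoint so the agent can upload session logs without internet
    Type: AWS::EC2::VPCEndpoint
    Properties: { VpcId: !Ref VpcId, ServiceName: !Sub 'com.amazonaws.${AWS::Region}.s3', VpcEndpointType: Gateway, RouteTableIds: !Ref PrivateRouteTableIds }
  # Alerting: object written under session-logs/ -> SNS -> security team
  SecurityAlertTopic:
    Type: AWS::SNS::Topic
    Properties: { Subscription: [{ Protocol: email, Endpoint: !Ref SecurityTeamEmail }] }
  SecurityAlertTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics: [!Ref SecurityAlertTopic]
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: s3.amazonaws.com }
            Action: sns:Publish
            Resource: !Ref SecurityAlertTopic
            Condition:    # only this account's log bucket may publish (bucket name is fixed below)
              StringEquals: { 'aws:SourceAccount': !Ref AWS::AccountId }
              ArnLike: { 'aws:SourceArn': !Sub 'arn:aws:s3:::${AWS::StackName}-session-logs-${AWS::AccountId}' }
  SessionLogBucket:
    Type: AWS::S3::Bucket
    DependsOn: SecurityAlertTopicPolicy   # S3 validates the topic policy when the notification is attached
    Properties:
      BucketName: !Sub '${AWS::StackName}-session-logs-${AWS::AccountId}'
      BucketEncryption: { ServerSideEncryptionConfiguration: [{ ServerSideEncryptionByDefault: { SSEAlgorithm: AES256 } }] }
      PublicAccessBlockConfiguration: { BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true }
      NotificationConfiguration:
        TopicConfigurations:
          - Event: s3:ObjectCreated:*
            Topic: !Ref SecurityAlertTopic
            Filter: { S3Key: { Rules: [{ Name: prefix, Value: session-logs/ }] } }
  # Session Manager preferences: every session transcript is written to the bucket (not on by default)
  SessionManagerPreferences:
    Type: AWS::SSM::Document
    Properties:
      Name: SSM-SessionManagerRunShell    # fixed name Session Manager reads for its account-level defaults
      DocumentType: Session
      Content:
        schemaVersion: '1.0'
        description: Session Manager preferences (added example)
        sessionType: Standard_Stream
        inputs: { s3BucketName: !Ref SessionLogBucket, s3KeyPrefix: session-logs/, s3EncryptionEnabled: true, runAsEnabled: false }
  # Instance identity: the managed policy the option names, plus the rights needed to upload logs
  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument: { Version: '2012-10-17', Statement: [{ Effect: Allow, Principal: { Service: ec2.amazonaws.com }, Action: 'sts:AssumeRole' }] }
      ManagedPolicyArns: ['arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore']
      Policies:
        - PolicyName: SessionLogUpload
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - { Effect: Allow, Action: 's3:PutObject', Resource: !Sub '${SessionLogBucket.Arn}/session-logs/*' }
              - { Effect: Allow, Action: 's3:GetEncryptionConfiguration', Resource: !GetAtt SessionLogBucket.Arn }
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties: { Roles: [!Ref InstanceRole] }
  LaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        ImageId: !Ref CustomAmiId
        InstanceType: t3.small                        # assumed
        IamInstanceProfile: { Arn: !GetAtt InstanceProfile.Arn }
        MetadataOptions: { HttpTokens: required }     # IMDSv2 only; no SSH key pair, no public IP
  IngestionAsg:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      VPCZoneIdentifier: !Ref PrivateSubnetIds
      MinSize: '1'
      MaxSize: '3'
      LaunchTemplate: { LaunchTemplateId: !Ref LaunchTemplate, Version: !GetAtt LaunchTemplate.LatestVersionNumber }
```

Deploy it in each member account (or as a StackSet across the Organization), confirm the SNS email subscription, and an administrator whose IAM policy allows ssm:StartSession on the target instances runs `aws ssm start-session --target <instance-id>` from a workstation that can reach the public Systems Manager endpoint; the instance side never needs internet. Central control lives in that administrator-side policy (ssm:StartSession can be scoped by instance tag) rather than on the instances. The security team's notification arrives when the session ends and its transcript lands under session-logs/; if an alert at session start is required, add an EventBridge rule on the CloudTrail StartSession event alongside this template.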