Q38 — AWS DOP-C02 Ch.2

Question 38 of 100, Chapter 2

A company operates a data ingestion application across multiple AWS accounts within an AWS Organization. The company needs to monitor the application and consolidate access to it. Currently, the application runs on Amazon EC2 instances in an Auto Scaling group. The EC2 instances cannot access the internet because the data is sensitive. Engineers have deployed necessary VPC endpoints. The EC2 instances run a custom AMI built specifically for the application. For maintenance and troubleshooting, system administrators need to log in to the EC2 instances. This access must be automated and centrally controlled. Each time an instance is accessed, the company’s security team must receive a notification.

Correct Answer: C. Rebuild the custom AMI using EC2 Image Builder. Include the latest version of the AWS Systems Manager Agent in the image. Configure the Auto Scaling group to attach the AmazonSSMManagedInstanceCore IAM role to all EC2 instances. Use Systems Manager Session Manager to log in to instances. Log session details to Amazon S3. Create S3 event notifications for new file uploads to send messages to the security team via an Amazon Simple Notification Service (Amazon SNS) topic.

Explanation

AWS Systems Manager (SSM) Session Manager provides shell access to EC2 instances without inbound ports, SSH keys, or internet access: the SSM Agent reaches the Systems Manager service through the VPC endpoints the engineers have already deployed (the ssm, ssmmessages, and ec2messages endpoints are the ones Session Manager requires). Rebuilding the custom AMI with EC2 Image Builder ensures every instance launched by the Auto Scaling group carries a current SSM Agent, and the AmazonSSMManagedInstanceCore role gives that agent the permissions it needs to register with Systems Manager and open sessions. With session logging enabled in the Session Manager preferences, each session's details are written to S3; an S3 event notification on the log bucket then publishes to an SNS topic, so the security team is notified every time an instance is accessed. This approach avoids bastion hosts and NAT gateways while satisfying the no-internet, centralized-control, and audit requirements. Option B violates the no-internet constraint; Option D misapplies SCPs at the organization level rather than directly configuring the Auto Scaling group. Only Option C fulfills all requirements using IAM roles and VPC endpoints.