Q53 — AWS DOP-C02 Ch.2
A security team is concerned that developers might attach an Elastic IP address to production Amazon EC2 instances. Attaching Elastic IP addresses to instances is prohibited for all developers. If any production server has an Elastic IP address attached at any time, the security team must be notified. How can this task be automated?
- A. Use Amazon Athena to query AWS CloudTrail logs to check for any associate-address attempts. Create an AWS Lambda function to disassociate the Elastic IP address from the instance and alert the security team.
- B. Attach an IAM policy to the developers' IAM group to deny the associate-address permission. Create a custom AWS Config rule to check whether Elastic IP addresses are associated with any instances tagged as production and alert the security team. ✓
- C. Ensure that all IAM groups associated with developers lack the associate-address permission. Create a scheduled AWS Lambda function to check whether Elastic IP addresses are associated with any instances tagged as production, and alert the security team if an instance has an associated Elastic IP address.
- D. Create an AWS Config rule to verify that all production instances have an EC2 IAM role containing a deny permission for associate-address. Validate whether any Elastic IP address is associated with any instance, and alert the security team if an instance has an associated Elastic IP address.
Correct Answer: B. Attach an IAM policy to the developers' IAM group to deny the associate-address permission. Create a custom AWS Config rule to check whether Elastic IP addresses are associated with any instances tagged as production and alert the security team.
Explanation
This question combines AWS permission management with resource configuration monitoring. AWS documentation describes pairing an IAM policy that restricts a specific action with an AWS Config custom rule that continuously evaluates resource state as a common security practice. Option B first explicitly denies developers the associate-address permission via an IAM policy, preventing the action at the source. Second, it uses AWS Config (managed or custom) rules to monitor in real time whether instances tagged as 'production' have Elastic IP addresses associated, meeting the monitoring and alerting requirement. Option C relies on a scheduled Lambda function rather than real-time monitoring, so a violation could go undetected until the next run. Option D incorrectly conflates an instance's IAM role with permission control over who can attach the address, and Option A requires manual or additionally scheduled Athena queries, which is slower and less efficient. Option B alone addresses both permission control and real-time monitoring, the two core requirements of the scenario.
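As an added illustration of option B (not code from the exam page or from AWS), the block below shows the two halves of the control together: the explicit Deny statement for the developers' IAM group, and the evaluation logic of a change-triggered AWS Config custom rule backed by Lambda. The compliance decision is kept in pure functions that take an AWS Config configuration item, so it can be exercised offline against constructed sample items; only `lambda_handler` calls AWS. It assumes production instances are tagged `Environment=production` and that the rule is scoped to `AWS::EC2::Instance`; instance IDs, account ID and IP addresses are placeholders. It goes slightly beyond the question by distinguishing an Elastic IP from an auto-assigned public IP, so the rule does not flag instances that merely have a public address.

```python
"""Added example: detective half of option B as an AWS Config custom rule,
plus the preventive IAM deny statement. Evaluation is pure so it can be
tested offline; only lambda_handler talks to AWS."""
import json
from typing import Any, Dict, Tuple

# Preventive control: explicit Deny for the developers' IAM group.
# Constructed sample policy; the question names the action, not the JSON.
DENY_ASSOCIATE_ADDRESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyElasticIpAssociation",
            "Effect": "Deny",
            "Action": ["ec2:AssociateAddress"],
            "Resource": "*",
        }
    ],
}

# Assumed tagging convention for production instances.
PRODUCTION_TAG_KEY = "Environment"
PRODUCTION_TAG_VALUE = "production"


def is_production(configuration_item: Dict[str, Any]) -> bool:
    """True if the configuration item carries the production tag."""
    tags = configuration_item.get("tags") or {}
    return tags.get(PRODUCTION_TAG_KEY, "").lower() == PRODUCTION_TAG_VALUE


def has_elastic_ip(configuration_item: Dict[str, Any]) -> bool:
    """True if any ENI has a public IP owned by the account.
    EC2 reports auto-assigned public IPs with ipOwnerId "amazon"; an Elastic IP
    shows the owning account ID, which is how the two are told apart."""
    configuration = configuration_item.get("configuration") or {}
    for eni in configuration.get("networkInterfaces") or []:
        association = eni.get("association") or {}
        if association.get("publicIp") and association.get("ipOwnerId") != "amazon":
            return True
    return False


def evaluate(configuration_item: Dict[str, Any]) -> Tuple[str, str]:
    """Return (ComplianceType, Annotation) for one configuration item."""
    if configuration_item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE", "Rule only evaluates EC2 instances"
    if not is_production(configuration_item):
        return "NOT_APPLICABLE", "Instance is not tagged as production"
    if has_elastic_ip(configuration_item):
        return "NON_COMPLIANT", "Production instance has an Elastic IP associated"
    return "COMPLIANT", "No Elastic IP associated"


def build_evaluation(configuration_item: Dict[str, Any]) -> Dict[str, Any]:
    """Shape the result as AWS Config's PutEvaluations expects."""
    compliance, annotation = evaluate(configuration_item)
    return {
        "ComplianceResourceType": configuration_item["resourceType"],
        "ComplianceResourceId": configuration_item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": configuration_item["configurationItemCaptureTime"],
    }


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    """Entry point for a change-triggered custom rule; not exercised offline."""
    import boto3  # imported here so the pure functions work without boto3

    invoking_event = json.loads(event["invokingEvent"])
    evaluation = build_evaluation(invoking_event["configurationItem"])
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


def _instance(tag_value: str, public_ip: str, owner: str) -> Dict[str, Any]:
    """Constructed sample configuration item (IDs and IPs are placeholders)."""
    return {
        "resourceType": "AWS::EC2::Instance",
        "resourceId": "i-0123456789abcdef0",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "tags": {PRODUCTION_TAG_KEY: tag_value},
        "configuration": {
            "networkInterfaces": [
                {"association": {"publicIp": public_ip, "ipOwnerId": owner}}
            ]
        },
    }


PROD_WITH_EIP = _instance("production", "203.0.113.10", "123456789012")
PROD_AUTO_IP = _instance("production", "198.51.100.7", "amazon")
DEV_WITH_EIP = _instance("development", "203.0.113.11", "123456789012")

if __name__ == "__main__":
    for name, item in [("prod+EIP", PROD_WITH_EIP), ("prod auto IP", PROD_AUTO_IP),
                       ("dev+EIP", DEV_WITH_EIP)]:
        print(name, evaluate(item))
```

For the alerting half, AWS Config publishes compliance-change events to Amazon EventBridge; an EventBridge rule matching `NON_COMPLIANT` results for this rule can target an SNS topic the security team subscribes to, so notification follows the evaluation rather than a separate schedule. The Deny statement is the preventive layer: an explicit Deny overrides any Allow a developer might otherwise inherit, which is why option B places it on the group rather than relying on the permission simply being absent.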