Q53 — AWS DOP-C02 Ch.2


A security team is concerned that developers might attach an Elastic IP address to production Amazon EC2 instances. Attaching Elastic IP addresses to instances is prohibited for all developers. If any production server has an Elastic IP address attached at any time, the security team must be notified. How can this task be automated?

Correct Answer: B. Attach an IAM policy to the developers' IAM group to deny the associate-address permission. Create a custom AWS Config rule to check whether Elastic IP addresses are associated with any instances tagged as production and alert the security team.

Explanation

This question primarily involves the combined application of AWS permission management and resource configuration monitoring. AWS documentation states that combining IAM policies to restrict specific actions with AWS Config custom rules for continuous resource state monitoring is a common security practice. Option B first explicitly denies developers the associate-address permission via IAM policy, preventing the action at the source. Second, it uses AWS Config managed or custom rules to monitor in real time whether instances tagged as 'production' are associated with Elastic IP addresses, meeting the requirement for monitoring and alerting. Option C relies on scheduled Lambda functions rather than real-time monitoring, potentially missing timely detection. Option D incorrectly conflates IAM roles with EC2 instance permissions, and Option A requires manual or additional scheduling with Athena queries, resulting in lower efficiency. Option B simultaneously addresses both permission control and real-time monitoring, satisfying the two core requirements in the scenario.
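The two halves of Option B, as an added example that is not part of the exam page: the IAM deny statement for `ec2:AssociateAddress` (the API behind the `associate-address` CLI action), and the evaluation logic of a change-triggered custom AWS Config rule that marks a production instance NON_COMPLIANT when an Elastic IP is attached to it. The example assumes a tagging convention of `Environment=production`, and detects the Elastic IP through the `AWS::EC2::EIP` entry that AWS Config records in the instance's `relationships` list; notifying the security team is left to the usual Config compliance-change event delivered to an SNS topic, which is outside this snippet. The sample configuration items at the bottom are constructed, not real account data.

```python
import json
from typing import Dict, List, Tuple

# IAM policy attached to the developers' group: an explicit Deny wins over
# any Allow, so no developer can call ec2:AssociateAddress (aws ec2 associate-address).
DENY_ASSOCIATE_ADDRESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyElasticIpAssociation",
            "Effect": "Deny",
            "Action": ["ec2:AssociateAddress"],
            "Resource": "*",
        }
    ],
}

# Assumed tagging convention; the question only says "tagged as production".
PRODUCTION_TAG_KEY = "Environment"
PRODUCTION_TAG_VALUE = "production"
EIP_RESOURCE_TYPE = "AWS::EC2::EIP"


def is_production(item: Dict) -> bool:
    """True when the configuration item carries the production tag."""
    tags = item.get("tags") or {}
    return tags.get(PRODUCTION_TAG_KEY) == PRODUCTION_TAG_VALUE


def associated_elastic_ips(item: Dict) -> List[str]:
    """Elastic IP resource ids that AWS Config links to this instance."""
    return [
        rel["resourceId"]
        for rel in item.get("relationships", [])
        if rel.get("resourceType") == EIP_RESOURCE_TYPE
    ]


def evaluate_compliance(item: Dict) -> Tuple[str, str]:
    """Return (ComplianceType, annotation) for one EC2 configuration item."""
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceNotRecorded"):
        return "NOT_APPLICABLE", "Resource deleted or not recorded"
    if item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE", "Not an EC2 instance"
    if not is_production(item):
        return "NOT_APPLICABLE", "Instance is not tagged as production"
    eips = associated_elastic_ips(item)
    if eips:
        return "NON_COMPLIANT", "Elastic IP attached: " + ", ".join(eips)
    return "COMPLIANT", "No Elastic IP attached"


def lambda_handler(event, context):
    """Entry point for a change-triggered custom AWS Config rule."""
    import boto3  # imported here so the evaluation logic stays testable offline

    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event["configurationItem"]
    compliance, annotation = evaluate_compliance(item)
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": annotation[:256],  # Config caps annotations at 256 chars
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return compliance


# Constructed sample configuration items (shape follows Config's EC2 items).
_BASE = {
    "resourceType": "AWS::EC2::Instance",
    "resourceId": "i-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
}
_VPC_REL = {"resourceType": "AWS::EC2::VPC", "resourceId": "vpc-0000aaaa", "name": "Is contained in Vpc"}
_EIP_REL = {"resourceType": "AWS::EC2::EIP", "resourceId": "eipalloc-0a1b2c3d4e5f67890",
            "name": "Is associated with ElasticIp"}

SAMPLE_PROD_WITH_EIP = {**_BASE, "tags": {"Environment": "production", "Name": "web-1"},
                        "relationships": [_VPC_REL, _EIP_REL]}
SAMPLE_PROD_NO_EIP = {**_BASE, "tags": {"Environment": "production", "Name": "web-2"},
                      "relationships": [_VPC_REL]}
SAMPLE_DEV_WITH_EIP = {**_BASE, "tags": {"Environment": "dev", "Name": "sandbox"},
                       "relationships": [_VPC_REL, _EIP_REL]}

if __name__ == "__main__":
    for name, sample in [("prod+eip", SAMPLE_PROD_WITH_EIP), ("prod", SAMPLE_PROD_NO_EIP),
                         ("dev+eip", SAMPLE_DEV_WITH_EIP)]:
        print(name, evaluate_compliance(sample))
```

Because the rule is change-triggered on `AWS::EC2::Instance`, the NON_COMPLIANT evaluation lands within minutes of the association rather than on a schedule, which is the distinction the explanation draws against Option C. The deny policy covers `ec2:AssociateAddress` for both EC2-VPC and instance-level association; if developers also need to be prevented from attaching an address through a network interface they control, scope the deny to the relevant condition keys for your account rather than widening the example blindly.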