Q73 — AWS DOP-C02 Ch.2


A company’s development teams manage a set of accounts inherited from a previous organization. These accounts reside within an organization in AWS Organizations. The company needs a solution to ensure that all Amazon EC2 instances use only approved AMIs managed by developers. The solution must automatically remediate the use of unapproved, noncompliant systems. Individual account administrators must not be able to disable enforcement of approved-system usage.

Correct Answer: D. Enable AWS Systems Manager Automation Compliance across the organization. Create a compliance pack that uses approved AMIs and deploy it across the organization. Configure the rule to run the AWS-STOP2EC2Instances Systems Manager Automation runbook for noncompliant EC2 instances.

Explanation

AWS Systems Manager Automation Compliance and compliance packs enable centralized definition and deployment of compliance policies to ensure that all EC2 instances use only approved AMIs. Deploying a compliance pack organization-wide enforces the rules across all member accounts, and local administrators cannot override them. AWS Systems Manager Automation runbooks can automatically remediate noncompliant instances, for example by stopping unauthorized instances. This solution integrates AWS Config rules, compliance packs, and automated remediation, satisfying the requirements for centralized governance, automatic correction, and prevention of local override. Option D aligns with AWS documentation on automated compliance configuration and organization-wide deployment.