Q73 — AWS DOP-C02 Ch.2
A company’s development teams manage a set of accounts inherited from a previous organization. These accounts reside within an organization in AWS Organizations. The company needs a solution to ensure all Amazon EC2 instances use only approved AMIs managed by developers. The solution must automatically remediate usage of unapproved, noncompliant systems. Individual account administrators must not be able to disable enforcement of approved noncompliant system usage.
- A. Use AWS CloudFormation StackSets to deploy Amazon EventBridge rules to each account. Configure the rule to respond to AWS CloudTrail events for Amazon EC2 and send notifications to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the DevOps team’s email address to the topic.
- B. Use AWS CloudFormation StackSets to deploy AWS Config managed rules to each account monthly. Configure the rule against an approved list of noncompliant systems. Configure the rule to run the AWS-STOP2EC2Instances Systems Manager Automation runbook for noncompliant EC2 instances.
- C. Create an AWS Lambda function for Amazon EC2 to process AWS CloudTrail events. Configure the Lambda function to send notifications to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the DevOps team’s email address to the topic. Deploy the Lambda function in each account in the organization. Create an Amazon EventBridge rule in each account. Configure the EventBridge rule for AWS CloudTrail events for Amazon EC2 and invoke the Lambda function.
- D. Enable AWS Systems Manager Automation Compliance across the organization. Create a compliance pack that uses approved AMIs and deploy it across the organization. Configure the rule to run the AWS-STOP2EC2Instances Systems Manager Automation runbook for noncompliant EC2 instances.
Correct Answer: D.
Explanation
AWS Systems Manager Automation Compliance and compliance packs allow compliance policies to be defined once and deployed centrally, so that every EC2 instance is checked against the approved AMI list. Deploying the compliance pack organization-wide applies the rules to all member accounts, and because the deployment is owned at the organization level rather than in each account, local administrators cannot disable or delete it. AWS Systems Manager Automation runbooks then remediate noncompliant instances automatically, for example by stopping an instance launched from an unapproved AMI, without waiting for a human to act on a notification. This combination of AWS Config rules, compliance packs, and automated remediation satisfies all three requirements: centralized governance, automatic correction, and prevention of local override. Options A and C only notify the DevOps team and do not remediate, and option B relies on per-account StackSets deployments that account administrators could alter. Option D aligns with AWS documentation on automated compliance configuration and organization-wide deployment.