Q94 — AWS DOP-C02 Ch.2

A company operates a data ingestion application across multiple AWS accounts. These accounts are part of an organization in AWS Organizations. The company needs to monitor the application and consolidate access to it. Currently, the application runs on Amazon EC2 instances across multiple Auto Scaling groups. The EC2 instances cannot access the internet because the data is sensitive. Engineers have deployed required VPC endpoints. The EC2 instances run a custom AMI built specifically for the application. To maintain the application and troubleshoot issues, system administrators need to log in to the EC2 instances. This access must be automated and centrally controlled. Whenever an instance is accessed, the company’s security team must receive a notification. Which solution meets these requirements?

Correct Answer: C. Rebuild the custom AMI using EC2 Image Builder. Include the latest version of the AWS Systems Manager Agent in the image. Configure the Auto Scaling group to attach the AmazonSSMManagedInstanceCore IAM role to all EC2 instances. Use Systems Manager Session Manager to log in to instances. Enable logging of session details to Amazon S3. Create an S3 event notification for new file uploads to send messages to an Amazon Simple Notification Service (Amazon SNS) topic for the security team.

Explanation

Option C is the correct solution. First, rebuilding the custom AMI with EC2 Image Builder and including the latest version of the AWS Systems Manager Agent ensures that every instance launched from the image can be managed by Systems Manager. Second, configuring the Auto Scaling group to attach the AmazonSSMManagedInstanceCore IAM role to all EC2 instances grants the agent the permissions it needs to register with Systems Manager and carry out subsequent management operations. Third, using Systems Manager Session Manager provides centralized, automated, and secure access to the instances without requiring internet access or inbound ports. Fourth, enabling session detail logging to Amazon S3 and configuring an S3 event notification for new uploads to publish to an Amazon SNS topic satisfies the requirement that the security team is notified whenever an instance is accessed. Collectively, Option C fulfills all stated requirements.