Q94 — AWS DOP-C02 Ch.2
A company operates a data ingestion application across multiple AWS accounts. These accounts are part of an organization in AWS Organizations. The company needs to monitor the application and consolidate access to it. Currently, the application runs on Amazon EC2 instances across multiple Auto Scaling groups. The EC2 instances cannot access the internet because the data is sensitive. Engineers have deployed required VPC endpoints. The EC2 instances run a custom AMI built specifically for the application. To maintain the application and troubleshoot issues, system administrators need to log in to the EC2 instances. This access must be automated and centrally controlled. Whenever an instance is accessed, the company’s security team must receive a notification. Which solution meets these requirements?
- A. Create an Amazon EventBridge rule to notify the security team when a user logs into an EC2 instance. Use EC2 Instance Connect to log in to the instance. Deploy the Auto Scaling group using AWS CloudFormation. Use the cfn-init helper script to deploy appropriate VPC routing for external access. Rebuild the custom AMI to include the AWS Systems Manager Agent.
- B. Deploy a NAT gateway and an internet-facing bastion host. Create a security group allowing inbound traffic from the bastion host to all EC2 instances. Install the AWS Systems Manager Agent on all EC2 instances. Use Auto Scaling group lifecycle hooks to monitor and audit access. Use Systems Manager Session Manager to log in to instances. Send logs to a log group in Amazon CloudWatch Logs. Export data to Amazon S3 for auditing. Use S3 event notifications to notify the security team.
- C. Rebuild the custom AMI using EC2 Image Builder. Include the latest version of the AWS Systems Manager Agent in the image. Configure the Auto Scaling group to attach the AmazonSSMManagedInstanceCore IAM role to all EC2 instances. Use Systems Manager Session Manager to log in to instances. Enable logging of session details to Amazon S3. Create an S3 event notification for new file uploads to send messages to an Amazon Simple Notification Service (Amazon SNS) topic for the security team. ✓
- D. Use AWS Systems Manager Automation to build the Systems Manager Agent into the custom AMI. Configure AWS Config to attach a service control policy (SCP) to the root organizational unit to allow EC2 instances to connect to Systems Manager. Use Systems Manager Session Manager to log in to instances. Enable logging of session details to Amazon S3. Create an S3 event notification for new file uploads to send messages to an Amazon Simple Notification Service (Amazon SNS) topic for the security team.
Correct Answer: C. Rebuild the custom AMI using EC2 Image Builder. Include the latest version of the AWS Systems Manager Agent in the image. Configure the Auto Scaling group to attach the AmazonSSMManagedInstanceCore IAM role to all EC2 instances. Use Systems Manager Session Manager to log in to instances. Enable logging of session details to Amazon S3. Create an S3 event notification for new file uploads to send messages to an Amazon Simple Notification Service (Amazon SNS) topic for the security team.
Explanation
Option C is the correct solution. First, rebuilding the custom AMI with EC2 Image Builder and including the latest version of the AWS Systems Manager Agent ensures the agent is present on every instance the Auto Scaling groups launch, so the instances can be managed without any manual installation step. Second, configuring the Auto Scaling group to attach the AmazonSSMManagedInstanceCore IAM role to all EC2 instances grants the agent the permissions it needs to register with and be managed by Systems Manager. Third, using Systems Manager Session Manager provides centralized, automated, and secure login to the instances. Fourth, enabling session-detail logging to Amazon S3 and configuring an S3 event notification that publishes to an Amazon SNS topic ensures the security team is notified each time a session log is written, that is, each time an instance is accessed. Collectively, Option C satisfies all of the stated requirements.