Q34 — AWS DOP-C02 Ch.3
Question 34 of 100
A healthcare services company is concerned about escalating software licensing costs for applications that monitor patient health conditions. The company wants to create an audit process to ensure these applications run only on Amazon EC2 Dedicated Hosts. A DevOps engineer needs to build an automated workflow to audit the applications and ensure compliance. What steps should the engineer take to meet this requirement with minimal management overhead?
- A. Use AWS Systems Manager Compliance. Use calls to the put-compliance-items API operation to scan and build a database of noncompliant EC2 instances based on host placement configuration. Store these instance IDs in an Amazon DynamoDB table for fast access. Generate reports via Systems Manager by calling the list-compliance-summaries API operation.
- B. Use custom Java code running on EC2 instances. Set up EC2 Auto Scaling based on the number of instances to check. Send a list of noncompliant EC2 instance IDs to an Amazon SQS queue. Set up another worker instance to process instance IDs from the SQS queue and write them to Amazon DynamoDB. Use an AWS Lambda function to terminate noncompliant instances retrieved from the queue and send notifications to an Amazon SNS email topic.
- C. Use AWS Config. Enable configuration recording for all Amazon EC2 resources in the region to identify all EC2 instances to be audited. Create a custom AWS Config rule using the 'config-rule-change-trigger' blueprint to invoke an AWS Lambda function. Modify the Lambda evaluateCompliance() function to verify host placement, returning a NON_COMPLIANT result if the instance is not running on an EC2 Dedicated Host. Use AWS Config reports to address noncompliant instances. ✓
- D. Use AWS CloudTrail. Identify all EC2 instances to be audited by analyzing all calls to the EC2 RunCommand API operation. Invoke an AWS Lambda function to analyze the instance's host placement. Store the EC2 instance IDs of noncompliant resources in an Amazon RDS for MySQL DB instance. Generate reports by querying the RDS instance and exporting results to a CSV text file.
Correct Answer: C. Use AWS Config. Enable configuration recording for all Amazon EC2 resources in the region to identify all EC2 instances to be audited. Create a custom AWS Config rule using the 'config-rule-change-trigger' blueprint to invoke an AWS Lambda function. Modify the Lambda evaluateCompliance() function to verify host placement, returning a NON_COMPLIANT result if the instance is not running on an EC2 Dedicated Host. Use AWS Config reports to address noncompliant instances.
Explanation
AWS Config continuously monitors EC2 resource configurations and automatically triggers a Lambda function via a custom rule to validate whether instances are deployed on Dedicated Hosts. Noncompliant instances are flagged and reported by AWS Config without requiring additional infrastructure. Option A relies on manual API calls and database management, increasing complexity. Option B involves custom code and multi-service integration, resulting in high maintenance overhead. Option D depends on CloudTrail log analysis, which is inefficient and cumbersome. AWS Config’s built-in compliance checking mechanism satisfies the minimal management overhead requirement.
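The Lambda-backed check that the correct answer describes, written out as an added example (this is illustrative code, not from the original question set and not an AWS-published rule). It assumes the standard change-triggered AWS Config invocation shape (`invokingEvent` JSON string carrying a `configurationItem`, plus a `resultToken`) and reads the instance's `placement.tenancy` and `placement.hostId` from the recorded configuration; the sample event at the bottom is constructed by hand.

```python
"""Change-triggered AWS Config custom rule: an EC2 instance is COMPLIANT only when
it is placed on a Dedicated Host (tenancy 'host' with a hostId).
Added example, not code from the original page or from AWS; sample event is constructed."""
import json

DEDICATED_HOST_TENANCY = "host"  # EC2 placement tenancy value used for Dedicated Hosts


def evaluate_compliance(configuration_item):
    """Return (compliance_type, annotation) for one AWS Config configuration item."""
    if configuration_item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE", "Rule only evaluates EC2 instances"
    if configuration_item.get("configurationItemStatus") in (
        "ResourceDeleted", "ResourceDeletedNotRecorded"
    ):
        return "NOT_APPLICABLE", "Instance has been deleted"
    placement = (configuration_item.get("configuration") or {}).get("placement") or {}
    tenancy = placement.get("tenancy", "default")
    host_id = placement.get("hostId")
    # 'dedicated' (Dedicated Instance) is deliberately NOT accepted: only a
    # Dedicated Host gives the physical-server affinity the licensing audit needs.
    if tenancy == DEDICATED_HOST_TENANCY and host_id:
        return "COMPLIANT", f"Instance runs on Dedicated Host {host_id}"
    return "NON_COMPLIANT", (
        f"Instance tenancy is '{tenancy}'; placement on a Dedicated Host (tenancy 'host') is required"
    )


def build_evaluation(event):
    """Parse the Config invoking event and build the evaluation passed to PutEvaluations."""
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event["configurationItem"]
    compliance_type, annotation = evaluate_compliance(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance_type,
        "Annotation": annotation[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Lambda entry point: evaluate the changed instance and report back to AWS Config."""
    import boto3  # imported here so the evaluation logic above is testable offline

    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation["ComplianceType"]


# Constructed sample event: a default-tenancy instance, so the rule must flag it.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0example0000000001",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {
                "placement": {"tenancy": "default", "availabilityZone": "us-east-1a"}
            },
        },
        "messageType": "ConfigurationItemChangeNotification",
    }),
    "ruleParameters": "{}",
    "resultToken": "constructed-token",
}


def sample_compliance():
    """Convenience wrapper: compliance type for the constructed sample event."""
    return build_evaluation(SAMPLE_EVENT)["ComplianceType"]


if __name__ == "__main__":
    print(build_evaluation(SAMPLE_EVENT))
```

Two caveats worth keeping in the rule: a Dedicated Instance (tenancy `dedicated`) is not a Dedicated Host, and per-socket or per-core licensing typically requires the `host` tenancy, so the check must not treat the two as equivalent; and deleted instances should be reported as `NOT_APPLICABLE` rather than `NON_COMPLIANT`, otherwise the compliance report fills with resources that no longer exist.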