Q34 — AWS DOP-C02 Ch.3

A healthcare services company is concerned about escalating software licensing costs for applications that monitor patient health conditions. The company wants to create an audit process to ensure these applications run only on Amazon EC2 Dedicated Hosts. A DevOps engineer needs to build an automated workflow to audit the applications and ensure compliance. What steps should the engineer take to meet this requirement with minimal management overhead?

Correct Answer: C. Use AWS Config. Enable configuration recording for all Amazon EC2 resources in the region to identify all EC2 instances to be audited. Create a custom AWS Config rule using the 'config-rule-change-triggered' Lambda blueprint to invoke an AWS Lambda function. Modify the Lambda evaluateCompliance() function to verify host placement, returning a NON_COMPLIANT result if the instance is not running on an EC2 Dedicated Host. Use AWS Config compliance reports to address noncompliant instances.

Explanation

AWS Config records every AWS::EC2::Instance configuration item in the region, and a change-triggered custom rule invokes the Lambda function whenever an instance is launched or its configuration changes. The function inspects the instance's placement: only tenancy "host" together with a hostId means the instance is on a Dedicated Host (tenancy "dedicated" is a Dedicated Instance, which does not satisfy a Dedicated Host licensing requirement), so anything else is reported as NON_COMPLIANT. Noncompliant instances then appear in the AWS Config compliance dashboard and reports without any additional infrastructure. Option A relies on manual API calls and a database to track results, adding operational complexity. Option B involves custom code and multi-service integration, resulting in high maintenance overhead. Option D depends on after-the-fact CloudTrail log analysis, which is inefficient and cumbersome. AWS Config's built-in compliance evaluation satisfies the minimal management overhead requirement.
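The evaluation function described above, written out as an added example (it is not code from this page or from AWS's Lambda blueprint). It evaluates the configuration item a change-triggered rule receives, treats only tenancy "host" with a hostId as a Dedicated Host, handles deleted and oversized configuration items, and reports the result with PutEvaluations. The field names under configuration.placement and the optional allowedHostIds rule parameter are assumptions to verify against a real AWS::EC2::Instance configuration item; the Config client is injected so the handler can run offline against a fake.

```python
"""Change-triggered AWS Config custom rule: is this EC2 instance on a Dedicated Host?

Added example, not code from the page or the Lambda blueprint. The layout
configuration.placement.{tenancy,hostId} and the 'allowedHostIds' rule
parameter are assumptions; verify the field names against a real
AWS::EC2::Instance configuration item before deploying.
"""
import json

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"


def evaluate_compliance(configuration_item, rule_parameters=None):
    """Return (compliance_type, annotation) for one configuration item."""
    rule_parameters = rule_parameters or {}
    if configuration_item.get("resourceType") != "AWS::EC2::Instance":
        return NOT_APPLICABLE, "Rule evaluates AWS::EC2::Instance only"
    if configuration_item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceNotRecorded"):
        return NOT_APPLICABLE, "Instance is no longer recorded"

    placement = (configuration_item.get("configuration") or {}).get("placement") or {}
    tenancy = placement.get("tenancy", "default")
    host_id = placement.get("hostId")
    # Only tenancy "host" plus a hostId means a Dedicated Host. Tenancy "dedicated"
    # is a Dedicated *Instance*, which gives no host-level licence affinity.
    if tenancy != "host" or not host_id:
        return NON_COMPLIANT, f"tenancy={tenancy}, hostId={host_id or 'none'}"
    # Hypothetical rule parameter: comma-separated list of approved Dedicated Hosts.
    allowed = {h.strip() for h in rule_parameters.get("allowedHostIds", "").split(",") if h.strip()}
    if allowed and host_id not in allowed:
        return NON_COMPLIANT, f"hostId={host_id} is not an approved Dedicated Host"
    return COMPLIANT, f"Running on Dedicated Host {host_id}"


def load_configuration_item(invoking_event, config_client):
    """Return the configuration item. Large items arrive as an 'oversized' notification
    carrying only a summary, so the full item is fetched from the Config history."""
    if invoking_event.get("messageType") == "OversizedConfigurationItemChangeNotification":
        summary = invoking_event["configurationItemSummary"]
        history = config_client.get_resource_config_history(
            resourceType=summary["resourceType"], resourceId=summary["resourceId"], limit=1)
        item = history["configurationItems"][0]
        item["configuration"] = json.loads(item["configuration"])  # API returns it as a JSON string
        return item
    return invoking_event["configurationItem"]


def lambda_handler(event, context, config_client=None):
    """Config custom-rule entry point; returns the evaluation it reported."""
    if config_client is None:
        import boto3  # only needed inside Lambda; a fake client is injected for offline runs
        config_client = boto3.client("config")
    invoking_event = json.loads(event["invokingEvent"])
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    item = load_configuration_item(invoking_event, config_client)
    compliance, annotation = evaluate_compliance(item, rule_parameters)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # PutEvaluations caps Annotation at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


class FakeConfigClient:
    """Stand-in for boto3's Config client so the handler runs offline (constructed)."""

    def __init__(self, history_item=None):
        self.history_item, self.evaluations, self.result_token = history_item, [], None

    def get_resource_config_history(self, **kwargs):
        # Mimic the real API, which serialises 'configuration' as a JSON string.
        return {"configurationItems": [{**self.history_item,
                                        "configuration": json.dumps(self.history_item["configuration"])}]}

    def put_evaluations(self, Evaluations, ResultToken):
        self.evaluations.extend(Evaluations)
        self.result_token = ResultToken
        return {"FailedEvaluations": []}


def make_item(tenancy, host_id=None, resource_id="i-0123456789abcdef0"):
    """Constructed AWS::EC2::Instance configuration item, trimmed to the fields used here."""
    placement = {"availabilityZone": "us-east-1a", "tenancy": tenancy}
    if host_id:
        placement["hostId"] = host_id
    return {"resourceType": "AWS::EC2::Instance", "resourceId": resource_id,
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-05-01T12:00:00.000Z",
            "configuration": {"placement": placement}}


def make_event(invoking_event, rule_parameters=None):
    """Constructed Lambda event in the shape AWS Config sends to a custom rule."""
    return {"invokingEvent": json.dumps(invoking_event),
            "ruleParameters": json.dumps(rule_parameters or {}),
            "resultToken": "constructed-token"}


if __name__ == "__main__":
    fake = FakeConfigClient()
    print(lambda_handler(make_event({"messageType": "ConfigurationItemChangeNotification",
                                     "configurationItem": make_item("default")}), None, fake))
```

Deployed for real, the function needs config:PutEvaluations and config:GetResourceConfigHistory in its execution role, and the rule should be scoped to AWS::EC2::Instance so it is not invoked for every recorded EC2 resource. The NOT_APPLICABLE result for deleted items matters: without it, a terminated instance would keep its last NON_COMPLIANT status in the dashboard.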