Q49 — AWS DOP-C02 Ch.3

A company operates a data ingestion application across multiple AWS accounts within an organization in AWS Organizations. The company needs to monitor the application and consolidate access to it. Currently, the application runs on Amazon EC2 instances across multiple Auto Scaling groups. The EC2 instances cannot access the internet because the data is sensitive. Engineers have deployed required VPC endpoints. The EC2 instances run a custom AMI built specifically for the application.

Correct Answer: D. Use AWS Systems Manager Automation to build the Systems Manager Agent into the custom AMI. Configure AWS Config to attach a Service Control Policy (SCP) to the root organizational unit to allow EC2 instances to connect to Systems Manager. Use Systems Manager Session Manager to log in to instances. Enable logging of session details to Amazon S3. Create S3 notifications for new file uploads to send messages via an Amazon Simple Notification Service (Amazon SNS) topic to the security team.

Explanation

Option D satisfies the requirements: it builds the Systems Manager Agent into the custom AMI, uses Systems Manager Session Manager for secure instance access, logs session details to Amazon S3, and notifies the security team via Amazon SNS when new session logs are uploaded. This gives automated, centrally controlled access to the EC2 instances while the security team receives timely notifications. The other options either omit critical components or violate a stated constraint, such as requiring internet access (the instances must not reach the internet) or lacking SCP enforcement for cross-account governance.