Q49 — AWS DOP-C02 Ch.3
A company operates a data ingestion application across multiple AWS accounts within an organization in AWS Organizations. The company needs to monitor the application and consolidate access to it. Currently, the application runs on Amazon EC2 instances across multiple Auto Scaling groups. The EC2 instances cannot access the internet because the data is sensitive. Engineers have deployed required VPC endpoints. The EC2 instances run a custom AMI built specifically for the application.
- A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to notify the security team when users log in to EC2 instances. Use EC2 Instance Connect to log in to instances. Use AWS CloudFormation to deploy the Auto Scaling group. Use the cfn-init helper script to deploy appropriate VPC routes for external access. Rebuild the custom AMI to include the AWS Systems Manager Agent.
- B. Deploy a NAT gateway and an internet-facing bastion host. Create a security group allowing inbound traffic from the bastion host to all EC2 instances. Install the AWS Systems Manager Agent on all EC2 instances. Use Auto Scaling group lifecycle hooks to monitor and audit access. Use Systems Manager Session Manager to log in to instances. Send logs to a log group in Amazon CloudWatch Logs. Export data to Amazon S3 for auditing. Use S3 event notifications to send alerts to the security team.
- C. Rebuild the custom AMI using EC2 Image Builder. Include the latest version of the AWS Systems Manager Agent in the image. Configure the Auto Scaling group to attach the AmazonSSMManagedInstanceCore role to all EC2 instances. Use Systems Manager Session Manager to log in to instances. Enable logging of session details to Amazon S3. Create S3 notifications for new file uploads to send messages via an Amazon Simple Notification Service (Amazon SNS) topic to the security team.
- D. Use AWS Systems Manager Automation to build the Systems Manager Agent into the custom AMI. Configure AWS Config to attach a Service Control Policy (SCP) to the root organizational unit to allow EC2 instances to connect to Systems Manager. Use Systems Manager Session Manager to log in to instances. Enable logging of session details to Amazon S3. Create S3 notifications for new file uploads to send messages via an Amazon Simple Notification Service (Amazon SNS) topic to the security team. ✓
Correct Answer: D. Use AWS Systems Manager Automation to build the Systems Manager Agent into the custom AMI. Configure AWS Config to attach a Service Control Policy (SCP) to the root organizational unit to allow EC2 instances to connect to Systems Manager. Use Systems Manager Session Manager to log in to instances. Enable logging of session details to Amazon S3. Create S3 notifications for new file uploads to send messages via an Amazon Simple Notification Service (Amazon SNS) topic to the security team.
Explanation
Option D satisfies the requirements with a complete solution: it builds the Systems Manager Agent into the custom AMI, uses Systems Manager Session Manager for instance access without opening inbound ports or internet routes, logs session details to Amazon S3, and notifies the security team through Amazon SNS when new session logs arrive. This gives automated, centrally controlled access to the EC2 instances while the security team receives timely notifications. The other options either omit critical components or violate the stated constraints: they require internet access (breaking the no-internet requirement for the sensitive data) or lack SCP enforcement for cross-account governance across the organization.