Q63 — AWS DOP-C02 Ch.3

A company has a policy requiring every Amazon EC2 instance to launch from an AMI created by its security team. Each week, the security team emails the development team a release note listing the latest approved AMI IDs. Development teams use AWS CloudFormation to deploy their applications. When launching a new service, developers manually search the email for the latest AMI ID. A DevOps engineer wants to automate the process of delivering AMI IDs from the security team to development teams. What is the most scalable solution to meet these requirements?

Correct Answer: C. Instruct the security team to use Amazon EC2 Image Builder to create new AMIs and store AMI ARNs as parameters in AWS Systems Manager Parameter Store. Instruct developers to specify an SSM parameter type in their CloudFormation stacks to retrieve the latest AMI ARNs from Parameter Store.

Explanation

Amazon EC2 Image Builder is the AWS-recommended, fully managed service for building, validating, and distributing secure, compliant AMIs. AWS Systems Manager Parameter Store provides secure, scalable, versioned, and auditable storage for configuration data such as AMI IDs. CloudFormation natively supports referencing SSM parameters through its SSM parameter types, so the latest value is resolved automatically and dynamically each time a stack is created or updated. This eliminates manual lookups, custom Lambda functions, cross-stack dependencies, and S3 access patterns, reducing complexity and operational overhead. Option C aligns with AWS best practices for infrastructure as code and dynamic parameter management.