Q63 — AWS DOP-C02 Ch.3
A company has a policy requiring every Amazon EC2 instance to launch from an AMI created by its security team. Each week, the security team emails the development team a release note listing the latest approved AMI IDs. Development teams use AWS CloudFormation to deploy their applications. When launching a new service, developers manually search the email for the latest AMI ID. A DevOps engineer wants to automate the process of delivering AMI IDs from the security team to development teams. What is the most scalable solution to meet these requirements?
- A. Instruct the security team to use CloudFormation to create new AMI versions and list AMI ARNs in an encrypted Amazon S3 object as part of stack outputs. Instruct developers to use cross-stack references to load the encrypted S3 object and retrieve the latest AMI ID.
- B. Instruct the security team to use a CloudFormation stack to create an AWS CodePipeline that builds new AMIs and stores the latest AMI ARNs in an encrypted Amazon S3 object as pipeline output. Instruct developers to use cross-stack references in their own CloudFormation templates to fetch the S3 object location and latest AMI ARNs.
- C. Instruct the security team to use Amazon EC2 Image Builder to create new AMIs and store AMI ARNs as parameters in AWS Systems Manager Parameter Store. Instruct developers to specify an SSM parameter type in their CloudFormation stacks to retrieve the latest AMI ARNs from Parameter Store. ✓
- D. Instruct the security team to use Amazon EC2 Image Builder to create new AMIs and create an Amazon Simple Notification Service (Amazon SNS) topic so each development team receives notifications. When teams receive notifications, instruct them to write an AWS Lambda function to update their CloudFormation stacks with the latest AMI ARNs.
Correct Answer: C. Instruct the security team to use Amazon EC2 Image Builder to create new AMIs and store AMI ARNs as parameters in AWS Systems Manager Parameter Store. Instruct developers to specify an SSM parameter type in their CloudFormation stacks to retrieve the latest AMI ARNs from Parameter Store.
Explanation
Amazon EC2 Image Builder is the AWS-managed service for building, validating, and distributing secure, compliant AMIs, so the security team can produce approved images on a pipeline instead of by hand. AWS Systems Manager Parameter Store provides secure, scalable, versioned, and auditable storage for configuration data such as AMI IDs, and access to write a parameter can be restricted to the security team with IAM. CloudFormation natively supports the SSM parameter type (for an AMI, AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>): the template names the parameter, and CloudFormation resolves its current value each time the stack is created or updated. This eliminates manual lookups, custom Lambda functions, cross-stack dependencies, and S3 access patterns, reducing complexity and operational overhead. Option C aligns with AWS best practices for infrastructure as code and dynamic parameter management.
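The pattern in option C, as an added illustration that is not part of the original question or of any AWS documentation: the security team writes the latest approved AMI ID to a Parameter Store parameter (the parameter name /security/approved-ami/linux/latest is an assumed example), and a development team's template declares a parameter of the SSM type so CloudFormation resolves the AMI ID for it at deploy time.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example, not from the page. Launches an EC2 instance from the
  security team's latest approved AMI, resolved from Parameter Store.

Parameters:
  ApprovedAmiParameter:
    # SSM parameter type: the template holds the parameter NAME, and
    # CloudFormation fetches the parameter VALUE (an AMI ID) on every
    # create or update. The name below is an assumed convention.
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /security/approved-ami/linux/latest
    Description: Parameter Store path published by the security team

  InstanceType:
    Type: String
    Default: t3.micro

Resources:
  AppInstance:
    Type: AWS::EC2::Instance
    Properties:
      # !Ref on an SSM-typed parameter yields the resolved AMI ID,
      # not the parameter path.
      ImageId: !Ref ApprovedAmiParameter
      InstanceType: !Ref InstanceType
      Tags:
        - Key: ApprovedAmiSource
          Value: !Ref ApprovedAmiParameter

Outputs:
  ResolvedAmiId:
    # Surfaces which AMI the stack actually launched, useful for audit
    # and for confirming a roll-forward after the parameter changes.
    Description: AMI ID resolved from Parameter Store at deploy time
    Value: !Ref ApprovedAmiParameter
```

The security team's side is a single write, for example `aws ssm put-parameter --name /security/approved-ami/linux/latest --type String --value <new AMI ID> --overwrite` after an Image Builder pipeline run. Two practical points: the parameter must be a String (CloudFormation's SSM parameter types do not resolve SecureString values), and the value is read only when a stack is created or updated, so teams pick up a newly approved AMI by running a stack update. Restricting ssm:PutParameter on the /security/ path to the security team's role is what keeps developers from pointing the template at an unapproved image.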