Q86 — AWS DOP-C02 Ch.3


A company operates an AWS account running hundreds of Amazon EC2 instances in one AWS Region. The account launches and terminates new EC2 instances daily. The account also includes existing EC2 instances that have been running for over a week. Company security policy requires all running EC2 instances to use EC2 instance profiles. If an EC2 instance launches without an instance profile, it must use the default instance profile with no assigned IAM permissions. A DevOps engineer reviewed the account and found EC2 instances running without attached instance profiles. During the review period, the engineer observed new EC2 instances launching without instance profiles. Which solution ensures instance profiles are attached to all currently running and future EC2 instances in the Region?

Correct Answer: B. Configure the `ec2-instance-profile-attached` AWS Config managed rule with a configuration change trigger type. Configure an automatic remediation action that invokes an AWS Systems Manager Automation runbook to attach the default instance profile to the EC2 instance.

Explanation

AWS Config continuously evaluates resource compliance and can trigger automated remediation. The `ec2-instance-profile-attached` managed rule checks whether each EC2 instance has an instance profile attached; pairing it with automatic remediation through a Systems Manager Automation runbook ensures that non-compliant instances are corrected. Option B uses AWS Config for real-time, change-triggered monitoring and Systems Manager for reliable, idempotent remediation, so existing and newly launched instances are handled consistently. Options A and C rely on EventBridge, which may miss instances launched outside standard APIs (for example, via the console or CLI without an explicit RunInstances call) and provides no persistent compliance tracking. Option D uses an irrelevant managed rule together with Lambda, which lacks the built-in retry and error handling of Systems Manager Automation.
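One way to build the control described in the correct answer as a CloudFormation template, as an added example that is not part of the exam material: a default instance profile whose role carries no policies, the change-triggered `ec2-instance-profile-attached` managed rule, and automatic remediation through the AWS-owned `AWS-AttachIAMToInstance` runbook. The automation role passed as `AutomationRoleArn` is assumed to exist and needs ec2:AssociateIamInstanceProfile, ec2:DescribeIamInstanceProfileAssociations, iam:GetInstanceProfile and iam:PassRole on the default role; the role name `ec2-default-no-permissions` is a placeholder.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: ec2-instance-profile-attached rule with automatic SSM remediation (added example)
Parameters:
  AutomationRoleArn:            # assumed to exist; see lead-in for its permissions
    Type: String

Resources:
  # The "default instance profile": a role EC2 can assume that carries no policies.
  DefaultInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: ec2-default-no-permissions      # placeholder name
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
  DefaultInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: !Ref DefaultInstanceRole   # same name as the role
      Roles: [!Ref DefaultInstanceRole]

  # Managed rule scoped to EC2 instances. With no MaximumExecutionFrequency it is
  # change-triggered, so new launches and already-running instances are both evaluated.
  InstanceProfileRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: ec2-instance-profile-attached
      Scope: { ComplianceResourceTypes: [AWS::EC2::Instance] }
      Source: { Owner: AWS, SourceIdentifier: EC2_INSTANCE_PROFILE_ATTACHED }

  # Automatic remediation: Config hands each NON_COMPLIANT instance id to the
  # AWS-owned runbook, which attaches the default role's instance profile.
  AttachProfileRemediation:
    Type: AWS::Config::RemediationConfiguration
    DependsOn: DefaultInstanceProfile
    Properties:
      ConfigRuleName: !Ref InstanceProfileRule
      TargetType: SSM_DOCUMENT
      TargetId: AWS-AttachIAMToInstance
      Automatic: true
      MaximumAutomaticAttempts: 3     # retries cover transient failures, e.g. an instance still pending
      RetryAttemptSeconds: 60
      Parameters:
        InstanceId:           { ResourceValue: { Value: RESOURCE_ID } }
        RoleName:             { StaticValue: { Values: [!Ref DefaultInstanceRole] } }
        AutomationAssumeRole: { StaticValue: { Values: [!Ref AutomationRoleArn] } }
```

Instances that already carry a profile are reported COMPLIANT and left alone; only NON_COMPLIANT evaluations start the runbook, so the remediation never replaces an intentionally assigned profile.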