Q99 — AWS DOP-C02 Ch.3

A company uses Amazon EC2 instances as its primary compute platform. A developer team wants to audit the company’s EC2 instances to check whether any prohibited applications are installed on them. Which solution meets this requirement most efficiently?

Correct Answer: B. Configure AWS Systems Manager on each instance. Use Systems Manager Inventory to create an AWS Config rule that monitors changes to Systems Manager Inventory data to identify prohibited applications.

Explanation

AWS Systems Manager Inventory collects software inventory data from EC2 instances; integrating it with AWS Config enables automated, continuous compliance evaluation. AWS Config rules evaluate resource configurations against defined policies and trigger evaluations upon Inventory updates. Option B creates a Config rule based on Systems Manager Inventory data to detect prohibited applications in real time. Option A relies on manual Lambda processing; Option C uses CloudTrail, which tracks API calls rather than application inventory; and Option D requires custom scripting and log analysis, reducing efficiency. This solution aligns with AWS-recommended serverless, automated compliance practices.