AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 214
A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company needs an automated process across all AWS accounts to isolate any compromised Amazon EC2 instances when the instances receive a specific tag.
Which combination of steps will meet these requirements? (Choose two.)
Answer options
- A. Use AWS CloudFormation StackSets to deploy the CloudFormation stacks in all AWS accounts.
- B. Create an SCP that has a Deny statement for the ec2:* action with a condition of "aws:RequestTag/isolation": false.
- C. Attach the SCP to the root of the organization.
- D. Create an AWS CloudFormation template that creates an EC2 instance role that has no IAM policies attached. Configure the template to have a security group that has an explicit Deny rule on all traffic. Use the CloudFormation template to create an AWS Lambda function that attaches the IAM role to instances. Configure the Lambda function to add a network ACL. Set up an Amazon EventBridge rule to invoke the Lambda function when a specific tag is applied to a compromised EC2 instance.
- E. Create an AWS CloudFormation template that creates an EC2 instance role that has no IAM policies attached. Configure the template to have a security group that has no inbound rules or outbound rules. Use the CloudFormation template to create an AWS Lambda function that attaches the IAM role to instances. Configure the Lambda function to replace any existing security groups with the new security group. Set up an Amazon EventBridge rule to invoke the Lambda function when a specific tag is applied to a compromised EC2 instance.
Correct answer: A, E
Explanation
Option A is correct because using AWS CloudFormation StackSets allows for the deployment of consistent configurations across multiple accounts. Option E is also correct as it ensures the compromised EC2 instances are isolated by applying a security group with no rules, effectively blocking all traffic. Options B, C, and D do not directly address the requirement for automated isolation in the specified manner.