AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 317
A company uses AWS Systems Manager to manage a fleet of Amazon Linux EC2 instances that have SSM Agent installed. All EC2 instances are configured to use Instance Metadata Service Version 2 (IMDSv2) and are running in the same AWS account and AWS Region. Company policy requires developers to use only Amazon Linux.
The company wants to ensure that all new EC2 instances are automatically managed by Systems Manager after creation.
Which solution will meet these requirements with the MOST operational efficiency?
Answer options
- A. Create an IAM role that has a trust policy that allows Systems Manager to assume the role. Attach the AmazonSSMManagedEC2InstanceDefaultPolicy policy to the role. Configure the default-ec2-instance-management-role SSM service setting to use the role.
- B. Ensure that AWS Config is set up. Create an AWS Config rule that validates if an EC2 instance has SSM Agent installed. Configure the rule to run on EC2 configuration changes. Configure automatic remediation for the rule to run the AWS-InstallSSMAgent SSM document to install SSM Agent.
- C. Configure Systems Manager Patch Manager. Create a patch baseline that automatically installs SSM Agent on all new EC2 instances. Create a patch group for all EC2 instances. Attach the patch baseline to the patch group. Create a maintenance window and maintenance window task to start installing SSM Agent daily.
- D. Create an EC2 instance role that has a trust policy that allows Amazon EC2 to assume the role. Attach the AmazonSSMManagedInstanceCore policy to the role. Ensure that AWS Config is set up. Use the ec2-instance-profile-attached managed AWS Config rule to validate if an EC2 instance has the role attached. Configure the rule to run on EC2 configuration changes. Configure automatic remediation for the rule to run the AWS-SetupManagedRoleOnEc2Instance SSM document to attach the role to the EC2 instance.
Correct answer: A
Explanation
Option A is correct because Default Host Management Configuration (DHMC) lets Systems Manager manage every EC2 instance in an account and Region without an instance profile on each instance, which gives the highest operational efficiency. DHMC works by assuming a role that trusts the Systems Manager service principal (not Amazon EC2), and it requires that instances run IMDSv2 with a DHMC-capable SSM Agent. Because the Amazon Linux instances already ship with SSM Agent and are configured for IMDSv2, DHMC applies as soon as the default-ec2-instance-management-role service setting points at a role that carries the AmazonSSMManagedEC2InstanceDefaultPolicy. Options B, C, and D are incorrect because they add unnecessary operational overhead (AWS Config rules, remediation runbooks, or Patch Manager tasks) to install or wire up an agent that is already present.
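The following script is an added example that is not part of the original question or of any AWS-provided material; it shows the three steps behind option A as AWS CLI calls. The role name, account ID and Region are placeholders chosen here, and the account/Region conditions in the trust policy are a defensive addition that limits which Systems Manager calls may assume the role. The AWS calls run only when the script is invoked with the argument `apply`, so the file can be sourced and inspected without credentials.

```shell
#!/bin/sh
# Enable Default Host Management Configuration (DHMC) for an account/Region.
# Added example; role name, account ID and Region below are placeholders.
set -eu

DHMC_ROLE_NAME="${DHMC_ROLE_NAME:-ExampleDhmcRole}"         # placeholder role name
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"                   # placeholder account
REGION="${AWS_REGION:-us-east-1}"                          # placeholder Region
DHMC_POLICY_ARN="arn:aws:iam::aws:policy/AmazonSSMManagedEC2InstanceDefaultPolicy"
DHMC_SETTING_ID="/ssm/managed-instance/default-ec2-instance-management-role"

# Trust policy: the role is assumed by the Systems Manager service, not by EC2,
# which is why no per-instance profile is needed. The conditions pin the
# trusting account and Region so the role cannot be assumed on another
# account's behalf (confused-deputy protection).
dhmc_trust_policy() {
  account="$1"
  region="$2"
  printf '%s\n' \
    '{' \
    '  "Version": "2012-10-17",' \
    '  "Statement": [{' \
    '    "Effect": "Allow",' \
    '    "Principal": { "Service": "ssm.amazonaws.com" },' \
    '    "Action": "sts:AssumeRole",' \
    '    "Condition": {' \
    "      \"StringEquals\": { \"aws:SourceAccount\": \"$account\" }," \
    "      \"ArnEquals\": { \"aws:SourceArn\": \"arn:aws:ssm:$region:$account:*\" }" \
    '    }' \
    '  }]' \
    '}'
}

# Step 1: create the role with the trust policy above.
# Step 2: attach the AWS managed DHMC policy.
# Step 3: point the SSM service setting at the role (by name, not ARN).
configure_dhmc() {
  dhmc_trust_policy "$ACCOUNT_ID" "$REGION" > /tmp/dhmc-trust.json
  aws iam create-role \
    --role-name "$DHMC_ROLE_NAME" \
    --assume-role-policy-document file:///tmp/dhmc-trust.json
  aws iam attach-role-policy \
    --role-name "$DHMC_ROLE_NAME" \
    --policy-arn "$DHMC_POLICY_ARN"
  aws ssm update-service-setting \
    --setting-id "$DHMC_SETTING_ID" \
    --setting-value "$DHMC_ROLE_NAME"
}

# Verification: confirm the setting took effect, then list instances that
# Systems Manager now reports as managed (new IMDSv2 instances with SSM Agent
# appear here without any instance profile).
verify_dhmc() {
  aws ssm get-service-setting --setting-id "$DHMC_SETTING_ID"
  aws ssm describe-instance-information \
    --query 'InstanceInformationList[].[InstanceId,PingStatus,AgentVersion]' \
    --output table
}

if [ "${1:-}" = "apply" ]; then
  configure_dhmc
  verify_dhmc
fi
```

Run it as `sh dhmc.sh apply` with credentials that can create IAM roles and update SSM service settings. Because the setting is account- and Region-scoped, it must be repeated in every Region where instances run; an instance that already has an instance profile with AmazonSSMManagedInstanceCore keeps using that profile, and DHMC covers only instances without one.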