AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 337

A company has a single AWS account that runs hundreds of Amazon EC2 instances in a single AWS Region. The company launches and terminates new EC2 instances every hour. The account includes existing EC2 instances that have been running for longer than a week.

The company's security policy requires all running EC2 instances to have an EC2 instance profile attached. The company has created a default EC2 instance profile. The default EC2 instance profile must be attached to any EC2 instances that do not have a profile attached.

Which solution will meet these requirements?

Answer options

Correct answer: B

Explanation

AWS Config can evaluate both existing and newly launched EC2 instances using the 'ec2-instance-profile-attached' managed rule, and then automatically remediate non-compliant instances using a Systems Manager Automation runbook. EventBridge-based solutions (Options A and C) only trigger on new API calls and would miss the existing instances that have been running for over a week. Option D uses the incorrect AWS Config managed rule, which checks IAM roles rather than EC2 instance profiles.
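The explanation above describes the Config rule plus Systems Manager remediation pattern in prose. As an added illustration (not part of the original question or of any AWS sample), the following CloudFormation fragment wires the 'ec2-instance-profile-attached' managed rule to automatic remediation. The rule's source identifier (EC2_INSTANCE_PROFILE_ATTACHED), the runbook name (AWS-AttachIAMToInstance) and its parameter names (InstanceId, RoleName, AutomationAssumeRole) are taken from AWS documentation as I recall it and should be verified against the current docs; the role name, account ID and remediation-role ARN are placeholders. It assumes the AWS Config recorder is already enabled in the account and records AWS::EC2::Instance resources, which is what lets the rule evaluate both the week-old instances and the ones launched every hour.

```yaml
# Added example: AWS Config managed rule + automatic SSM remediation.
# Placeholder values: default-ec2-instance-role, 123456789012, ConfigRemediationRole.
Resources:
  InstanceProfileAttachedRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: ec2-instance-profile-attached
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Instance
      Source:
        Owner: AWS
        # Managed rule: NON_COMPLIANT for any instance with no instance profile.
        SourceIdentifier: EC2_INSTANCE_PROFILE_ATTACHED

  AttachDefaultProfileRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref InstanceProfileAttachedRule
      ResourceType: AWS::EC2::Instance
      TargetType: SSM_DOCUMENT
      # AWS-managed Automation runbook that attaches an IAM role/instance profile
      # to an instance (name assumed from AWS docs; verify in your Region).
      TargetId: AWS-AttachIAMToInstance
      Automatic: true              # remediate without a human clicking "Remediate"
      MaximumAutomaticAttempts: 3  # bounded retries so a stuck instance cannot loop forever
      RetryAttemptSeconds: 60
      Parameters:
        InstanceId:
          ResourceValue:
            Value: RESOURCE_ID     # Config substitutes the non-compliant instance ID
        RoleName:
          StaticValue:
            Values:
              - default-ec2-instance-role   # placeholder: the company's default role
        AutomationAssumeRole:
          StaticValue:
            Values:
              - arn:aws:iam::123456789012:role/ConfigRemediationRole   # placeholder
```

Two practical checks once this is deployed: confirm in the AWS Config console that the rule reports the pre-existing instances (if the recorder was only just turned on, the first evaluation may take a few minutes), and scope the AutomationAssumeRole to the minimum the runbook needs (ec2:AssociateIamInstanceProfile, iam:PassRole on the default role, and the ec2:Describe* calls it uses) rather than a broad administrator policy.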