AWS Certified Security – Specialty — Question 54
The InfoSec team has mandated that in the future only approved Amazon Machine Images (AMIs) can be used.
How can the InfoSec team ensure compliance with this mandate?
Answer options
- A. Terminate all Amazon EC2 instances and relaunch them with approved AMIs.
- B. Patch all running instances by using AWS Systems Manager.
- C. Deploy AWS Config rules and check all running instances for compliance.
- D. Define a metric filter in Amazon CloudWatch Logs to verify compliance.
Correct answer: C
Explanation
The correct answer is C because deploying AWS Config rules allows continuous monitoring and compliance checks of all running instances against the approved AMIs. Option A is incorrect because terminating and relaunching instances is not a sustainable compliance solution. Option B is incorrect because patching running instances does not ensure that only approved AMIs are used. Option D is incorrect because a CloudWatch Logs metric filter, while useful for monitoring, does not provide a comprehensive compliance verification method.