A company has a requirement that only allows specially hardened AMIs to be launched into…

Question

A company has a requirement that only allows specially hardened AMIs to be launched into public subnets in a VPC, and for the AMIs to be associated with a specific security group. Allowing non-compliant instances to launch into the public subnet could present a significant security risk if they are allowed to operate.
A mapping of approved AMIs to subnets to security groups exists in an Amazon DynamoDB table in the same AWS account. The company created an AWS
Lambda function that, when invoked, will terminate a given Amazon EC2 instance if the combination of AMI, subnet, and security group are not approved in the
DynamoDB table.
What should the Solutions Architect do to MOST quickly mitigate the risk of compliance deviations?

Accepted Answer

Correct answer: D. D. Create an Amazon CloudWatch Events rule that matches each time an EC2 instance is launched, and associate it with the Lambda function as the target. — Triggering an Amazon CloudWatch Events (or EventBridge) rule on any EC2 instance launch provides near-real-time invocation of the Lambda function, allowing it to immediately evaluate and terminate non-compliant instances. Option A is incorrect because filtering only for allowed AMIs would fail to capture and terminate instances launched with unapproved AMIs, which represent the actual security risk. Options B and C rely on AWS CloudTrail, which introduces operational latency and is not fast enough to prevent non-compliant instances from running for several minutes.

AWS Certified Solutions Architect – Professional — Question 918

Answer options

Correct answer: D

Explanation