AWS Certified SysOps Administrator – Associate — Question 454
A SysOps administrator maintains the security and compliance of a company's AWS account. To ensure the company's Amazon EC2 instances follow company policy, the SysOps administrator wants to terminate any EC2 instance that does not contain a department tag. Noncompliant resources must be terminated in near-real time.
Which solution will meet these requirements?
Answer options
- A. Create an AWS Config rule with the required-tags managed rule to identify noncompliant resources. Configure automatic remediation to run the AWS-TerminateEC2Instance automation document to terminate noncompliant resources.
- B. Create a new Amazon EventBridge (Amazon CloudWatch Events) rule to monitor when new EC2 instances are created. Send the event to a Simple Notification Service (Amazon SNS) topic for automatic remediation.
- C. Ensure all users who can create EC2 instances also have the permissions to use the ec2:CreateTags and ec2:DescribeTags actions. Change the instance's shutdown behavior to terminate.
- D. Ensure AWS Systems Manager Compliance is configured to manage the EC2 instances. Call the AWS-StopEC2Instances automation document to stop noncompliant resources.
Correct answer: A
Explanation
AWS Config allows for the continuous monitoring of resource configurations against desired settings, such as checking for specific tags via the required-tags managed rule. By pairing this rule with automatic remediation using the AWS-TerminateEC2Instance Systems Manager automation document, noncompliant instances can be terminated in near-real time. The other options are incorrect because Amazon SNS cannot directly remediate resources without a computing service like Lambda, changing IAM permissions does not actively enforce tag presence, and stopping instances via Systems Manager does not meet the requirement to terminate them.
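The following CloudFormation template is an added example of the solution in option A; it is not part of the original question and not an AWS-published template. It assumes an AWS Config recorder is already enabled in the account, and the rule name, role name and remediation retry values are illustrative choices. The required-tags managed rule evaluates each EC2 instance for a tag key of `department`, and the remediation configuration runs the AWS-TerminateEC2Instance Systems Manager automation document automatically against the noncompliant resource ID, under a role scoped to the two EC2 actions that document needs.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the question bank): terminate EC2 instances that lack
  a "department" tag using AWS Config required-tags plus automatic remediation.

Resources:
  # Role assumed by Systems Manager Automation when the remediation runs.
  # Name and scope are assumptions for this example.
  TerminateUntaggedInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: ConfigRemediationTerminateUntaggedEc2
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ssm.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: TerminateOnly
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Least privilege: the document only needs to look up and terminate.
              - Effect: Allow
                Action:
                  - ec2:DescribeInstances
                  - ec2:TerminateInstances
                Resource: "*"

  # Managed rule: flags any EC2 instance missing the "department" tag key.
  RequireDepartmentTagRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: ec2-require-department-tag
      Description: EC2 instances must carry a department tag.
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Instance
      InputParameters:
        tag1Key: department
      Source:
        Owner: AWS
        SourceIdentifier: REQUIRED_TAGS

  # Automatic remediation: pass the noncompliant resource ID to the
  # AWS-TerminateEC2Instance document. Retry values are example choices.
  TerminateUntaggedInstanceRemediation:
    Type: AWS::Config::RemediationConfiguration
    DependsOn: RequireDepartmentTagRule
    Properties:
      ConfigRuleName: ec2-require-department-tag
      ResourceType: AWS::EC2::Instance
      TargetType: SSM_DOCUMENT
      TargetId: AWS-TerminateEC2Instance
      Automatic: true
      MaximumAutomaticAttempts: 3
      RetryAttemptSeconds: 60
      Parameters:
        InstanceId:
          ResourceValue:
            Value: RESOURCE_ID
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !GetAtt TerminateUntaggedInstanceRole.Arn
```

Because the required-tags rule is change-triggered, a newly launched instance is evaluated as soon as AWS Config records its configuration item, which is what gives the near-real-time behaviour the question asks for. Since the action is destructive, a common practice is to deploy first with `Automatic: false`, confirm the evaluations only flag the intended instances, then switch to automatic remediation.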