AWS Certified SysOps Administrator – Associate — Question 471
A company has a policy that requires all Amazon EC2 instances to have a specific set of tags. If an EC2 instance does not have the required tags, the noncompliant instance should be terminated.
What is the MOST operationally efficient solution that meets these requirements?
Answer options
- A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to send all EC2 instance state changes to an AWS Lambda function to determine if each instance is compliant. Terminate any noncompliant instances.
- B. Create an IAM policy that enforces all EC2 instance tag requirements. If the required tags are not in place for an instance, the policy will terminate the noncompliant instance.
- C. Create an AWS Lambda function to determine if each EC2 instance is compliant and terminate an instance if it is noncompliant. Schedule the Lambda function to invoke every 5 minutes.
- D. Create an AWS Config rule to check if the required tags are present. If an EC2 instance is noncompliant, invoke an AWS Systems Manager Automation document to terminate the instance.
Correct answer: D
Explanation
AWS Config is designed to continuously monitor resource configurations and evaluate compliance against defined rules, offering built-in remediation via AWS Systems Manager Automation to terminate noncompliant EC2 instances with minimal operational overhead. Options A and C require writing, maintaining, and executing custom AWS Lambda code, which increases operational complexity. Option B is incorrect because IAM policies are used for access control and cannot actively monitor resources or execute automated termination workflows based on compliance state.
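The following CloudFormation template is an added example of option D, not part of the original question bank: the AWS managed `REQUIRED_TAGS` rule scoped to EC2 instances, with automatic remediation through the AWS-owned `AWS-TerminateEC2Instance` Automation document. It assumes the AWS Config recorder is already enabled in the account and region, and the tag keys `CostCenter` and `Owner` are constructed placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  # Managed rule REQUIRED_TAGS marks any EC2 instance missing the listed tag keys noncompliant.
  RequiredTagsRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: ec2-required-tags
      Scope:
        ComplianceResourceTypes: [AWS::EC2::Instance]
      Source:
        Owner: AWS
        SourceIdentifier: REQUIRED_TAGS
      InputParameters:
        tag1Key: CostCenter   # constructed example keys; the rule accepts tag1Key..tag6Key
        tag2Key: Owner
  # Role the Automation document assumes. Beyond TerminateInstances it needs the
  # describe calls the document uses to confirm the instance reached the terminated state.
  RemediationRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: ssm.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: terminate-noncompliant-ec2
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: [ec2:TerminateInstances, ec2:DescribeInstances, ec2:DescribeInstanceStatus]
                Resource: "*"
  # Automatic remediation: Config feeds the noncompliant resource's ID into the
  # AWS-owned AWS-TerminateEC2Instance document, so no custom code is maintained.
  TerminateRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref RequiredTagsRule
      TargetType: SSM_DOCUMENT
      TargetId: AWS-TerminateEC2Instance
      Automatic: true
      MaximumAutomaticAttempts: 3
      RetryAttemptSeconds: 60
      Parameters:
        InstanceId:
          ResourceValue: { Value: RESOURCE_ID }
        AutomationAssumeRole:
          StaticValue: { Values: [!GetAtt RemediationRole.Arn] }
```

Before enabling `Automatic: true` in production, deploy with automatic remediation off and review the rule's compliance results, since any instance missing a required tag will be terminated without further confirmation.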