DOP-C02 Question #128: Real Exam Question with Answer & Explanation
Correct answer: C (rebuild the custom AMI with EC2 Image Builder, including the current AWS Systems Manager Agent).
Question
A company has a data ingestion application that runs across multiple AWS accounts. The accounts are in an organization in AWS Organizations. The company needs to monitor the application and consolidate access to the application. Currently, the company is running the application on Amazon EC2 instances from several Auto Scaling groups. The EC2 instances have no access to the internet because the data is sensitive. Engineers have deployed the necessary VPC endpoints. The EC2 instances run a custom AMI that is built specifically for the application. To maintain and troubleshoot the application, system administrators need the ability to log in to the EC2 instances. This access must be automated and controlled centrally. The company's security team must receive a notification whenever the instances are accessed. Which solution will meet these requirements?
Options
- A. Create an Amazon EventBridge rule to send notifications to the security team whenever a user logs in
- B. Deploy a NAT gateway and a bastion host that has internet access. Create a security group that
- C. Use EC2 Image Builder to rebuild the custom AMI. Include the most recent version of AWS Systems
- D. Use AWS Systems Manager Automation to build Systems Manager Agent into the custom AMI.
Explanation
Rebuilding the custom AMI with EC2 Image Builder and baking in the most recent AWS Systems Manager Agent gives every instance launched by the Auto Scaling groups a current agent without any post-launch download. The launch template used by the Auto Scaling groups then attaches an instance profile whose role carries the AmazonSSMManagedInstanceCore managed policy, so the agent can register with Systems Manager over the ssm, ssmmessages and ec2messages VPC endpoints the engineers already deployed; no internet egress is needed. Administrators log in with Session Manager, and access is controlled centrally through IAM permissions on ssm:StartSession rather than through SSH keys or security group rules. For the notification requirement, Session Manager preferences are set to log every session to an Amazon S3 bucket (the instance role must also be allowed to write to that bucket, and an S3 gateway endpoint must be reachable), and an S3 event notification on object creation publishes to an Amazon SNS topic that the security team subscribes to. Each session therefore produces both an audit log and an alert. Option B fails the isolation requirement outright, because a NAT gateway and an internet-facing bastion host give the sensitive workload a path to the internet.
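The following CloudFormation template is an added example, not part of the exam page or of any AWS-provided material. It wires together the pieces the explanation describes once the Image Builder pipeline has produced the AMI: an instance profile with AmazonSSMManagedInstanceCore plus the S3 write permission session logging needs, a launch template for the Auto Scaling groups, an encrypted private log bucket whose object-created events publish to an SNS topic, and the regional Session Manager preferences document that streams every session into that bucket. The AMI ID, bucket name and security-team address are parameters and are assumptions; the template also assumes the private subnets already have the Systems Manager interface endpoints and an S3 gateway endpoint, as the question states.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not from the exam page): Session Manager access to isolated
  EC2 instances, with session logs written to S3 and an SNS alert per upload.

Parameters:
  AmiId:            # assumed: output of the EC2 Image Builder pipeline, current SSM Agent baked in
    Type: AWS::EC2::Image::Id
  LogBucketName:    # assumed: globally unique bucket name
    Type: String
  SecurityTeamEmail:
    Type: String

Resources:
  # Role assumed by the instances. The managed policy lets the agent register with
  # Systems Manager; the inline policy lets it upload session logs to the bucket.
  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
      Policies:
        - PolicyName: SessionLogUpload
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: s3:PutObject
                Resource: !Sub arn:aws:s3:::${LogBucketName}/sessions/*
              - Effect: Allow
                Action: s3:GetEncryptionConfiguration
                Resource: !Sub arn:aws:s3:::${LogBucketName}
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [!Ref InstanceRole]

  # Launch template referenced by the Auto Scaling groups: custom AMI, SSM role, no key pair.
  LaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        ImageId: !Ref AmiId
        IamInstanceProfile: { Arn: !GetAtt InstanceProfile.Arn }

  # Alert channel for the security team. S3 may publish only for this bucket in this account.
  AccessAlerts:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - { Protocol: email, Endpoint: !Ref SecurityTeamEmail }
  AccessAlertsPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics: [!Ref AccessAlerts]
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: s3.amazonaws.com }
            Action: sns:Publish
            Resource: !Ref AccessAlerts
            Condition:
              ArnLike: { aws:SourceArn: !Sub arn:aws:s3:::${LogBucketName} }
              StringEquals: { aws:SourceAccount: !Ref AWS::AccountId }

  # Encrypted, non-public log bucket. Each new session log triggers the SNS notification.
  SessionLogBucket:
    Type: AWS::S3::Bucket
    DependsOn: AccessAlertsPolicy
    Properties:
      BucketName: !Ref LogBucketName
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault: { SSEAlgorithm: AES256 }
      PublicAccessBlockConfiguration:
        { BlockPublicAcls: true, BlockPublicPolicy: true,
          IgnorePublicAcls: true, RestrictPublicBuckets: true }
      NotificationConfiguration:
        TopicConfigurations:
          - Event: s3:ObjectCreated:*
            Topic: !Ref AccessAlerts
            Filter:
              S3Key:
                Rules: [{ Name: prefix, Value: sessions/ }]

  # Regional Session Manager preferences: every session in this region is logged to the bucket.
  SessionManagerPreferences:
    Type: AWS::SSM::Document
    Properties:
      Name: SSM-SessionManagerRunShell
      DocumentType: Session
      Content:
        schemaVersion: '1.0'
        description: Session Manager preferences, all sessions logged to S3
        sessionType: Standard_Stream
        inputs:
          s3BucketName: !Ref LogBucketName
          s3KeyPrefix: sessions
          s3EncryptionEnabled: true
          cloudWatchLogGroupName: ''
          cloudWatchEncryptionEnabled: false
          cloudWatchStreamingEnabled: false
          idleSessionTimeout: '20'
          runAsEnabled: false
          runAsDefaultUser: ''
          shellProfile: { linux: '', windows: '' }
```

Two caveats when deploying this. The preferences document must be named SSM-SessionManagerRunShell for Session Manager to pick it up, and a document with that name already exists in any region where someone has saved preferences from the console, so the stack creation fails there until that document is deleted or imported. The session log is uploaded when the session ends, so the SNS alert arrives at session close; if the team needs an alert at session start as well, a separate EventBridge rule on the CloudTrail StartSession event is the usual complement, which this template does not include.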