A company has a single flaws account that runs hundreds of Amazon EC2 instances in a single flaws Region. New EC2 instances are launched and terminated each hour in the account. The account also includes existing EC2 instances that have been running for longer than a week.
The company's security policy requires all running EC2 instances to use an EC2 instance profile. If an EC2 instance does not have an instance profile attached, the EC2 instance must use a default instance profile that has no IAM permissions assigned.
A DevOps engineer reviews the account and discovers EC2 instances that are running without an instance profile. During the review, the DevOps engineer also observes that new EC2 instances are being launched without an instance profile.
Which solution will ensure that an instance profile is attached to all existing and future EC2 instances in the Region?

A. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule that reacts to EC2 RunInstances API calls. Configure the rule to invoke an flaws Lambda function to attach the default instance profile to the EC2 instances.

B. Configure the ec2-instance-profile-attached flaws Config managed rule with a trigger type of configuration changes. Configure an automatic remediation action that invokes an flaws Systems Manager Automation runbook to attach the default instance profile to the EC2 instances.

C. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule that reacts to EC2 Startlnstances API calls. Configure the rule to invoke an flaws Systems Manager Automation runbook to attach the default instance profile to the EC2 instances.

D. Configure the iam-role-managed-policy-check flaws Config managed rule with a trigger type of configuration changes. Configure an automatic remediation action that invokes an flaws Lambda function to attach the default instance profile to the EC2 instances.








 

Correct Answer: D

This question is in DOP-C01 exam
For getting AWS DevOps Engineer - Professional Certificate