Learn the best solution to automatically detect and install required software on EC2 instances across multiple AWS accounts using AWS Config, EventBridge, Systems Manager, and Lambda.
Question
A company has AWS accounts in an organization in AWS Organizations. The company needs to install a corporate software package on all Amazon EC2 instances for all the accounts in the organization.
A central account provides base AMIs for the EC2 instances. The company uses AWS Systems Manager for software inventory and patching operations.
A security engineer must implement a solution that detects EC2 instances that do not have the required software. The solution also must automatically install the software if the software is not present.
Which solution will meet these requirements?
A. Provide new AMIs that have the required software pre-installed. Apply a tag to the AMIs to indicate that the AMIs have the required software. Configure an SCP that allows new EC2 instances to be launched only if the instances have the tagged AMIs. Tag all existing EC2 instances.
B. Configure a custom patch baseline in Systems Manager Patch Manager. Add the package name for the required software to the approved packages list. Associate the new patch baseline with all EC2 instances. Set up a maintenance window for software deployment.
C. Centrally enable AWS Config. Set up the ec2-managedinstance-applications-required AWS Config rule for all accounts. Create an Amazon EventBridge rule that reacts to AWS Config events. Configure the EventBridge rule to invoke an AWS Lambda function that uses Systems Manager Run Command to install the required software.
D. Create a new Systems Manager Distributor package for the required software. Specify the download location. Select all EC2 instances in the different accounts. Install the software by using Systems Manager Run Command.
Answer
C. Centrally enable AWS Config. Set up the ec2-managedinstance-applications-required AWS Config rule for all accounts. Create an Amazon EventBridge rule that reacts to AWS Config events. Configure the EventBridge rule to invoke an AWS Lambda function that uses Systems Manager Run Command to install the required software.
Explanation
Here’s why this solution meets the requirements:
- Enabling AWS Config centrally allows you to monitor and evaluate the configuration of EC2 instances across all accounts in the AWS organization. The ec2-managedinstance-applications-required Config rule detects EC2 instances that do not have the required software installed.
- Creating an Amazon EventBridge rule that reacts to AWS Config events allows you to automatically trigger actions when non-compliant EC2 instances are detected. The EventBridge rule is configured to invoke an AWS Lambda function.
- The Lambda function uses AWS Systems Manager Run Command to install the required software on the non-compliant EC2 instances detected by AWS Config. Run Command allows you to remotely and securely manage the configuration of your managed instances at scale.
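The Lambda function at the centre of option C, as an added example that is not part of the original page: it accepts only NON_COMPLIANT compliance-change events from the named Config rule, assumes a remediation role in the member account that owns the instance, and issues a Run Command to install the package. The role name, the installer command, the cross-account role pattern and the event shape (instance id in detail.resourceId) are assumptions.

```python
"""Remediation Lambda: Config rule -> EventBridge -> Lambda -> SSM Run Command (added example)."""
import os

CONFIG_RULE = "ec2-managedinstance-applications-required"
INSTALL_COMMAND = os.environ.get("INSTALL_COMMAND", "sudo yum install -y corp-agent")  # hypothetical
REMEDIATION_ROLE = os.environ.get("REMEDIATION_ROLE", "ConfigRemediationRole")  # hypothetical

def noncompliant_instance(event):
    """Return (account_id, instance_id) for a NON_COMPLIANT evaluation of the rule
    above, else None. Assumes detail.resourceId carries the EC2 instance id."""
    d = event.get("detail", {})
    if (event.get("detail-type") != "Config Rules Compliance Change"
            or d.get("configRuleName") != CONFIG_RULE
            or d.get("newEvaluationResult", {}).get("complianceType") != "NON_COMPLIANT"):
        return None
    instance_id = d.get("resourceId", "")
    if not instance_id.startswith("i-"):
        return None
    return d.get("awsAccountId") or event.get("account"), instance_id

def build_send_command(instance_id):
    """SSM SendCommand request that installs the package on one instance."""
    return {"InstanceIds": [instance_id], "DocumentName": "AWS-RunShellScript",
            "Comment": f"Remediate {CONFIG_RULE}"[:100],  # Comment is capped at 100 chars
            "Parameters": {"commands": [INSTALL_COMMAND]}}

def lambda_handler(event, context):
    """Entry point invoked by the EventBridge rule."""
    match = noncompliant_instance(event)
    if match is None:
        return {"action": "ignored"}
    account_id, instance_id = match
    import boto3  # lazy import so the module loads without the AWS SDK
    # Assume the (hypothetical) remediation role in the member account that owns the instance.
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{REMEDIATION_ROLE}",
        RoleSessionName="config-remediation")["Credentials"]
    ssm = boto3.client("ssm", aws_access_key_id=creds["AccessKeyId"],
                       aws_secret_access_key=creds["SecretAccessKey"],
                       aws_session_token=creds["SessionToken"])
    resp = ssm.send_command(**build_send_command(instance_id))
    return {"action": "install", "instanceId": instance_id,
            "commandId": resp["Command"]["CommandId"]}

# Constructed sample event in the shape of a Config compliance-change notification.
SAMPLE_EVENT = {
    "detail-type": "Config Rules Compliance Change", "source": "aws.config", "account": "111122223333",
    "detail": {"awsAccountId": "111122223333", "configRuleName": CONFIG_RULE,
               "resourceType": "AWS::SSM::ManagedInstanceInventory", "resourceId": "i-0123456789abcdef0",
               "newEvaluationResult": {"complianceType": "NON_COMPLIANT"}}}
```

The EventBridge rule should match `source: aws.config` and `detail-type: Config Rules Compliance Change` so that only compliance events reach the function; the handler still re-checks the rule name and compliance state rather than trusting the routing alone.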
The other options are incorrect because:
- Option A uses tagged AMIs and Service Control Policies (SCPs) to allow launching only EC2 instances with the required software. However, it does not provide a mechanism to automatically install the software on existing non-compliant instances.
- Option B uses Systems Manager Patch Manager to add the required software to the approved packages list. While this ensures that the software is installed during patching operations, it does not actively detect and remediate non-compliant instances.
- Option D uses Systems Manager Distributor to create a package for the required software and installs it using Run Command. However, it lacks an automated mechanism to detect non-compliant instances and trigger the installation process.
In summary, option C provides a comprehensive solution that leverages AWS Config for detection, EventBridge for automated triggering, and Systems Manager Run Command for software installation, ensuring that all EC2 instances across the organization have the required software installed.
Amazon AWS Certified Security – Specialty SCS-C02 certification exam practice question and answer (Q&A) dump with detailed explanation and reference, available free and helpful for passing the Amazon AWS Certified Security – Specialty SCS-C02 exam and earning the Amazon AWS Certified Security – Specialty SCS-C02 certification.