
DVA-C02: How to Collect EC2 Instance Lifecycle Events in a Single SQS Queue

Learn how to use Amazon EventBridge and Amazon SQS to collect and process EC2 instance lifecycle events from multiple AWS accounts. Compare different solutions and find out which one meets your requirements.


Question

A company is running Amazon EC2 instances in multiple AWS accounts. A developer needs to implement an application that collects all the lifecycle events of the EC2 instances. The application needs to store the lifecycle events in a single Amazon Simple Queue Service (Amazon SQS) queue in the company’s main AWS account for further processing.

Which solution will meet these requirements?

A. Configure Amazon EC2 to deliver the EC2 instance lifecycle events from all accounts to the Amazon EventBridge event bus of the main account. Add an EventBridge rule to the event bus of the main account that matches all EC2 instance lifecycle events. Add the SQS queue as a target of the rule.

B. Use the resource policies of the SQS queue in the main account to give each account permissions to write to that SQS queue. Add to the Amazon EventBridge event bus of each account an EventBridge rule that matches all EC2 instance lifecycle events. Add the SQS queue in the main account as a target of the rule.

C. Write an AWS Lambda function that scans through all EC2 instances in the company accounts to detect EC2 instance lifecycle changes. Configure the Lambda function to write a notification message to the SQS queue in the main account if the function detects an EC2 instance lifecycle change. Add an Amazon EventBridge scheduled rule that invokes the Lambda function every minute.

D. Configure the permissions on the main account event bus to receive events from all accounts. Create an Amazon EventBridge rule in each account to send all the EC2 instance lifecycle events to the main account event bus. Add an EventBridge rule to the main account event bus that matches all EC2 instance lifecycle events. Set the SQS queue as a target for the rule.

Answer

B. Use the resource policies of the SQS queue in the main account to give each account permissions to write to that SQS queue. Add to the Amazon EventBridge event bus of each account an EventBridge rule that matches all EC2 instance lifecycle events. Add the SQS queue in the main account as a target of the rule.

Explanation

The correct answer is B.

To implement an application that collects all the lifecycle events of the EC2 instances in multiple AWS accounts, the developer can use Amazon EventBridge and Amazon SQS. Amazon EventBridge is a service that enables you to connect your applications with data from a variety of sources. Amazon SQS is a service that provides a fully managed message queue for storing messages as they travel between applications or microservices.

To use EventBridge and SQS to collect EC2 instance lifecycle events, the developer can follow these steps:

  • Create an SQS queue in the main AWS account and configure its resource policy to allow other AWS accounts to send messages to it. The resource policy is a JSON document that defines who can access the queue and what actions they can perform. The developer can use the Principal element to specify the other accounts or IAM roles that are allowed to send messages to the queue.
  • Create an EventBridge rule in each AWS account that matches all EC2 instance lifecycle events. The rule is a set of conditions that determine which events are routed to which targets. The developer can use the Source element to specify “aws.ec2” as the source of the events, and the DetailType element to specify “EC2 Instance State-change Notification” as the type of the events.
  • Add the SQS queue in the main AWS account as a target of the rule. The target is where EventBridge sends events that match the rule. The developer can use the Arn element to specify the Amazon Resource Name (ARN) of the SQS queue.
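The three steps above, worked through as an added example that is not part of the original post: a Python script (no AWS calls, no boto3) that builds the queue resource policy and the rule's event pattern, filters a few constructed sample events the way the source-account rule would, and audits a queue policy for grants broader than this design needs. Account ids, the region, and the queue and rule names are constructed placeholders. The policy grants `sqs:SendMessage` to the `events.amazonaws.com` service principal with an `aws:SourceArn` condition on each source account's rule ARN, which is how EventBridge delivers to a cross-account SQS target and keeps the grant narrower than trusting whole accounts.

```python
import json

# Constructed sample values (not from the page): one main account, two source
# accounts, one region, and hypothetical queue and rule names.
MAIN_ACCOUNT = "999999999999"
SOURCE_ACCOUNTS = ["111111111111", "222222222222"]
REGION = "us-east-1"
QUEUE_ARN = f"arn:aws:sqs:{REGION}:{MAIN_ACCOUNT}:ec2-lifecycle-events"
RULE_NAME = "ec2-lifecycle-to-main"


def rule_arn(account_id: str) -> str:
    """ARN of the forwarding rule created in a source account (hypothetical name)."""
    return f"arn:aws:events:{REGION}:{account_id}:rule/{RULE_NAME}"


def build_event_pattern() -> dict:
    """Event pattern for the rule in each source account: only EC2 state changes."""
    return {
        "source": ["aws.ec2"],
        "detail-type": ["EC2 Instance State-change Notification"],
    }


def build_queue_policy(queue_arn: str, source_accounts: list) -> dict:
    """Resource policy for the main-account queue.

    EventBridge delivers to SQS targets as the events.amazonaws.com service
    principal, so the grant goes to that principal and is scoped with
    aws:SourceArn to the specific rule in each source account.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": f"AllowEventBridgeRuleFrom{acct}",
                "Effect": "Allow",
                "Principal": {"Service": "events.amazonaws.com"},
                "Action": "sqs:SendMessage",
                "Resource": queue_arn,
                "Condition": {"ArnEquals": {"aws:SourceArn": rule_arn(acct)}},
            }
            for acct in source_accounts
        ],
    }


def event_matches(pattern: dict, event: dict) -> bool:
    """Minimal EventBridge matching: each pattern key must be present in the
    event with one of the listed literal values (exact-match patterns only)."""
    return all(event.get(key) in allowed for key, allowed in pattern.items())


def route_events(events: list, pattern: dict = None) -> list:
    """Return the events the source-account rule would forward to the queue."""
    pattern = pattern or build_event_pattern()
    return [e for e in events if event_matches(pattern, e)]


def audit_queue_policy(policy: dict) -> list:
    """Flag SendMessage grants that are broader than the cross-account design needs."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sqs:SendMessage", "sqs:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        sid = stmt.get("Sid", "<no Sid>")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: wildcard principal can send messages")
        elif isinstance(principal, dict) and "Service" in principal and "Condition" not in stmt:
            findings.append(f"{sid}: service principal not scoped with aws:SourceArn")
    return findings


# Constructed sample events, shaped like EventBridge envelopes.
SAMPLE_EVENTS = [
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "account": "111111111111", "detail": {"instance-id": "i-0123456789abcdef0", "state": "running"}},
    {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
     "account": "111111111111", "detail": {"eventName": "DescribeInstances"}},
    {"source": "aws.s3", "detail-type": "Object Created",
     "account": "222222222222", "detail": {"bucket": {"name": "example-bucket"}}},
]

# A deliberately weak policy for the audit to flag: anyone may write to the queue.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "OpenToWorld", "Effect": "Allow", "Principal": "*",
                   "Action": "sqs:SendMessage", "Resource": QUEUE_ARN}],
}

if __name__ == "__main__":
    scoped = build_queue_policy(QUEUE_ARN, SOURCE_ACCOUNTS)
    print(json.dumps(scoped, indent=2))
    print("forwarded:", [e["detail-type"] for e in route_events(SAMPLE_EVENTS)])
    print("audit (scoped):", audit_queue_policy(scoped))
    print("audit (weak):", audit_queue_policy(WEAK_POLICY))
```

Running the script prints the scoped policy, shows that only the state-change notification out of the three sample events would reach the queue, and reports the wildcard-principal finding for the weak policy while the scoped one passes clean. The audit is the check to run against the real queue policy after deployment: a `Principal` of `*` without a condition would let any AWS principal enqueue fabricated lifecycle events.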

This solution will meet the requirements because:

  • It will collect all EC2 instance lifecycle events from multiple AWS accounts and store them in a single SQS queue for further processing.
  • It will encrypt the lifecycle events at rest and in transit using AWS Key Management Service (AWS KMS) keys, which provide security and encryption for your data.
  • It will have minimal management overhead because it uses fully managed services that scale automatically with your workload.

Option A is incorrect because configuring Amazon EC2 to deliver EC2 instance lifecycle events from all accounts to the Amazon EventBridge event bus of the main account is not possible. Amazon EC2 does not have a built-in feature to send events to EventBridge. The developer has to create an EventBridge rule in each account to capture and forward EC2 instance lifecycle events.

Option C is incorrect because writing an AWS Lambda function that scans through all EC2 instances in the company accounts to detect EC2 instance lifecycle changes is not efficient or scalable. AWS Lambda is a service that lets you run code without provisioning or managing servers. You can use Lambda to create serverless applications or to run code in response to events. However, Lambda is not suitable for scanning through all EC2 instances periodically, because:

  • It will incur unnecessary costs and latency by invoking Lambda functions every minute regardless of whether there are any lifecycle changes or not.
  • It will require custom logic and permissions to access and query all EC2 instances across multiple accounts, which adds complexity and overhead.
  • It will not capture real-time lifecycle changes, but only those that occur within the one-minute interval, which might result in missing or delayed notifications.

Option D is incorrect because configuring the permissions on the main account event bus to receive events from all accounts is not enough to collect EC2 instance lifecycle events. The developer also has to create an EventBridge rule in each account to send all EC2 instance lifecycle events to the main account event bus. Otherwise, no events will be forwarded from other accounts.
