Which solution will meet this requirement?
Set up an AWS Config managed rule to check if instances are running from AMIs that are on the list of pre-approved AMIs. Configure an automatic remediation action so that an AWS Systems Manager Automation runbook terminates any instances that are noncompliant with the rule.
Store the list of pre-approved AMIs in an Amazon DynamoDB global table that is replicated to all AWS Regions that the developers use. Create Regional EC2 launch templates. Configure the launch templates to check AMIs against the list and to terminate any instances that are not on the list.
Select the Amazon CloudWatch metric that shows all running instances and the AMIs that the instances were launched from. Create a CloudWatch alarm that terminates an instance if the metric shows the use of an unapproved AMI.
Create a custom Amazon Inspector finding to compare a running instance’s AMI against the list of pre-approved AMIs. Create an AWS Lambda function that terminates instances. Configure Amazon Inspector to report findings of unapproved AMIs to an Amazon Simple Queue Service (Amazon SQS) queue to invoke the Lambda function.
Explanations:
AWS Config can enforce compliance by using a managed rule to check for approved AMIs and can trigger an automated remediation action via an AWS Systems Manager Automation runbook to terminate instances that use unapproved AMIs.
EC2 launch templates can define specific AMIs but cannot enforce termination of instances launched from unapproved AMIs. Also, launch templates themselves lack the ability to perform compliance checks against a DynamoDB list of AMIs.
CloudWatch metrics do not provide direct visibility into AMI IDs of running instances, nor do they support termination actions based on specific conditions, making this option infeasible for automatic instance termination.
Amazon Inspector is designed for vulnerability assessments rather than compliance with specific AMIs. It cannot directly compare AMIs or terminate instances based on AMI compliance, making it unsuitable for this requirement.
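As an added example (not part of the original question or its explanations), the correct option expressed as a CloudFormation template: the AWS Config managed rule `APPROVED_AMIS_BY_ID` marks an EC2 instance noncompliant when its AMI is not in the `amiIds` list, and the remediation configuration automatically runs the `AWS-TerminateEC2Instance` Systems Manager Automation runbook against each noncompliant instance. The AMI IDs and the role ARN are placeholders to be supplied at deployment.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Flag and terminate EC2 instances not launched from approved AMIs (constructed example)

Parameters:
  ApprovedAmiIds:
    Type: CommaDelimitedList
    # Placeholder IDs; replace with the account's pre-approved AMIs
    Default: "ami-0123456789abcdef0,ami-0fedcba9876543210"
  AutomationRoleArn:
    Type: String
    # IAM role assumed by Systems Manager Automation; needs ec2:TerminateInstances

Resources:
  # Managed rule: evaluates every EC2 instance against the approved AMI list
  ApprovedAmiRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: approved-amis-by-id
      Source:
        Owner: AWS
        SourceIdentifier: APPROVED_AMIS_BY_ID
      InputParameters:
        amiIds: !Join [",", !Ref ApprovedAmiIds]
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Instance

  # Automatic remediation: terminate each instance the rule reports as noncompliant
  TerminateNoncompliantInstances:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref ApprovedAmiRule
      TargetType: SSM_DOCUMENT
      TargetId: AWS-TerminateEC2Instance
      Automatic: true
      MaximumAutomaticAttempts: 3
      RetryAttemptSeconds: 60
      Parameters:
        InstanceId:
          ResourceValue:
            Value: RESOURCE_ID   # AWS Config substitutes the noncompliant instance ID
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !Ref AutomationRoleArn
```

A configuration recorder that records `AWS::EC2::Instance` must already be enabled in the account and Region, and the role in `AutomationRoleArn` needs a trust policy for `ssm.amazonaws.com`. Deploying first with `Automatic: false` lets you review the noncompliant instances the rule reports before terminations begin.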