What should the Solutions Architect do to MOST quickly mitigate the risk of compliance deviations?
1. Create an Amazon CloudWatch Events rule that matches each time an EC2 instance is launched using one of the allowed AMIs, and associate it with the Lambda function as the target.
2. For the Amazon S3 bucket receiving the AWS CloudTrail logs, create an S3 event notification configuration with a filter to match when logs contain the ec2:RunInstances action, and associate it with the Lambda function as the target.
3. Enable AWS CloudTrail and configure it to stream to an Amazon CloudWatch Logs group. Create a metric filter in CloudWatch to match when the ec2:RunInstances action occurs, and trigger the Lambda function when the metric is greater than 0.
4. Create an Amazon CloudWatch Events rule that matches each time an EC2 instance is launched, and associate it with the Lambda function as the target.
Explanations:
1. This option only fires for instances launched from one of the allowed AMIs, so it never sees launches that use a non-compliant AMI. Those are exactly the instances the function needs to catch, so this rule misses the main compliance risk.
2. This option triggers the Lambda function from S3 event notifications on the CloudTrail log bucket. CloudTrail delivers log files to S3 in batches rather than per event, so the function runs minutes after the launch and only after the log object is parsed, adding both delay and complexity. It does not provide the near-real-time monitoring needed for immediate action.
3. Although this option uses CloudTrail and a CloudWatch Logs metric filter to detect the ec2:RunInstances action, it introduces latency because the Lambda function is triggered from a metric crossing a threshold rather than from the event itself. Non-compliant instances could run for some time before the function is invoked.
4. This option creates a CloudWatch Events rule that triggers immediately when any EC2 instance is launched, regardless of AMI. The Lambda function runs in near real time, checks the instance's AMI, subnet, and security group against the DynamoDB table, and can terminate any non-compliant instance promptly.
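The following is an added example, not part of the original question or its explanations, of the compliance check the Lambda function behind option 4 would run. It assumes the rule forwards "EC2 Instance State-change Notification" events, replaces the DynamoDB lookup with an in-memory dict of approved values, and injects the describe-instance call so the decision logic can be exercised offline; only `lambda_handler` touches boto3.

```python
# Constructed sample of what a CloudWatch Events rule matching "EC2 Instance
# State-change Notification" events (detail.state "pending") delivers to Lambda.
SAMPLE_EVENT = {
    "source": "aws.ec2",
    "detail-type": "EC2 Instance State-change Notification",
    "detail": {"instance-id": "i-0123456789abcdef0", "state": "pending"},
}

# Constructed stand-in for the DynamoDB table of approved values (a real
# handler would read it with boto3 instead of hard-coding it).
ALLOWED = {
    "amis": {"ami-0aaaaaaaaaaaaaaaa"},
    "subnets": {"subnet-0aaaaaaaaaaaaaaaa"},
    "security_groups": {"sg-0aaaaaaaaaaaaaaaa"},
}


def find_violations(instance, allowed):
    """Check one describe_instances() entry; an empty list means compliant."""
    violations = []
    if instance.get("ImageId") not in allowed["amis"]:
        violations.append("ami %s not approved" % instance.get("ImageId"))
    if instance.get("SubnetId") not in allowed["subnets"]:
        violations.append("subnet %s not approved" % instance.get("SubnetId"))
    # Every attached security group must be approved, not just one of them.
    for group in instance.get("SecurityGroups", []):
        if group.get("GroupId") not in allowed["security_groups"]:
            violations.append("security group %s not approved" % group["GroupId"])
    return violations


def decide(event, describe, allowed):
    """Core of the handler; `describe(instance_id)` is injected so this runs
    offline. Returns (action, reasons), action in {ignore, allow, terminate}."""
    if event.get("detail-type") != "EC2 Instance State-change Notification":
        return "ignore", ["not an instance state-change event"]
    detail = event.get("detail", {})
    if detail.get("state") != "pending":  # only act on launches
        return "ignore", ["state %s is not a launch" % detail.get("state")]
    violations = find_violations(describe(detail["instance-id"]), allowed)
    return ("terminate" if violations else "allow"), violations


def lambda_handler(event, context):
    """Lambda entry point: wires boto3 into decide() and terminates on violation."""
    import boto3  # imported here so the pure logic above runs without AWS access
    ec2 = boto3.client("ec2")

    def describe(iid):
        return ec2.describe_instances(InstanceIds=[iid])["Reservations"][0]["Instances"][0]
    action, reasons = decide(event, describe, ALLOWED)
    if action == "terminate":
        ec2.terminate_instances(InstanceIds=[event["detail"]["instance-id"]])
    return {"action": action, "reasons": reasons}
```

Because the rule fires on the state change itself, the check runs while the instance is still in the pending state, which is the latency advantage option 4 has over the CloudTrail-based options.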