Which action should a SysOps Administrator recommend?
Create a custom report using AWS Systems Manager Inventory to identify unapproved AMIs
Run Amazon Inspector on all EC2 instances and flag instances using unapproved AMIs
Use an AWS Config rule to identify unapproved AMIs
Use AWS Trusted Advisor to identify EC2 workloads using unapproved AMIs
Explanations:
While AWS Systems Manager Inventory can provide information about EC2 instances, it does not specifically filter for unapproved AMIs, so correlating its results with a list of approved AMIs requires additional manual effort.
Amazon Inspector focuses on security assessments and compliance checks for vulnerabilities rather than directly identifying unapproved AMIs. Therefore, it may not be effective for this specific requirement.
AWS Config can be configured with custom rules to evaluate the compliance of resources, including EC2 instances using specific AMIs. This is the most effective method to automate the identification of unapproved AMIs.
AWS Trusted Advisor provides best practice recommendations but does not specifically monitor or identify unapproved AMIs. It may highlight underutilized resources but lacks the targeted compliance checks necessary for AMI approval status.