How can the InfoSec team ensure compliance with this mandate?
Terminate all Amazon EC2 instances and relaunch them with approved AMIs.
Patch all running instances by using AWS Systems Manager.
Deploy AWS Config rules and check all running instances for compliance.
Define a metric filter in Amazon CloudWatch Logs to verify compliance.
Explanations:
Terminating all instances and relaunching them with approved AMIs would be disruptive and time-consuming. It does not provide a continuous compliance check or enforcement mechanism for future instances.
Patching instances does not ensure that they are using approved AMIs. Patching may address vulnerabilities but does not control the source or approval status of the AMI itself.
Deploying AWS Config rules allows for continuous compliance monitoring of EC2 instances. It can check if instances are launched with approved AMIs and alert or remediate any that are not compliant.
Defining a metric filter in CloudWatch Logs may help in monitoring activities but does not directly enforce compliance with approved AMIs. It lacks the capability to automatically check or remediate the state of EC2 instances.
I figure that the answer is:
Deploy AWS Config rules and check all running instances for compliance.