How can this process be automated?
Create a CloudWatch Logs subscription to an AWS Step Functions application. Configure an AWS Lambda function to add a tag to the EC2 instance that produced the login event and mark the instance to be decommissioned. Create an Amazon EventBridge rule to invoke a second Lambda function once a day that will terminate all instances with this tag.
Create an Amazon CloudWatch alarm that will be invoked by the login event. Send the notification to an Amazon Simple Notification Service (Amazon SNS) topic that the operations team is subscribed to, and have them terminate the EC2 instance within 24 hours.
Create an Amazon CloudWatch alarm that will be invoked by the login event. Configure the alarm to send to an Amazon Simple Queue Service (Amazon SQS) queue. Use a group of worker instances to process messages from the queue, which then schedule an Amazon EventBridge rule to be invoked.
Create a CloudWatch Logs subscription filter that invokes an AWS Lambda function. Configure the function to add a tag to the EC2 instance that produced the login event and mark the instance to be decommissioned. Create an Amazon EventBridge rule to invoke a daily Lambda function that terminates all instances with this tag.
Explanations:
The Step Functions option is fully automated, but it is unnecessarily complex: it routes the log event through a Step Functions state machine only to call a Lambda function that does the same tagging the last option does directly, and it adds a second Lambda invocation on top of that. It also does not work as written, because a CloudWatch Logs subscription filter can only deliver to Kinesis Data Streams, Kinesis Data Firehose, or Lambda; Step Functions is not a supported subscription destination, so yet another hop would be needed. The extra moving parts add operational overhead and more places for the pipeline to fail silently.
The SNS option requires manual intervention: the operations team has to notice the notification and terminate the EC2 instance themselves. A human in the loop is neither automation nor a guarantee that the instance is gone within 24 hours.
The SQS option introduces unnecessary complexity (a queue plus a fleet of worker instances to poll it) and still does not terminate anything on its own; the workers only schedule a further EventBridge rule, so the termination path is left undefined. It is also not a valid CloudWatch configuration: alarms evaluate metrics rather than individual log events (a metric filter would be needed first), and an SQS queue is not a supported alarm action.
The last option is the most straightforward solution. A CloudWatch Logs subscription filter invokes a Lambda function for each matching login event, the function tags the originating instance for decommissioning, and an EventBridge scheduled rule runs a second Lambda function once a day that terminates every instance carrying the tag. Every step is automated, the components are the native integration points for this job, and the daily schedule bounds the lifetime of a compromised-or-touched instance to at most 24 hours after it is tagged.
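The two Lambda functions from the chosen design, as an added worked example (this code is not from the question or from AWS; it is written here to show the mechanics). It assumes the CloudWatch agent names each log stream after the instance id, so the instance that produced a login line can be read from `logStream`, that login lines look like sshd's `Accepted ... for` messages, and that the decommission tag key is `decommission`; the sample subscription event and the `FakeEC2` client are constructed here so the module runs offline, and the real handlers take a boto3 EC2 client when deployed.

```python
import base64
import gzip
import json
import re
from datetime import datetime, timezone

try:
    import boto3  # present in the Lambda runtime; not needed for the offline demo
except ImportError:
    boto3 = None

DECOMMISSION_TAG = "decommission"  # assumed tag key, not from the question
INSTANCE_ID_RE = re.compile(r"\bi-[0-9a-f]{8,17}\b")
LOGIN_RE = re.compile(r"Accepted (publickey|password|keyboard-interactive) for")  # assumed sshd format


def decode_subscription_event(event):
    """CloudWatch Logs delivers subscription data as base64-encoded, gzip-compressed JSON."""
    raw = base64.b64decode(event["awslogs"]["data"])
    return json.loads(gzip.decompress(raw).decode("utf-8"))


def login_instance_ids(payload):
    """Instance ids whose log events contain a login line.

    Assumes the agent's {instance_id} stream naming, so the id normally comes
    from logStream; an id inside the message itself takes precedence.
    """
    stream_id = INSTANCE_ID_RE.search(payload.get("logStream", ""))
    ids = set()
    for ev in payload.get("logEvents", []):
        msg = ev.get("message", "")
        if not LOGIN_RE.search(msg):
            continue
        m = INSTANCE_ID_RE.search(msg) or stream_id
        if m:
            ids.add(m.group(0))
    return sorted(ids)


def tag_handler(event, context=None, ec2=None):
    """Lambda 1 (subscription filter target): tag the instance that produced the login."""
    ids = login_instance_ids(decode_subscription_event(event))
    if ids:
        ec2 = ec2 or boto3.client("ec2")
        stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        ec2.create_tags(Resources=ids, Tags=[{"Key": DECOMMISSION_TAG, "Value": stamp}])
    return {"tagged": ids}


def terminate_handler(event=None, context=None, ec2=None):
    """Lambda 2 (EventBridge rate(1 day) target): terminate every tagged instance."""
    ec2 = ec2 or boto3.client("ec2")
    ids = []
    pages = ec2.get_paginator("describe_instances").paginate(Filters=[
        {"Name": "tag-key", "Values": [DECOMMISSION_TAG]},
        {"Name": "instance-state-name", "Values": ["pending", "running", "stopping", "stopped"]},
    ])
    for page in pages:
        for reservation in page["Reservations"]:
            ids.extend(i["InstanceId"] for i in reservation["Instances"])
    if ids:
        ec2.terminate_instances(InstanceIds=ids)
    return {"terminated": ids}


# ---- offline demo: constructed sample event and a fake EC2 client ----------

def build_sample_event(log_stream, messages):
    """Construct a subscription event in the shape CloudWatch Logs delivers."""
    payload = {
        "messageType": "DATA_MESSAGE", "owner": "123456789012",
        "logGroup": "/var/log/secure", "logStream": log_stream,
        "subscriptionFilters": ["login-events"],
        "logEvents": [{"id": str(n), "timestamp": 0, "message": m} for n, m in enumerate(messages)],
    }
    data = base64.b64encode(gzip.compress(json.dumps(payload).encode())).decode()
    return {"awslogs": {"data": data}}


class FakeEC2:
    """Records the calls the handlers make; stands in for the boto3 EC2 client."""

    def __init__(self):
        self.tags = {}  # instance id -> {tag key: value}
        self.terminated = []

    def create_tags(self, Resources, Tags):
        for iid in Resources:
            self.tags.setdefault(iid, {}).update({t["Key"]: t["Value"] for t in Tags})

    def get_paginator(self, name):
        fake = self

        class _Paginator:
            def paginate(self, Filters):
                key = next(f["Values"][0] for f in Filters if f["Name"] == "tag-key")
                found = [{"InstanceId": i} for i, t in fake.tags.items() if key in t]
                return [{"Reservations": [{"Instances": found}]}]
        return _Paginator()

    def terminate_instances(self, InstanceIds):
        self.terminated.extend(InstanceIds)
        for iid in InstanceIds:  # terminated instances drop out of the state filter
            self.tags.pop(iid, None)


if __name__ == "__main__":
    ec2 = FakeEC2()
    event = build_sample_event("i-0abc123def456789a",
                               ["sshd[1234]: Accepted publickey for ec2-user from 203.0.113.5 port 51234 ssh2"])
    print(tag_handler(event, ec2=ec2))
    print(terminate_handler(ec2=ec2))
```

The tag value records when the login was seen, which is useful evidence during triage. Note that a `rate(1 day)` schedule means an instance tagged just after a run waits almost a full day; if the requirement is a hard 24-hour ceiling rather than "daily", run the terminate function more often (for example every hour), since it is idempotent and only touches tagged instances. The Lambda execution role for the first function needs only `ec2:CreateTags`, and the second only `ec2:DescribeInstances` and `ec2:TerminateInstances`, ideally conditioned on the tag key.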