What is the MOST operationally efficient solution that meets these requirements?
Create an Amazon EventBridge (Amazon CloudWatch Events) rule to send all EC2 instance state changes to an AWS Lambda function to determine if each instance is compliant. Terminate any noncompliant instances.
Create an IAM policy that enforces all EC2 instance tag requirements. If the required tags are not in place for an instance, the policy will terminate the noncompliant instance.
Create an AWS Lambda function to determine if each EC2 instance is compliant and terminate an instance if it is noncompliant. Schedule the Lambda function to invoke every 5 minutes.
Create an AWS Config rule to check if the required tags are present. If an EC2 instance is noncompliant, invoke an AWS Systems Manager Automation document to terminate the instance.
Explanations:
While using Amazon EventBridge to trigger a Lambda function could help identify noncompliant instances, it relies on instance state changes, so it does not catch an instance that loses its required tags while running. This solution is not as proactive and efficient as needed for continuous compliance checks.
IAM policies cannot directly terminate EC2 instances. IAM is focused on permissions and access control, and although it can enforce tag requirements at the time of instance creation, it does not handle existing instances or automatically terminate noncompliant ones.
Although this option schedules a Lambda function to check compliance every 5 minutes, it is not as efficient as a real-time solution. The function runs on a schedule and may miss instances that become noncompliant between checks, leading to potential compliance issues.
AWS Config can continuously monitor and evaluate the compliance of resources, including EC2 instances and their tags. If a noncompliant instance is detected, it can trigger an automation document via AWS Systems Manager to terminate the instance immediately, ensuring real-time enforcement of the tagging policy and operational efficiency.
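The correct option as a CloudFormation template, added here as an example rather than taken from the question source: the AWS managed REQUIRED_TAGS rule scoped to EC2 instances, with an automatic remediation that runs the AWS-owned AWS-TerminateEC2Instance Automation document. The tag key, account ID and role ARN are placeholders, and it assumes a Config configuration recorder is already recording AWS::EC2::Instance resources.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example: AWS Config REQUIRED_TAGS rule with automatic SSM Automation
  remediation that terminates noncompliant EC2 instances.
Parameters:
  RequiredTagKey:
    Type: String
    Default: CostCenter                   # constructed placeholder tag key
  AutomationRoleArn:
    Type: String
    Description: >-
      Role assumed by Systems Manager Automation; must trust ssm.amazonaws.com
      and allow ec2:TerminateInstances (placeholder ARN).
    Default: arn:aws:iam::111122223333:role/PLACEHOLDER-ConfigRemediationRole
Resources:
  RequiredTagsRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: ec2-required-tags
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Instance            # evaluate instances only, not every taggable resource
      Source:
        Owner: AWS
        SourceIdentifier: REQUIRED_TAGS   # AWS managed rule; re-evaluates on configuration change
      InputParameters:
        tag1Key: !Ref RequiredTagKey
  TerminateNoncompliantInstances:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref RequiredTagsRule
      TargetType: SSM_DOCUMENT
      TargetId: AWS-TerminateEC2Instance  # AWS-owned Automation document
      Automatic: true                     # no manual approval step before remediation
      MaximumAutomaticAttempts: 3
      RetryAttemptSeconds: 60
      Parameters:
        InstanceId:
          ResourceValue:
            Value: RESOURCE_ID            # Config substitutes the noncompliant instance ID
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !Ref AutomationRoleArn
```

Deploying with `Automatic: false` first lets the remediation be triggered manually from the Config console while the rule's evaluations are reviewed, since the automation terminates rather than tags the instance.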