What steps should the Engineer take to meet this requirement with the LEAST administrative overhead?
Use AWS Systems Manager Configuration Compliance. Use calls to the put-compliance-items API action to scan and build a database of noncompliant EC2 instances based on their host placement configuration. Use an Amazon DynamoDB table to store these instance IDs for fast access. Generate a report through Systems Manager by calling the list-compliance-summaries API action.
Use custom Java code running on an EC2 instance. Set up EC2 Auto Scaling for the instance depending on the number of instances to be checked. Send the list of noncompliant EC2 instance IDs to an Amazon SQS queue. Set up another worker instance to process instance IDs from the SQS queue and write them to Amazon DynamoDB. Use an AWS Lambda function to terminate noncompliant instance IDs obtained from the queue, and send them to an Amazon SNS email topic for distribution.
Use AWS Config. Identify all EC2 instances to be audited by enabling Config Recording on all Amazon EC2 resources for the region. Create a custom AWS Config rule that triggers an AWS Lambda function by using the "config-rule-change-triggered" blueprint. Modify the Lambda evaluateCompliance() function to verify host placement and return a NON_COMPLIANT result if the instance is not running on an EC2 Dedicated Host. Use the AWS Config report to address noncompliant instances.
Use AWS CloudTrail. Identify all EC2 instances to be audited by analyzing all calls to the EC2 RunCommand API action. Invoke an AWS Lambda function that analyzes the host placement of the instance. Store the EC2 instance ID of noncompliant resources in an Amazon RDS MySQL DB instance. Generate a report by querying the RDS instance and exporting the query results to a CSV text file.
Explanations:
While AWS Systems Manager Configuration Compliance can check compliance, it requires manual setup of compliance items and API calls, which introduces additional overhead compared to other options. Furthermore, using a DynamoDB table for storage is not as efficient or straightforward as AWS Config, which directly integrates with compliance checking.
This option involves writing custom Java code and setting up EC2 Auto Scaling, which adds significant administrative overhead. The complexity of managing SQS queues, worker instances, and Lambda functions for termination and notification is unnecessarily complicated compared to using a built-in AWS service.
AWS Config provides an efficient way to monitor compliance with specific rules, including host placement. By enabling Config Recording and creating a custom rule with a Lambda function, the process is automated and requires minimal ongoing maintenance. The built-in reporting features of AWS Config simplify compliance reporting, making this the least administratively burdensome option.
AWS CloudTrail logs API calls but does not directly provide compliance monitoring. The proposed solution involves analyzing logs and invoking Lambda functions, leading to complex and potentially slow processes. Storing data in RDS also adds management overhead compared to the direct integration and reporting capabilities of AWS Config.
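The following Python Lambda is an added illustration of the AWS Config approach described in the third option; it is not code from this page or from the AWS "config-rule-change-triggered" blueprint itself. It assumes a change-triggered custom rule whose Lambda receives the EC2 configuration item inside `event["invokingEvent"]`, and that Dedicated Host placement appears in that item as `configuration.placement.tenancy == "host"` (the `sample_event` helper and its instance ID are constructed for the demonstration).

```python
"""Custom AWS Config rule: flag EC2 instances not running on a Dedicated Host.

Added illustration, not code from the page or from the AWS blueprint itself.
Assumed: a change-triggered custom rule whose Lambda receives the configuration
item in event["invokingEvent"]; Dedicated Host placement is tenancy == "host".
"""
import json

# Compliance values accepted by Config's PutEvaluations API.
COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"

# Only EC2 instances are evaluated; every other resource type is out of scope.
APPLICABLE_RESOURCE_TYPES = {"AWS::EC2::Instance"}


def evaluate_compliance(configuration_item):
    """Return the compliance type for one Config configuration item.

    NOT_APPLICABLE for non-instance resources and for instances that were
    deleted (Config delivers a final item with status ResourceDeleted);
    COMPLIANT only when the instance tenancy is "host" (a Dedicated Host).
    "dedicated" (Dedicated Instance) and "default" both count as NON_COMPLIANT.
    """
    if configuration_item.get("resourceType") not in APPLICABLE_RESOURCE_TYPES:
        return NOT_APPLICABLE
    if configuration_item.get("configurationItemStatus") in (
        "ResourceDeleted", "ResourceDeletedNotRecorded", "ResourceNotRecorded"
    ):
        return NOT_APPLICABLE
    configuration = configuration_item.get("configuration") or {}
    placement = configuration.get("placement") or {}
    tenancy = placement.get("tenancy", "default")
    return COMPLIANT if tenancy == "host" else NON_COMPLIANT


def build_evaluation(event):
    """Turn the Config invocation event into one PutEvaluations entry."""
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event["configurationItem"]
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_compliance(item),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Lambda entry point: evaluate the item and report the verdict to Config."""
    import boto3  # imported here so the pure functions above stay testable offline

    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation],
        ResultToken=event["resultToken"],
    )
    return evaluation


def sample_event(tenancy, resource_id="i-0123456789abcdef0", status="OK"):
    """Constructed invocation event shaped like a change-triggered rule's input."""
    item = {
        "resourceType": "AWS::EC2::Instance",
        "resourceId": resource_id,  # constructed sample instance ID
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"placement": {"tenancy": tenancy}},
    }
    return {
        "invokingEvent": json.dumps({"configurationItem": item}),
        "resultToken": "placeholder-result-token",
    }


if __name__ == "__main__":
    for tenancy in ("host", "dedicated", "default"):
        verdict = build_evaluation(sample_event(tenancy))["ComplianceType"]
        print(f"tenancy={tenancy!r} -> {verdict}")
```

Keeping the decision in a pure `evaluate_compliance()` and building the `PutEvaluations` entry separately is what makes the rule cheap to maintain: the placement check can be unit-tested without AWS credentials, and the Lambda's execution role only needs `config:PutEvaluations` plus CloudWatch Logs. Deleted instances are reported as `NOT_APPLICABLE` so stale findings drop out of the Config compliance view rather than lingering as noncompliant.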