What steps should the engineer take to meet this requirement with the LEAST administrative overhead?
Use AWS Systems Manager Configuration Compliance. Use calls to the put-compliance-items API action to scan and build a database of noncompliant EC2 instances based on their host placement configuration. Use an Amazon DynamoDB table to store these instance IDs for fast access. Generate a report through Systems Manager by calling the list-compliance-summaries API action.
Use custom Java code running on an EC2 instance. Set up EC2 Auto Scaling for the instance depending on the number of instances to be checked. Send the list of noncompliant EC2 instance IDs to an Amazon SQS queue. Set up another worker instance to process instance IDs from the SQS queue and write them to Amazon DynamoDUse an AWS Lambda function to terminate noncompliant instance IDs obtained from the queue, and send them to an Amazon SNS email topic for distribution.
Use AWS Config. Identify all EC2 instances to be audited by enabling Config Recording on all Amazon EC2 resources for the region. Create a custom AWS Config rule that triggers an AWS Lambda function by using the “config-rule-change -triggered” blueprint. Modify the Lambda evaluateCompliance() function to verify host placement to return a NON_COMPLIANT result if the instance is not running on an EC2 Dedicated Host. Use the AWS Config report to address noncompliant instances.
Use AWS CloudTrail. Identify all EC2 instances to be audited by analyzing all calls to the EC2 RunCommand API action. Invoke an AWS Lambda function that analyzes the host placement of the instance. Store the EC2 instance ID of noncompliant resources in an Amazon RDS for MySQL DB instance. Generate a report by querying the RDS instance and exporting the query results to a CSV text file.
Explanations:
While AWS Systems Manager can be used for compliance checks, the approach of using the put-compliance-items API to build a database of noncompliant instances introduces unnecessary complexity and overhead. It requires manual intervention to store compliance data in DynamoDB and generate reports, which is not the most efficient method for ongoing audits.
This option involves writing custom Java code and managing EC2 instances for auditing, which adds significant administrative overhead. The complexity of setting up EC2 Auto Scaling, SQS for messaging, and additional worker instances complicates the process and is not efficient for compliance auditing.
AWS Config is specifically designed for compliance auditing and monitoring configurations of AWS resources. By enabling Config Recording and creating a custom rule, the engineer can efficiently track EC2 instances’ host placements and automatically assess compliance with minimal ongoing management required. The integration with Lambda for real-time compliance checks streamlines the auditing process.
Using AWS CloudTrail to analyze EC2 RunCommand API actions for auditing introduces unnecessary complexity, as CloudTrail is primarily for logging and monitoring API calls rather than compliance checks. This method requires additional Lambda functions and an RDS database for tracking noncompliant instances, which adds administrative overhead without providing direct compliance enforcement.
I deduce that the answer is:
Use AWS Config. Identify all EC2 instances to be audited by enabling Config Recording on all Amazon EC2 resources for the region. Create a custom AWS Config rule that triggers an AWS Lambda function by using the “config-rule-change -triggered” blueprint. Modify the Lambda evaluateCompliance() function to verify host placement to return a NON_COMPLIANT result if the instance is not running on an EC2 Dedicated Host. Use the AWS Config report to address noncompliant instances.