Which method enforces the required controls with the LEAST impact on the development process?
(Choose two.)
A. Use IAM policies to restrict the ability of users or other automated entities to launch EC2 instances based on a specific set of pre-approved AMIs, such as those tagged in a specific way by Information Security.
B. Use regular scans within Amazon Inspector with a custom assessment template to determine if the EC2 instance that the Amazon Inspector Agent is running on is based upon a pre-approved AMI. If it is not, shut down the instance and inform Information Security by email that this occurred.
C. Only allow launching of EC2 instances using a centralized DevOps team, which is given work packages via notifications from an internal ticketing system. Users make requests for resources using this ticketing tool, which has manual information security approval steps to ensure that EC2 instances are only launched from approved AMIs.
D. Use AWS Config rules to spot any launches of EC2 instances based on non-approved AMIs, trigger an AWS Lambda function to automatically terminate the instance, and publish a message to an Amazon SNS topic to inform Information Security that this occurred.
E. Use a scheduled AWS Lambda function to scan through the list of running instances within the virtual private cloud (VPC) and determine if any of these are based on unapproved AMIs. Publish a message to an SNS topic to inform Information Security that this occurred and then shut down the instance.
Explanations:
A. IAM policies can restrict EC2 instance launches to specific AMIs based on their tags. This approach lets the Development team continue its agile process while ensuring compliance with the security requirement, because the policy is enforced automatically at launch time with no manual intervention.
B. While Amazon Inspector can help identify non-approved AMIs, the method described is reactive: instances are shut down only after they have launched, which could interrupt the agile CI/CD process. It does not enforce the control at the time of instance launch, leading to potential development delays.
C. This method relies on a centralized DevOps team and manual approval steps, which would introduce significant delays and bottlenecks in the development process, contradicting the agile principles of rapid iteration and deployment.
D. AWS Config rules can monitor EC2 instance launches and, through a Lambda function, automatically terminate any instance that is not based on an approved AMI while notifying Information Security via SNS. This method is proactive in that non-compliant instances are removed without manual intervention, thus minimizing disruption to the development workflow.
E. Similar to option B, this method relies on scheduled scans to identify and reactively shut down unapproved instances. It would not prevent non-compliance from occurring at launch, potentially disrupting development workflows and failing to enforce real-time controls.
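The AWS Config custom rule from option D, as an added example (not part of the original question or answer key). It assumes a rule parameter named ApprovedAmiIds holding a comma-separated list of approved AMI IDs and an SNS_TOPIC_ARN environment variable; the sample event and all resource IDs are constructed for illustration.

```python
import json
import os


def make_event(ami_id: str, status: str = "OK") -> dict:
    """Build a constructed AWS Config custom-rule invocation event (for testing)."""
    item = {
        "resourceType": "AWS::EC2::Instance",
        "resourceId": "i-0123456789abcdef0",          # constructed instance ID
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"imageId": ami_id},
    }
    return {
        "invokingEvent": json.dumps({"configurationItem": item}),
        "ruleParameters": json.dumps({"ApprovedAmiIds": "ami-0123456789abcdef0"}),  # assumed parameter name
        "resultToken": "constructed-token",
    }


def evaluate_compliance(event: dict) -> dict:
    """Return one AWS Config evaluation for the configuration item in the event."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking.get("configurationItem", {})
    params = json.loads(event.get("ruleParameters") or "{}")
    approved = {a.strip() for a in params.get("ApprovedAmiIds", "").split(",") if a.strip()}
    base = {
        "ComplianceResourceType": item.get("resourceType", "AWS::EC2::Instance"),
        "ComplianceResourceId": item.get("resourceId", ""),
        "OrderingTimestamp": item.get("configurationItemCaptureTime", ""),
    }
    # Deleted resources and non-instance items cannot be evaluated against the AMI list.
    if item.get("resourceType") != "AWS::EC2::Instance" or item.get("configurationItemStatus") == "ResourceDeleted":
        return {**base, "ComplianceType": "NOT_APPLICABLE", "Annotation": "Not a live EC2 instance"}
    ami = item.get("configuration", {}).get("imageId")
    if ami in approved:
        return {**base, "ComplianceType": "COMPLIANT", "Annotation": f"{ami} is an approved AMI"}
    return {**base, "ComplianceType": "NON_COMPLIANT", "Annotation": f"{ami} is not an approved AMI"}


def lambda_handler(event, context):
    """Report the evaluation to AWS Config; on NON_COMPLIANT, notify Information Security and terminate."""
    import boto3  # imported here so evaluate_compliance can be exercised offline
    evaluation = evaluate_compliance(event)
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    if evaluation["ComplianceType"] == "NON_COMPLIANT":
        instance_id = evaluation["ComplianceResourceId"]
        boto3.client("sns").publish(TopicArn=os.environ["SNS_TOPIC_ARN"],
                                    Subject="Unapproved AMI launch terminated",
                                    Message=f"Instance {instance_id}: {evaluation['Annotation']}")
        boto3.client("ec2").terminate_instances(InstanceIds=[instance_id])
    return evaluation
```

Because the rule only fires after the instance exists, this remains a detect-and-remediate control; the IAM condition in option A is what blocks the launch itself.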