Which solution will ensure that an instance profile is attached to all existing and future EC2 instances in the Region?

By:
In: DOP-C02
Tagged:
With: 1 Comment
A company has a single AWS account that runs hundreds of Amazon EC2 instances in a single AWS Region.New EC2 instances are launched and terminated each hour in the account.The account also includes existing EC2 instances that have been running for longer than a week.The company’s security policy requires all running EC2 instances to use an EC2 instance profile.If an EC2 instance does not have an instance profile attached, the EC2 instance must use a default instance profile that has no IAM permissions assigned.A DevOps engineer reviews the account and discovers EC2 instances that are running without an instance profile.During the review, the DevOps engineer also observes that new EC2 instances are being launched without an instance profile.

Which solution will ensure that an instance profile is attached to all existing and future EC2 instances in the Region?

Configure an Amazon EventBridge rule that reacts to EC2 RunInstances API calls. Configure the rule to invoke an AWS Lambda function to attach the default instance profile to the EC2 instances.

Configure the ec2-instance-profile-attached AWS Config managed rule with a trigger type of configuration changes. Configure an automatic remediation action that invokes an AWS Systems Manager Automation runbook to attach the default instance profile to the EC2 instances.

Configure an Amazon EventBridge rule that reacts to EC2 StartInstances API calls. Configure the rule to invoke an AWS Systems Manager Automation runbook to attach the default instance profile to the EC2 instances

Configure the iam-role-managed-policy-check AWS Config managed rule with a trigger type of configuration changes. Configure an automatic remediation action that invokes an AWS Lambda function to attach the default instance profile to the EC2 instances.

Explanations:

This option reacts to EC2 RunInstances API calls, which means it only attaches the instance profile at launch time. It does not address existing EC2 instances that are already running without an instance profile, hence it does not provide a comprehensive solution.

The ec2-instance-profile-attached AWS Config managed rule ensures compliance by checking all EC2 instances for attached instance profiles. It triggers remediation actions to attach the default instance profile if any instances are found without one, thus ensuring both existing and future instances comply with the policy.

This option responds to EC2 StartInstances API calls, which means it only attaches the instance profile when an instance is started. It does not address instances that are already running without an instance profile and does not guarantee compliance for new instances launched in a stopped state.

The iam-role-managed-policy-check AWS Config rule is focused on IAM roles and managed policies rather than instance profiles. This option would not ensure that EC2 instances have an instance profile attached, making it unsuitable for the requirements.

2025-10-11

1 Comment

  1. Isaac
    Author

    I scheme that the answer is:
    Configure the ec2-instance-profile-attached AWS Config managed rule with a trigger type of configuration changes. Configure an automatic remediation action that invokes an AWS Systems Manager Automation runbook to attach the default instance profile to the EC2 instances.

Leave a Reply

Your email address will not be published. Required fields are marked *

18 − five =