Which solution will meet these requirements?

By:
In: DOP-C02
Tagged:
With: 1 Comment
A company’s DevOps team manages a set of AWS accounts that are in an organization in AWS Organizations.The company needs a solution that ensures that all Amazon EC2 instances use approved AM Is that the DevOps team manages.The solution also must remediate the usage of AMIs that are not approved.The individual account administrators must not be able to remove the restriction to use approved AMIs.

Which solution will meet these requirements?

Use AWS CloudFormation StackSets to deploy an Amazon EventBridge rule to each account. Configure the rule to react to AWS CloudTrail events for Amazon EC2 and to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the DevOps team to the SNS topic.

Use AWS CloudFormation StackSets to deploy the approved-amis-by-id AWS Config managed rule to each account. Configure the rule with the list of approved AMIs. Configure the rule to run the AWS-StopEC2Instance AWS Systems Manager Automation runbook for the noncompliant EC2 instances.

Create an AWS Lambda function that processes AWS CloudTrail events for Amazon EC2. Configure the Lambda function to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the DevOps team to the SNS topic. Deploy the Lambda function in each account in the organization. Create an Amazon EventBridge rule in each account. Configure the EventBridge rules to react to AWS CloudTrail events for Amazon EC2 and to invoke the Lambda function.

Enable AWS Config across the organization. Create a conformance pack that uses the approved-amis-by-id AWS Config managed rule with the list of approved AMIs. Deploy the conformance pack across the organization. Configure the rule to run the AWS-StopEC2lnstance AWS Systems Manager Automation runbook for the noncompliant EC2 instances.

Explanations:

AWS CloudFormation StackSets and EventBridge are not the optimal approach to ensure EC2 instance compliance for AMIs. While notifications can be sent, this solution does not provide automated remediation of noncompliant EC2 instances or enforce a policy preventing the use of nonapproved AMIs.

While AWS CloudFormation StackSets can deploy the approved-amis-by-id rule and the AWS-StopEC2Instance automation runbook, this approach does not guarantee that the individual account administrators cannot remove the restriction. Furthermore, StackSets is not an ideal method to ensure consistent enforcement across all accounts in the organization.

AWS Lambda and CloudTrail can detect EC2 instance events, but this solution does not provide the necessary governance for preventing nonapproved AMI usage in a centralized way. Lambda deployment in each account and EventBridge rules in every account would be difficult to manage and scale efficiently.

Enabling AWS Config across the organization and using a conformance pack with the approved-amis-by-id rule provides a centralized, automated, and enforceable solution. The rule can automatically remediate noncompliant EC2 instances with the AWS-StopEC2Instance Systems Manager runbook. This solution is fully manageable and prevents account administrators from removing the restriction.

2025-10-10

1 Comment

  1. Frank
    Author

    In my opinion, the answer is:
    Enable AWS Config across the organization. Create a conformance pack that uses the approved-amis-by-id AWS Config managed rule with the list of approved AMIs. Deploy the conformance pack across the organization. Configure the rule to run the AWS-StopEC2lnstance AWS Systems Manager Automation runbook for the noncompliant EC2 instances.

Leave a Reply to Frank Cancel reply

Your email address will not be published. Required fields are marked *

1 + fourteen =