Which solution will meet these requirements?
Create an AWS Config rule with the required-tags managed rule to identify noncompliant resources. Configure automatic remediation to run the AWS-TerminateEC2Instance automation document to terminate noncompliant resources.
Create a new Amazon EventBridge (Amazon CloudWatch Events) rule to monitor when new EC2 instances are created. Send the event to an Amazon Simple Notification Service (Amazon SNS) topic for automatic remediation.
Ensure all users who can create EC2 instances also have the permissions to use the ec2:CreateTags and ec2:DescribeTags actions. Change the instance’s shutdown behavior to terminate.
Ensure AWS Systems Manager Compliance is configured to manage the EC2 instances. Call the AWS-StopEC2Instances automation document to stop noncompliant resources.
Explanations:
AWS Config can enforce compliance by using the required-tags managed rule (source identifier REQUIRED_TAGS) scoped to AWS::EC2::Instance to detect instances that are missing the department tag. The rule is evaluated whenever the configuration recorder records a change to an instance, so a newly launched instance is checked shortly after launch. Automatic remediation attached to the rule runs the AWS-TerminateEC2Instance automation document, passing the noncompliant instance's resource ID as the InstanceId parameter, which terminates the instance without anyone acting on a notification. This meets the requirement for near-real-time termination.
While Amazon EventBridge can monitor the creation of EC2 instances, the option as written only publishes the event to an SNS topic. Nothing in that chain inspects the instance's tags or calls ec2:TerminateInstances, so no remediation happens; a subscriber (for example, an AWS Lambda function) would still have to be built to evaluate the tag and terminate the instance.
The permissions and shutdown-behavior option does not enforce anything. Granting ec2:CreateTags and ec2:DescribeTags lets users tag instances but does not require them to, and the shutdown behavior setting only controls whether an instance is stopped or terminated when the operating system shuts it down. Neither detects a missing department tag or terminates an instance in near-real time.
AWS Systems Manager Compliance reports on patch and association (configuration) compliance of managed instances; it does not evaluate tagging policies. The AWS-StopEC2Instances document would only stop instances, not terminate them, and a stopped instance still exists (and can be restarted) without the required tag, so this does not meet the requirement for immediate termination of noncompliant instances.
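The following CloudFormation template is an added example of the AWS Config approach in the first explanation; it is not part of the original page. It assumes the AWS Config configuration recorder and delivery channel already exist in the account and Region, and the IAM permissions granted to the remediation role are an assumption about what the AWS-TerminateEC2Instance runbook needs (terminating the instance and polling its state). The logical resource names (RemediationRole, RequireDepartmentTag, TerminateNoncompliant) and the rule name are hypothetical.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example (not from the original page): AWS Config required-tags rule
  with automatic remediation that terminates EC2 instances missing the
  "department" tag. Assumes the AWS Config configuration recorder and
  delivery channel already exist in this account and Region.

Resources:
  # Role assumed by SSM Automation when the runbook runs. The actions listed
  # are an assumption about what AWS-TerminateEC2Instance needs (terminate
  # the instance and poll its state); scope the Resource down in production.
  RemediationRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ssm.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: TerminateUntaggedInstances
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - ec2:TerminateInstances
                  - ec2:DescribeInstances
                  - ec2:DescribeInstanceStatus
                Resource: "*"

  # Managed rule REQUIRED_TAGS scoped to EC2 instances. Only the tag key is
  # checked here; add tag1Value to require a specific value as well.
  RequireDepartmentTag:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: ec2-require-department-tag
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Instance
      Source:
        Owner: AWS
        SourceIdentifier: REQUIRED_TAGS
      InputParameters:
        tag1Key: department

  # Automatic remediation: AWS Config substitutes the noncompliant resource ID
  # (RESOURCE_ID) into the runbook's InstanceId parameter at execution time.
  TerminateNoncompliant:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref RequireDepartmentTag
      TargetType: SSM_DOCUMENT
      TargetId: AWS-TerminateEC2Instance
      Automatic: true
      MaximumAutomaticAttempts: 3
      RetryAttemptSeconds: 60
      Parameters:
        InstanceId:
          ResourceValue:
            Value: RESOURCE_ID
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !GetAtt RemediationRole.Arn
```

Because the remediation is destructive, deploy it first with `Automatic: false` and review the noncompliant list in the AWS Config console before switching it on; a single untagged but important instance would otherwise be terminated as soon as the recorder picks it up. The lag between launch and termination is the configuration recorder's detection delay plus the runbook's execution time, which is what "near-real time" means here.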