Which solution will meet these requirements in the MOST operationally efficient manner?
A. Configure a delegated administrator account for the organization. Create an AWS CloudFormation template that contains the Lambda function. Use CloudFormation StackSets to deploy the CloudFormation template from the delegated administrator account to all the member accounts in the organization. Create an Amazon EventBridge event bus in the delegated administrator account to invoke the Lambda function in each member account every 30 minutes.
B. Create a cross-account IAM role in the organization’s member accounts. Attach the AWSLambda_FullAccess policy and the AWSCloudFormationFullAccess policy to the role. Create an AWS CloudFormation template that contains the Lambda function and an Amazon EventBridge scheduled rule to invoke the Lambda function every 30 minutes. Create a custom script in the organization’s management account that assumes the role and deploys the CloudFormation template to the member accounts.
C. Configure a delegated administrator account for the organization. Create an AWS CloudFormation template that contains the Lambda function and an Amazon EventBridge scheduled rule to invoke the Lambda function every 30 minutes. Use CloudFormation StackSets to deploy the CloudFormation template from the delegated administrator account to all the member accounts in the organization.
D. Create a cross-account IAM role in the organization’s member accounts. Attach the AmazonS3FullAccess policy and the AWSCodeDeployDeployerAccess policy to the role. Use AWS CodeDeploy to assume the role to deploy the Lambda function from the organization’s management account. Configure an Amazon EventBridge scheduled rule in the member accounts to invoke the Lambda function every 30 minutes.
Explanations:
Option A: While this option uses CloudFormation StackSets and EventBridge effectively, it does not mention the tagging of the EBS volumes directly. It also requires the Lambda function to be invoked from the delegated administrator account, complicating permissions and access across member accounts.
Option B: This option suggests creating a cross-account IAM role and using a custom script to deploy the CloudFormation template, which adds complexity and operational overhead. It does not leverage CloudFormation StackSets, making it less efficient for managing multiple accounts.
Option C (correct): This option correctly utilizes a delegated administrator account and CloudFormation StackSets to deploy the Lambda function and the scheduled EventBridge rule efficiently across all member accounts. It automates the deployment process, ensuring consistency and operational efficiency.
Option D: This option introduces unnecessary complexity by using AWS CodeDeploy and assumes a cross-account IAM role. It does not address the automatic tagging of the unattached EBS volumes directly and relies on multiple services that increase management overhead.
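As an added illustration (not part of the original question or its explanations) of what the single CloudFormation template in option C would contain: the Lambda function, a least-privilege execution role, the EventBridge scheduled rule firing every 30 minutes, and the permission that lets EventBridge invoke the function. Because the whole unit ships in one template, StackSets can deploy it unchanged to every member account, and each account's function runs under its own local role rather than being invoked cross-account. The function's purpose (tagging unattached EBS volumes, as the explanations reference), the resource names, the tag key and value, and the Python runtime are all assumptions made for this example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Added example (not from the original page): tags unattached EBS volumes
  on a 30-minute schedule. Intended for deployment via StackSets to every
  member account, so all resources live in the target account.

Resources:
  # Execution role scoped to what the function actually needs.
  # ec2:DescribeVolumes only supports Resource "*"; CreateTags is limited
  # to volumes in this account and Region.
  TaggerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: TagUnattachedVolumes
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: ec2:DescribeVolumes
                Resource: '*'
              - Effect: Allow
                Action: ec2:CreateTags
                Resource: !Sub arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:volume/*

  # The Lambda function itself (inline code for the example; "Unattached"
  # tag key and "true" value are assumed).
  TaggerFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt TaggerRole.Arn
      Timeout: 60
      Code:
        ZipFile: |
          import boto3

          def handler(event, context):
              ec2 = boto3.client("ec2")
              # "available" is the status of a volume not attached to any instance
              paginator = ec2.get_paginator("describe_volumes")
              unattached = []
              for page in paginator.paginate(
                  Filters=[{"Name": "status", "Values": ["available"]}]
              ):
                  unattached += [v["VolumeId"] for v in page["Volumes"]]
              # Tag in batches so one call never carries an oversized resource list
              for i in range(0, len(unattached), 100):
                  ec2.create_tags(
                      Resources=unattached[i:i + 100],
                      Tags=[{"Key": "Unattached", "Value": "true"}],
                  )
              return {"tagged": len(unattached)}

  # The scheduled rule from option C: invoke the function every 30 minutes.
  ScheduleRule:
    Type: AWS::Events::Rule
    Properties:
      ScheduleExpression: rate(30 minutes)
      State: ENABLED
      Targets:
        - Arn: !GetAtt TaggerFunction.Arn
          Id: TaggerTarget

  # Without this resource-based permission EventBridge cannot invoke the function.
  InvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref TaggerFunction
      Action: lambda:InvokeFunction
      Principal: events.amazonaws.com
      SourceArn: !GetAtt ScheduleRule.Arn
```

From the delegated administrator account the template is registered once as a service-managed stack set (for example with `aws cloudformation create-stack-set --permission-model SERVICE_MANAGED --call-as DELEGATED_ADMIN --capabilities CAPABILITY_IAM`, pointing at the organizational units to cover); with auto-deployment enabled, accounts added to those OUs later receive the same stack automatically, which is the operational advantage the explanation for option C refers to. Note that the `SourceArn` on the permission restricts invocation to this specific rule, and the role grants no more than describe and tag rights, so a compromised or misbehaving function in one member account cannot reach beyond that account's volumes.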