Which solution will meet these requirements with the MOST operational efficiency?
Configure AWS Systems Manager on each instance. Use AWS Systems Manager Inventory. Use Systems Manager resource data sync to synchronize and store findings in an Amazon S3 bucket. Create an AWS Lambda function that runs when new objects are added to the S3 bucket. Configure the Lambda function to identify prohibited applications.
Configure AWS Systems Manager on each instance. Use Systems Manager Inventory. Create AWS Config rules that monitor changes from Systems Manager Inventory to identify prohibited applications.
Configure AWS Systems Manager on each instance. Use Systems Manager Inventory. Filter a trail in AWS CloudTrail for Systems Manager Inventory events to identify prohibited applications.
Designate Amazon CloudWatch Logs as the log destination for all application instances. Run an automated script across all instances to create an inventory of installed applications. Configure the script to forward the results to CloudWatch Logs. Create a CloudWatch alarm that uses filter patterns to search log data to identify prohibited applications.
Explanations:
While this option uses AWS Systems Manager Inventory and a Lambda function to identify prohibited applications, it requires multiple steps, including managing S3 buckets and Lambda functions. This adds complexity and operational overhead, making it less efficient.
This option uses AWS Systems Manager Inventory to collect application data and AWS Config rules to continuously monitor and enforce compliance. It streamlines the process of auditing EC2 instances for prohibited applications with minimal operational effort.
Although this option uses AWS Systems Manager Inventory and CloudTrail, filtering CloudTrail logs for Systems Manager events is not efficient for identifying prohibited applications. It involves a more manual approach and does not provide real-time monitoring like AWS Config does.
This option involves running a script on all instances to gather application data, which can be resource-intensive and less efficient. Additionally, using CloudWatch Logs and alarms for identifying prohibited applications is not as direct as utilizing Systems Manager and Config rules for compliance monitoring.