DOP-C02 Exam Questions

DOP-C02 Exam - Question 220


A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company needs an automated process across all AWS accounts to isolate any compromised Amazon EC2 instances when the instances receive a specific tag.

Which combination of steps will meet these requirements? (Choose two.)

Correct Answer: AE

To automatically isolate compromised Amazon EC2 instances across all AWS accounts when they receive a specific tag, deploy one CloudFormation template to every account with AWS CloudFormation StackSets, and have that template wire together AWS Lambda and Amazon EventBridge. StackSets deploys the stack to every account in the organization, so the isolation mechanism is the same everywhere and needs no per-account setup. The template should create an EC2 instance role with no IAM policies attached and a security group with no inbound or outbound rules; an instance placed on these can neither use its role to call AWS APIs nor exchange network traffic, which is what isolation means here. The template should also create a Lambda function that attaches this role and security group to an instance, and an EventBridge rule that invokes the function when the tag is applied, so a tagged instance is isolated without any manual step.
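As an added illustration (not part of the original question, answer or any AWS-provided code), the Lambda function described above could look like this in Python with boto3: it reads the instance IDs from an EventBridge "Tag Change on Resource" event, moves every network interface onto the rule-less security group, and replaces the instance profile with the policy-less role. The event shape, the tag name `Quarantine`, and the `ISOLATION_SG_ID` / `ISOLATION_PROFILE_ARN` environment variables (assumed to be exported by the stack) are assumptions; the sample event is constructed.

```python
import os

# Constructed sample of an EventBridge "Tag Change on Resource" event (assumed event shape).
SAMPLE_EVENT = {
    "source": "aws.tag", "detail-type": "Tag Change on Resource",
    "resources": ["arn:aws:ec2:us-east-1:111122223333:instance/i-0example1"],
    "detail": {"service": "ec2", "resource-type": "instance",
               "changed-tag-keys": ["Quarantine"], "tags": {"Quarantine": "true"}},
}

def quarantined_instances(event, tag_key="Quarantine", tag_value="true"):
    """Instance IDs whose changed tags now carry tag_key=tag_value; anything else is ignored
    (tag removed, other value, non-EC2 resource), so the function never acts on a false match."""
    d = event.get("detail", {})
    if d.get("service") != "ec2" or d.get("resource-type") != "instance":
        return []
    if tag_key not in d.get("changed-tag-keys", []) or d.get("tags", {}).get(tag_key) != tag_value:
        return []
    return [arn.rsplit("/", 1)[1] for arn in event.get("resources", [])]

def isolate_instance(ec2, instance_id, isolation_sg_id, isolation_profile_arn):
    """Move every ENI onto the rule-less security group (all traffic dropped) and swap the
    instance profile for the policy-less role. Returns the previous groups for the IR record."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    previous = {}
    for eni in inst.get("NetworkInterfaces", []):
        previous[eni["NetworkInterfaceId"]] = [g["GroupId"] for g in eni["Groups"]]
        ec2.modify_network_interface_attribute(NetworkInterfaceId=eni["NetworkInterfaceId"],
                                               Groups=[isolation_sg_id])
    assoc = ec2.describe_iam_instance_profile_associations(Filters=[
        {"Name": "instance-id", "Values": [instance_id]}, {"Name": "state", "Values": ["associated"]},
    ])["IamInstanceProfileAssociations"]
    profile = {"Arn": isolation_profile_arn}
    if assoc:  # replace keeps the instance running; associate covers instances with no profile
        ec2.replace_iam_instance_profile_association(IamInstanceProfile=profile,
                                                     AssociationId=assoc[0]["AssociationId"])
    else:
        ec2.associate_iam_instance_profile(IamInstanceProfile=profile, InstanceId=instance_id)
    return previous

def lambda_handler(event, context):
    import boto3  # imported lazily so the logic above is testable without AWS credentials
    ec2 = boto3.client("ec2")
    sg, role = os.environ["ISOLATION_SG_ID"], os.environ["ISOLATION_PROFILE_ARN"]  # from the stack
    return {i: isolate_instance(ec2, i, sg, role) for i in quarantined_instances(event)}
```

Swapping the instance profile does not invalidate temporary credentials the instance already obtained from its previous role; those stay valid until they expire, so the previous role's active sessions must be revoked separately. The returned map of previous security groups should be logged for the incident record so the change can be reversed after investigation.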

Discussion

9 comments
fdoxxx (Options: BC)
Apr 7, 2024

In my opinion it could not be AE, because we would need a mechanism to apply this template to the right EC2. I would vote for BC.

Jay_2pt0_1 (Options: AE)
May 13, 2024

What a weirdly worded question. I tend to agree with A & E. We need to isolate an EC2 that has a certain tag.

ogerber (Options: AE)
Mar 27, 2024

A, E for me.

MalonJay
May 9, 2024

AE. The question says isolate. What does isolate mean? Prevent outgoing and incoming traffic.

dkp (Options: AE)
Apr 13, 2024

I'll go with AE.

Ola2234
Apr 12, 2024

CE for me. Option D is wrong because we cannot use a Security Group for an explicit deny rule. Option B is quite misleading, with the resourceTagIsolation set to False instead of True.

seetpt (Options: BC)
May 2, 2024

BC for me

vn_thanhtung
May 25, 2024

So funny, how to isolate incoming traffic? B, C means a deny action with EC2.

vn_thanhtung
May 25, 2024

Answer is A, E

xdkonorek2 (Options: AE)
Jun 22, 2024

BD is wrong: isolating the instance doesn't mean "don't touch it" with AWS actions, but blocking traffic to and from it.

trungtd (Options: AE)
Jul 11, 2024

This CloudFormation template creates the necessary resources: An EC2 instance role with no IAM policies, ensuring the instance cannot perform any actions. A security group with no inbound or outbound rules, effectively isolating the instance from all network traffic. A Lambda function that will be triggered by an EventBridge rule when a specific tag is applied to an EC2 instance. This function will attach the isolated security group to the compromised instance, ensuring it is isolated from any network communication. Combining these steps will provide an automated and consistent approach to isolate compromised EC2 instances across all AWS accounts in the organization.