A company is running Amazon EC2 instances in multiple AWS accounts. A developer needs to implement an application that collects all the lifecycle events of the EC2 instances. The application needs to store the lifecycle events in a single Amazon Simple Queue Service (Amazon SQS) queue in the company's main AWS account for further processing.
Which solution will meet these requirements?
The best solution is to configure the permissions on the main account's event bus to receive events from all accounts. An Amazon EventBridge rule should be created in each account to send all the EC2 instance lifecycle events to the main account's event bus. Then, within the main account's event bus, an EventBridge rule should be set up to match all EC2 instance lifecycle events and target the SQS queue. This approach leverages EventBridge’s cross-account event sharing capabilities, ensures centralization of event management, and does not introduce unnecessary complexity or inefficiency.
The correct answer is D. Amazon EC2 instances can send the state-change notification events to Amazon EventBridge. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-instance-state-changes.html Amazon EventBridge can send and receive events between event buses in AWS accounts. https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-cross-account.html
thanks a lot
This question came in exam. Correct answer is D.
Seems to me the correct answer is B. The current most voted answer is B, but can someone explain why it’s better than B? I think B is better because it has fewer steps. The events go straight from each account into the queue. Unlike in D which has the intermediate step of the event bus of the main account. Also, why would you want to pollute the event bus of the main account with events from other accounts when it isn’t necessary?
Answer A: This makes more sense and a simplified solution.
I think the answer to this question is also A.
My answer is D
B Answer A is incorrect because Amazon EventBridge events can't be sent directly from one account's event bus to another. Answer C is incorrect because it's unnecessary and inefficient to use Lambda to periodically scan all EC2 instances for lifecycle changes. Amazon EventBridge can capture these events automatically as they occur. Answer D is incorrect because it is not possible to configure the main account event bus to receive events from all accounts directly, and Amazon EventBridge events can't be sent directly from one account's event bus to another. The EventBridge rules need to be set up in the accounts where the events are generated.
Sorry Im wrong, AWS allow to send and receive Amazon EventBridge events between AWS accounts. https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-cross-account.html Both B and D works, but D is more centralized
The correct answer is D. https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-cross-account.html
This solution allows the collection of all the lifecycle events of the EC2 instances from multiple AWS accounts and stores them in a single Amazon SQS queue in the company’s main AWS account for further processing
https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-cross-account.html
D is correct answer.
D is the correct answer.
Tried to implement both B and D It's tricky, because B could be possible but you can't select cross-account SQS as target to the rule, option D is 100% correct
Answer C is correct
Option D is not the best solution because it involves configuring the permissions on the main account's EventBridge event bus to receive events from all accounts, which can lead to potential security risks. Allowing other AWS accounts to send events to the main account's EventBridge event bus can potentially open up a security vulnerability, as it increases the attack surface area for the main account. On the other hand, option A is the best solution because it involves using Amazon EventBridge, which is a serverless event bus that can be used to route events between AWS services or AWS accounts. By configuring Amazon EC2 to deliver the EC2 instance lifecycle events from all accounts to the Amazon EventBridge event bus of the main account, and adding the SQS queue as a target of the rule, the application can collect all the lifecycle events of the EC2 instances in a single queue in the main account without compromising the security posture of the AWS environment.
B solution meets all da requirements. By using resource policies, you can grant permissions for other accounts to write to the SQS queue in the main account. Then, you create EventBridge rules in each account dat match EC2 lifecycle events and use da main account's SQS queue as a target for these rules. It's da best choice for dis scenario.
For Option C using lambda does not seem to be a good solution as we would have to trigger lambda on some schedule and it will has less granularity in time. For D. Why would we be matching EC2 instance lifecycle events in Main account event bus and not in each account event bus and reducing overhead for main account