Home › Forums › General Discussions › SA Pro – Review mode set 3, question 48 › Reply To: SA Pro – Review mode set 3, question 48
-
Hello AndreaCoda,
Thank you for your feedback.
The explanation for the incorrect answer:
Set up IAM policies to restrict the ability of users to launch EC2 instances based on a specific set of pre-approved AMIs which were tagged by the Security team is incorrect because setting up an IAM Policy will totally restrict the development team from launching EC2 instances with unapproved AMIs which could impact their CI/CD process. The scenario clearly says that the solution should not have any interruption in the company’s development process.
>> I understand that the explanation may have emphasized hard on the “should not have any interruption in the company’s development process” part, but this option is incorrect because it does not satisfy the requirement on the question itself “Any new application release must be deployed first before the solution could analyze if it is using a pre-approved AMI or not.“
If the development team creates a new AMI for their deployments, the CI/CD process will not run because they can’t launch the new AMI that is not yet approved by the Security Team.
how can (3), which is automatically terminating them, not be impacting them???
(3) Set up AWS Config rules to determine any launches of EC2 instances based on non-approved AMIs and then trigger an AWS Lambda function to automatically terminate the instance. Afterwards, publish a message to an SNS topic to inform the Security team about the occurrence.
>> In contrast to the incorrect answer above, this answer is correct because it satisfies the requirement: “Any new application release must be deployed first before the solution could analyze if it is using a pre-approved AMI or not.“
It won’t hinder the CI/CD process as it will allow the new application AMI to be deployed. You can schedule AWS config to run at regular intervals (ex: like 2 hours) to check if any EC2 instances that are using a non-approved AMI, and then take action to delete the instances. This answer is still acceptable because it allows the development team to deploy their new AMI, and test it. Even though after the regular interval check for AWS Config, the instances will be deleted automatically.
Hope this helps.
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!
Regards,
Kenneth Samonte @ Tutorials Dojo