A security engineer must ensure that all infrastructure launched in the company AWS account be monitored for deviation from compliance rules. All EC2 instances must be launched from one of a specified list of AMIs with all attached EBS volumes being encrypted. The non-compliant infrastructure should be terminated.
What combination of steps should the engineer choose? (Select TWO.)
 

Answer options:

A.Set up a CloudWatch event based on Trusted Advisor metrics.
B.Trigger a Lambda function from the CloudWatch event rule for AWS Config "Compliance Rules Notification Change" to terminate the non-compliant infrastructure.
C.Set up a CloudWatch event based on Amazon Inspector findings.
D.Monitor compliance with AWS Config Rules triggered by configuration changes.
E.Trigger a CLI command in an EC2 instance from a CloudWatch event to terminate the infrastructure.

Answer: B and D
Option A is incorrect because CloudWatch events based on Trusted Advisor metrics would not help identify if the infrastructure is compliant.
Option B is correct because the Lambda function can be triggered by the AWS CloudWatch event rule and terminate all the non-compliant infrastructure.
Option C is incorrect because Amazon Inspector cannot be used to check whether instances are launched from a specific AMI.
Option D is correct because AWS Config can be used to monitor the compliance checks and trigger an alarm/event if there is any non-compliant infrastructure.
Option E is incorrect because triggering a CLI command would not be a cost-efficient option. Instead, you should use a Lambda function as it is serverless.
For more information on AWS Config Rules, kindly refer to the below URL:
https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config-rules.html
For more information on CloudWatch events, please see the below Link:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/WhatIsCloudWatchEvents.html
https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html