Exam AWS Certified Developer - Associate DVA-C02 topic 1 question 2 discussion

The correct answer is D. Amazon EC2 instances can send the state-change notification events to Amazon EventBridge. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-instance-state-changes.html Amazon EventBridge can send and receive events between event buses in AWS accounts. https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-cross-account.html

This question came in exam. Correct answer is D.

Either C or D. Down side of C: Needs to trigger everyone min but very flexible. D: is completely automated but giving access to other aws account is not safe.

https://docs.aws.amazon.com/us_en/eventbridge/latest/userguide/eb-cross-account.html#:~:text=You%20can%20configure%20EventBridge%20to%20send%20and%20receive,events%20from%20the%20event%20bus%20in%20your%20account.

==> Discard C: lamdba scans ==> it will be delay by scan all data ==> Discard A: 'matches all EC2 instance' ==> hard to maintain, when updating many times can occurs ==> Discard B: it works, but it maybe have some security problem when pushing raw data (not clean) into SQS. It also doesn't take advantage of D: By configuring the main account's event bus to accept events from other accounts and adding rules in those accounts to forward lifecycle events, this solution achieves secure and efficient centralization. EventBridge then routes the events to an SQS queue in the main account for further processing.

https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-cross-account.html

D is correct answer.

D is the correct answer.

Tried to implement both B and D It's tricky, because B could be possible but you can't select cross-account SQS as target to the rule, option D is 100% correct

My answer is D

Answer C is correct

Seems to me the correct answer is B. The current most voted answer is B, but can someone explain why it’s better than B? I think B is better because it has fewer steps. The events go straight from each account into the queue. Unlike in D which has the intermediate step of the event bus of the main account. Also, why would you want to pollute the event bus of the main account with events from other accounts when it isn’t necessary?

B Answer A is incorrect because Amazon EventBridge events can't be sent directly from one account's event bus to another. Answer C is incorrect because it's unnecessary and inefficient to use Lambda to periodically scan all EC2 instances for lifecycle changes. Amazon EventBridge can capture these events automatically as they occur. Answer D is incorrect because it is not possible to configure the main account event bus to receive events from all accounts directly, and Amazon EventBridge events can't be sent directly from one account's event bus to another. The EventBridge rules need to be set up in the accounts where the events are generated.

The correct answer is D. https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-cross-account.html

Option D is not the best solution because it involves configuring the permissions on the main account's EventBridge event bus to receive events from all accounts, which can lead to potential security risks. Allowing other AWS accounts to send events to the main account's EventBridge event bus can potentially open up a security vulnerability, as it increases the attack surface area for the main account. On the other hand, option A is the best solution because it involves using Amazon EventBridge, which is a serverless event bus that can be used to route events between AWS services or AWS accounts. By configuring Amazon EC2 to deliver the EC2 instance lifecycle events from all accounts to the Amazon EventBridge event bus of the main account, and adding the SQS queue as a target of the rule, the application can collect all the lifecycle events of the EC2 instances in a single queue in the main account without compromising the security posture of the AWS environment.

B solution meets all da requirements. By using resource policies, you can grant permissions for other accounts to write to the SQS queue in the main account. Then, you create EventBridge rules in each account dat match EC2 lifecycle events and use da main account's SQS queue as a target for these rules. It's da best choice for dis scenario.

This solution allows the collection of all the lifecycle events of the EC2 instances from multiple AWS accounts and stores them in a single Amazon SQS queue in the company’s main AWS account for further processing