A company’s security team requires that all external Application Load Balancers (ALBs)
and Amazon API Gateway APIs are associated with AWS WAF web ACLs. The company
has hundreds of AWS accounts, all of which are included in a single organization in AWS
Organizations. The company has configured AWS Config for the organization. During an
audit, the company finds some externally facing ALBs that are not associated with AWS
WAF web ACLs.
Which combination of steps should a DevOps engineer take to prevent future violations?
(Choose two.)
A. Delegate AWS Firewall Manager to a security account.
B. Delegate Amazon GuardDuty to a security account.
C. Create an AWS Firewall Manager policy to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.
D. Create an Amazon GuardDuty policy to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.
E. Configure an AWS Config managed rule to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.
Explanation: A and C. AWS Firewall Manager is the service that applies AWS WAF web ACLs centrally across an organization, and it must first be delegated to an administrator account (A), normally the security account. A Firewall Manager AWS WAF policy (C) then defines the web ACL rules and the in-scope resource types (Application Load Balancers and API Gateway APIs, among others) and creates and associates a web ACL in every in-scope account as those resources are created. If you also want to apply the policy to existing in-scope resources, choose Auto remediate any noncompliant resources. This option creates a web ACL in each applicable account within the AWS organization and associates the web ACL with the resources in the accounts. When you choose Auto remediate any noncompliant resources, you can also choose to remove existing web ACL associations from in-scope resources, for the web ACLs that aren't managed by another active Firewall Manager policy. If you choose this option, Firewall Manager first associates the policy's web ACL with the resources, and then removes the prior associations. If a resource has an association with another web ACL that's managed by a different active Firewall Manager policy, this choice doesn't affect that association. Amazon GuardDuty (B, D) is a threat detection service with no policy mechanism for attaching web ACLs, and an AWS Config managed rule (E) evaluates and reports compliance; it does not attach web ACLs.
A company's application development team uses Linux-based Amazon EC2 instances as
bastion hosts. Inbound SSH access to the bastion hosts is restricted to specific IP
addresses, as defined in the associated security groups. The company's security team
wants to receive a notification if the security group rules are modified to allow SSH access
from any IP address.
What should a DevOps engineer do to meet this requirement?
A. Create an Amazon EventBridge rule with a source of aws.cloudtrail and the event name AuthorizeSecurityGroupIngress. Define an Amazon Simple Notification Service (Amazon SNS) topic as the target.
B. Enable Amazon GuardDuty and check the findings for security groups in AWS Security Hub. Configure an Amazon EventBridge rule with a custom pattern that matches GuardDuty events with an output of NON_COMPLIANT. Define an Amazon Simple Notification Service (Amazon SNS) topic as the target.
C. Create an AWS Config rule by using the restricted-ssh managed rule to check whether security groups disallow unrestricted incoming SSH traffic. Configure automatic remediation to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.
D. Enable Amazon Inspector. Include the Common Vulnerabilities and Exposures-1.1 rules package to check the security groups that are associated with the bastion hosts. Configure Amazon Inspector to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.
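The check that the restricted-ssh managed rule (option C) performs is simple enough to reproduce and test against describe_security_groups output. The block below is an added example, not code from the page or from AWS Config: it evaluates security-group dicts in the boto3 describe_security_groups shape and reports NON_COMPLIANT when a single inbound rule both covers TCP/22 and admits 0.0.0.0/0 or ::/0. The sample groups are constructed for the demo.

```python
"""Evaluate EC2 security groups the way the AWS Config managed rule
restricted-ssh does: a group is NON_COMPLIANT when any inbound rule lets
TCP/22 in from 0.0.0.0/0 or ::/0.  Added example, not from the page; the
group dicts below mimic the describe_security_groups shape and are
constructed for the demo."""

SSH_PORT = 22
WORLD = {"0.0.0.0/0", "::/0"}


def _rule_covers_port(perm: dict, port: int) -> bool:
    """True if one IpPermissions entry includes `port`.  -1 means every
    protocol and port; a TCP rule without a range means every TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return True
    return lo <= port <= hi


def _rule_open_to_world(perm: dict) -> bool:
    """True if the rule's IPv4 or IPv6 source is the entire internet."""
    v4 = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    v6 = {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
    return bool((v4 | v6) & WORLD)


def evaluate_group(group: dict) -> str:
    """COMPLIANT unless some inbound rule is both on port 22 and world-open.
    Both tests must hit the *same* rule: 443 from anywhere plus 22 from an
    office range is fine."""
    for perm in group.get("IpPermissions", []):
        if _rule_covers_port(perm, SSH_PORT) and _rule_open_to_world(perm):
            return "NON_COMPLIANT"
    return "COMPLIANT"


def evaluate_groups(groups) -> dict:
    """Map GroupId -> compliance for a list of security groups."""
    return {g["GroupId"]: evaluate_group(g) for g in groups}


# Constructed sample: what describe_security_groups()["SecurityGroups"] might return.
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion-ok", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-bastion-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-all-v6", "IpPermissions": [
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-port-range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for gid, status in evaluate_groups(SAMPLE_GROUPS).items():
        print(f"{gid}: {status}")
```

Note what the managed rule does not catch: it only flags the two literal "anywhere" prefixes, so a rule admitting 0.0.0.0/1 and 128.0.0.0/1 (together the whole internet) passes. If that matters, compare prefix lengths instead of exact strings.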
A company manages a multi-tenant environment in its VPC and has configured Amazon
GuardDuty for the corresponding AWS account. The company sends all GuardDuty
findings to AWS Security Hub.
Traffic from suspicious sources is generating a large number of findings. A DevOps
engineer needs to implement a solution to automatically deny traffic across the entire VPC
when GuardDuty discovers a new suspicious source.
Which solution will meet these requirements?
A. Create a GuardDuty threat list. Configure GuardDuty to reference the list. Create an AWS Lambda function that will update the threat list. Configure the Lambda function to run in response to new Security Hub findings that come from GuardDuty.
B. Configure an AWS WAF web ACL that includes a custom rule group. Create an AWS Lambda function that will create a block rule in the custom rule group. Configure the Lambda function to run in response to new Security Hub findings that come from GuardDuty.
C. Configure a firewall in AWS Network Firewall. Create an AWS Lambda function that will create a Drop action rule in the firewall policy. Configure the Lambda function to run in response to new Security Hub findings that come from GuardDuty.
D. Create an AWS Lambda function that will create a GuardDuty suppression rule. Configure the Lambda function to run in response to new Security Hub findings that come from GuardDuty.
An AWS CodePipeline pipeline has implemented a code release process. The pipeline is
integrated with AWS CodeDeploy to deploy versions of an application to multiple Amazon
EC2 instances for each CodePipeline stage.
During a recent deployment the pipeline failed due to a CodeDeploy issue. The DevOps
team wants to improve monitoring and notifications during deployment to decrease
resolution times.
What should the DevOps engineer do to create notifications when issues are discovered?
A. Implement Amazon CloudWatch Logs for CodePipeline and CodeDeploy, create an AWS Config rule to evaluate code deployment issues, and create an Amazon Simple Notification Service (Amazon SNS) topic to notify stakeholders of deployment issues.
B. Implement Amazon EventBridge for CodePipeline and CodeDeploy, create an AWS Lambda function to evaluate code deployment issues, and create an Amazon Simple Notification Service (Amazon SNS) topic to notify stakeholders of deployment issues.
C. Implement AWS CloudTrail to record CodePipeline and CodeDeploy API call information, create an AWS Lambda function to evaluate code deployment issues, and create an Amazon Simple Notification Service (Amazon SNS) topic to notify stakeholders of deployment issues.
D. Implement Amazon EventBridge for CodePipeline and CodeDeploy, create an Amazon Inspector assessment target to evaluate code deployment issues, and create an Amazon Simple Notification Service (Amazon SNS) topic to notify stakeholders of deployment issues.
Explanation: B. Both CodePipeline and CodeDeploy publish state-change events to Amazon EventBridge (formerly CloudWatch Events), for example CodePipeline Pipeline Execution State Change and CodeDeploy Deployment State-change Notification events. An EventBridge rule can match the failure states and invoke an AWS Lambda function; the function evaluates the event (which pipeline, stage, deployment and deployment group failed) and publishes a message to an Amazon SNS topic that the stakeholders subscribe to. This gives near real-time notification and shortens resolution times. AWS Config (A) evaluates resource configuration, not deployment outcomes; CloudTrail (C) records API calls rather than deployment state, so it is a weaker trigger than the services' own events; Amazon Inspector (D) assesses instances for vulnerabilities and has nothing to say about deployments.
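The EventBridge-to-Lambda-to-SNS path described above, as an added example that is not code from the page or from AWS. The two rule patterns use the documented source and detail-type values for CodePipeline and CodeDeploy; the topic ARN, the handler and the sample events are constructed, and the SNS client is injected so the handler can be exercised without AWS access.

```python
"""Turn CodePipeline/CodeDeploy failure events into SNS notifications.
Added example, not the page's or AWS's code.  The event patterns use the
documented source/detail-type values; the topic ARN, handler and sample
events are constructed, and the SNS client is injected for offline use."""
import os
from typing import Optional

# EventBridge rule patterns (one rule per service, both targeting the Lambda).
PIPELINE_FAILED_PATTERN = {
    "source": ["aws.codepipeline"],
    "detail-type": ["CodePipeline Pipeline Execution State Change"],
    "detail": {"state": ["FAILED"]},
}
DEPLOYMENT_FAILED_PATTERN = {
    "source": ["aws.codedeploy"],
    "detail-type": ["CodeDeploy Deployment State-change Notification"],
    "detail": {"state": ["FAILURE"]},
}


def summarize(event: dict) -> Optional[dict]:
    """Reduce an EventBridge event to a subject/body pair, or None when the
    event is not a failure worth paging on.  Filtering here as well as in the
    rule pattern keeps the handler safe if someone widens the rule later."""
    src, detail = event.get("source"), event.get("detail", {})
    if src == "aws.codepipeline" and detail.get("state") == "FAILED":
        return {
            "subject": f"Pipeline failed: {detail.get('pipeline')}",
            "body": (f"Pipeline {detail.get('pipeline')} execution "
                     f"{detail.get('execution-id')} failed in {event.get('region')}."),
        }
    if src == "aws.codedeploy" and detail.get("state") == "FAILURE":
        return {
            "subject": f"Deployment failed: {detail.get('application')}",
            "body": (f"Deployment {detail.get('deploymentId')} of {detail.get('application')} "
                     f"to group {detail.get('deploymentGroup')} failed in {detail.get('region')}."),
        }
    return None


def handler(event: dict, context=None, sns=None, topic_arn: Optional[str] = None) -> dict:
    """Lambda entry point.  TOPIC_ARN comes from the environment in production;
    `sns` is any object with a boto3-compatible publish()."""
    topic_arn = topic_arn or os.environ.get("TOPIC_ARN")
    msg = summarize(event)
    if msg is None:
        return {"published": False}
    if sns is None:
        import boto3  # imported lazily so the module loads without boto3 installed
        sns = boto3.client("sns")
    # SNS subjects are limited to 100 characters.
    sns.publish(TopicArn=topic_arn, Subject=msg["subject"][:100], Message=msg["body"])
    return {"published": True, "subject": msg["subject"]}


# Constructed sample events in the shape EventBridge delivers.
SAMPLE_DEPLOY_FAILURE = {
    "source": "aws.codedeploy", "region": "us-east-1",
    "detail-type": "CodeDeploy Deployment State-change Notification",
    "detail": {"region": "us-east-1", "application": "orders-api",
               "deploymentId": "d-EXAMPLE123", "state": "FAILURE",
               "deploymentGroup": "orders-prod"},
}
SAMPLE_PIPELINE_SUCCESS = {
    "source": "aws.codepipeline", "region": "us-east-1",
    "detail-type": "CodePipeline Pipeline Execution State Change",
    "detail": {"pipeline": "orders-release", "execution-id": "abc-123", "state": "SUCCEEDED"},
}


class RecordingSNS:
    """Stand-in for boto3's SNS client that records what would be sent."""
    def __init__(self):
        self.published = []

    def publish(self, **kwargs):
        self.published.append(kwargs)
        return {"MessageId": str(len(self.published))}


if __name__ == "__main__":
    sns = RecordingSNS()
    topic = "arn:aws:sns:us-east-1:123456789012:deploy-alerts"
    print(handler(SAMPLE_DEPLOY_FAILURE, sns=sns, topic_arn=topic))
    print(handler(SAMPLE_PIPELINE_SUCCESS, sns=sns, topic_arn=topic))
    print(sns.published)
```

The Lambda's execution role needs only sns:Publish on that one topic; keep the topic's access policy restricted to the function's role so nothing else in the account can inject "deployment failed" pages.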
A space exploration company receives telemetry data from multiple satellites. Small
packets of data are received through Amazon API Gateway and are placed directly into an
Amazon Simple Queue Service (Amazon SQS) standard queue. A custom application is
subscribed to the queue and transforms the data into a standard format.
Because of inconsistencies in the data that the satellites produce, the application is
occasionally unable to transform the data. In these cases, the messages remain in the
SQS queue. A DevOps engineer must develop a solution that retains the failed messages
and makes them available to scientists for review and future processing.
Which solution will meet these requirements?
A. Configure AWS Lambda to poll the SQS queue and invoke a Lambda function to check whether the queue messages are valid. If validation fails, send a copy of the data that is not valid to an Amazon S3 bucket so that the scientists can review and correct the data. When the data is corrected, amend the message in the SQS queue by using a replay Lambda function with the corrected data.
B. Convert the SQS standard queue to an SQS FIFO queue. Configure AWS Lambda to poll the SQS queue every 10 minutes by using an Amazon EventBridge schedule. Invoke the Lambda function to identify any messages with a SentTimestamp value that is older than 5 minutes, push the data to the same location as the application's output location, and remove the messages from the queue.
C. Create an SQS dead-letter queue. Modify the existing queue by including a redrive policy that sets the Maximum Receives setting to 1 and sets the dead-letter queue ARN to the ARN of the newly created queue. Instruct the scientists to use the dead-letter queue to review the data that is not valid. Reprocess this data at a later time.
D. Configure API Gateway to send messages to different SQS virtual queues that are named for each of the satellites. Update the application to use a new virtual queue for any data that it cannot transform, and send the message to the new virtual queue. Instruct the scientists to use the virtual queue to review the data that is not valid. Reprocess this data at a later time.
Explanation: C. An SQS dead-letter queue (DLQ) is a second queue to which the source queue's redrive policy moves messages after they have been received maxReceiveCount times without being deleted. With Maximum Receives set to 1, a message that the application fails to transform (and therefore never deletes) is moved to the DLQ as soon as its visibility timeout expires, instead of being redelivered to the application. The scientists read the DLQ to review the data that is not valid, and the messages can be reprocessed later (SQS can also redrive DLQ messages back to the source queue). The other options reimplement in custom code what SQS already provides: A copies bad data to S3 and then tries to amend messages in the queue, which SQS does not support; B changes the queue type and discards the failed messages; D relies on "virtual queues", which are a client-library construct rather than a way to retain failed messages for review.
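The redrive policy and a consumer that relies on it, as an added example that is not the page's or the company's code. The queue URL and ARN are placeholders, `normalize` stands in for the satellite application's real transform, and FakeSQS is a constructed in-memory substitute for the two boto3 calls used, applying the maxReceiveCount rule on receive so the whole flow runs offline.

```python
"""SQS dead-letter queue handling for the telemetry queue.  Added example,
not the page's code: the queue URL/ARN are placeholders, `normalize` stands
in for the application's transform, and FakeSQS is a constructed in-memory
stand-in that applies the redrive rule so the flow runs offline."""
import json
from typing import Callable


def redrive_policy_attributes(dlq_arn: str, max_receive_count: int = 1) -> dict:
    """Attributes for sqs.set_queue_attributes(QueueUrl=<source queue>, Attributes=...).
    maxReceiveCount=1: a message received once and not deleted is moved to the
    DLQ instead of being redelivered, so a bad packet is never retried."""
    if max_receive_count < 1:
        raise ValueError("maxReceiveCount must be at least 1")
    return {"RedrivePolicy": json.dumps({
        "deadLetterTargetArn": dlq_arn,
        "maxReceiveCount": max_receive_count,
    })}


def process_batch(sqs, queue_url: str, transform: Callable[[dict], dict]) -> dict:
    """Receive a batch and delete only the messages that transform cleanly.
    A failed message is deliberately *not* deleted and not re-queued by the
    consumer; SQS's redrive policy moves it to the DLQ on the next receive."""
    resp = sqs.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=10)
    done, failed = [], []
    for m in resp.get("Messages", []):
        try:
            transform(json.loads(m["Body"]))
        except (ValueError, KeyError, TypeError):
            failed.append(m["MessageId"])
            continue
        sqs.delete_message(QueueUrl=queue_url, ReceiptHandle=m["ReceiptHandle"])
        done.append(m["MessageId"])
    return {"processed": done, "left_for_dlq": failed}


def normalize(record: dict) -> dict:
    """Stand-in transform: requires sat, ts and payload fields."""
    return {"satellite": record["sat"], "timestamp": int(record["ts"]), "data": record["payload"]}


class FakeSQS:
    """Two boto3 calls, in memory, with the redrive rule applied on receive."""
    def __init__(self, bodies, max_receive_count=1):
        self.msgs = [{"MessageId": f"m{i}", "ReceiptHandle": f"rh{i}", "Body": b, "_rc": 0}
                     for i, b in enumerate(bodies)]
        self.dlq, self.max_rc = [], max_receive_count

    def receive_message(self, QueueUrl, MaxNumberOfMessages=1, **_):
        out = []
        for m in list(self.msgs):
            if m["_rc"] >= self.max_rc:      # another delivery would exceed maxReceiveCount
                self.msgs.remove(m)
                self.dlq.append(m)
            elif len(out) < MaxNumberOfMessages:
                m["_rc"] += 1
                out.append(m)
        return {"Messages": out}

    def delete_message(self, QueueUrl, ReceiptHandle):
        self.msgs = [m for m in self.msgs if m["ReceiptHandle"] != ReceiptHandle]


# Constructed telemetry packets: one good, one not JSON, one missing a field.
SAMPLE_BODIES = [
    json.dumps({"sat": "SAT-1", "ts": 1700000000, "payload": "1f2e"}),
    "garbled packet, not JSON",
    json.dumps({"sat": "SAT-2", "payload": "2a"}),
]
QUEUE_URL = "https://sqs.us-east-1.amazonaws.com/123456789012/telemetry"


def demo():
    sqs = FakeSQS(SAMPLE_BODIES, max_receive_count=1)
    first = process_batch(sqs, QUEUE_URL, normalize)
    second = process_batch(sqs, QUEUE_URL, normalize)   # failures now land in the DLQ
    return first, second, [m["MessageId"] for m in sqs.dlq]


if __name__ == "__main__":
    print(redrive_policy_attributes("arn:aws:sqs:us-east-1:123456789012:telemetry-dlq"))
    print(demo())
```

Two operational details matter for the scientists' review window: a message's retention clock starts when it was first sent, not when it was moved to the DLQ, so give the DLQ the maximum 14-day retention and archive to S3 if review can take longer; and with maxReceiveCount set to 1, any crash of the consumer mid-message also sends that message to the DLQ, which is acceptable here because nothing is lost, only deferred.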
A company uses an organization in AWS Organizations to manage multiple AWS accounts.
The company needs an automated process across all AWS accounts to isolate any
compromised Amazon EC2 instances when the instances receive a specific tag.
Which combination of steps will meet these requirements? (Select TWO.)
A. Use AWS CloudFormation StackSets to deploy the CloudFormation stacks in all AWS accounts.
B. Create an SCP that has a Deny statement for the ec2:* action with a condition of "aws:RequestTag/isolation": false.
C. Attach the SCP to the root of the organization.
D. Create an AWS CloudFormation template that creates an EC2 instance role that has no IAM policies attached. Configure the template to have a security group that has an explicit Deny rule on all traffic. Use the CloudFormation template to create an AWS Lambda function that attaches the IAM role to instances. Configure the Lambda function to add a network ACL. Set up an Amazon EventBridge rule to invoke the Lambda function when a specific tag is applied to a compromised EC2 instance.
E. Create an AWS CloudFormation template that creates an EC2 instance role that has no IAM policies attached. Configure the template to have a security group that has no inbound rules or outbound rules. Use the CloudFormation template to create an AWS Lambda function that attaches the IAM role to instances. Configure the Lambda function to replace any existing security groups with the new security group. Set up an Amazon EventBridge rule to invoke the Lambda function when a specific tag is applied to a compromised EC2 instance.
Explanation:
Step 1: Deploy the automation with CloudFormation StackSets. To automate the process across every account in the organization, use AWS CloudFormation StackSets. A stack set deploys one CloudFormation template to multiple accounts (and Regions) in the organization, so every account receives the same Lambda function, quarantine security group, instance role and EventBridge rule.
Action: Use AWS CloudFormation StackSets to deploy the necessary resources across all AWS accounts, including the Lambda function and the security group that isolate compromised EC2 instances.
Why: StackSets make it straightforward to deploy and manage identical resources across many accounts, reducing operational overhead. An SCP (options B and C) cannot do this job: an SCP limits which API calls principals in an account may make; it does not change what network traffic can reach an instance.
Reference: AWS documentation on CloudFormation StackSets.
This corresponds to Option A: Use AWS CloudFormation StackSets to deploy the CloudFormation stacks in all AWS accounts.
Step 2: Isolate EC2 instances with Lambda and security groups. When an EC2 instance is compromised, it must be cut off from the network. Replacing the instance's security groups with a security group that has no inbound and no outbound rules does this, because a security group permits only what its rules allow; it has no explicit Deny rules at all, which is why option D's "explicit Deny rule" is not something a security group can express. A Lambda function performs the swap and is invoked by an Amazon EventBridge rule when the specific tag (for example, "isolation") is applied to the compromised instance.
Action: Create a Lambda function that replaces the existing security groups on the compromised EC2 instance with the isolation security group (no inbound or outbound rules) and attaches the IAM role that has no policies. Set up an EventBridge rule that invokes the Lambda function when the "isolation" tag is applied to the instance.
Why: This automates the isolation, so a compromised instance is cut off as soon as it is tagged, limiting what an attacker can still reach. Swapping the instance role for one with no policies stops the instance from obtaining new AWS credentials; temporary credentials that were already issued remain valid until they expire, so if credential theft is suspected, also revoke the original role's active sessions.
Reference: AWS documentation on tag-based event handling in EventBridge.
This corresponds to Option E: Create an AWS CloudFormation template that creates an EC2 instance role that has no IAM policies attached. Configure the template to have a security group that has no inbound rules or outbound rules. Use the CloudFormation template to create an AWS Lambda function that attaches the IAM role to instances. Configure the Lambda function to replace any existing security groups with the new security group. Set up an Amazon EventBridge rule to invoke the Lambda function when a specific tag is applied to a compromised EC2 instance.
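The tag-triggered isolation Lambda from Step 2, as an added example that is not the page's template or the company's code. The rule pattern uses the tagging service's documented "Tag Change on Resource" event; the quarantine security group ID, the sample event and FakeEC2 are constructed, and the EC2 client is injected so the logic runs without AWS credentials.

```python
"""Quarantine an EC2 instance when it is tagged isolation=true.  Added
example, not the page's template: the quarantine security group ID, the
sample event and FakeEC2 are constructed, and the EC2 client is injected so
the logic runs without AWS credentials."""
import os
from typing import Optional

ISOLATION_TAG = "isolation"

# EventBridge rule pattern for the tagging service's "Tag Change on Resource"
# event, narrowed to EC2 instances whose `isolation` tag changed.
TAG_EVENT_PATTERN = {
    "source": ["aws.tag"],
    "detail-type": ["Tag Change on Resource"],
    "detail": {
        "service": ["ec2"],
        "resource-type": ["instance"],
        "changed-tag-keys": [ISOLATION_TAG],
    },
}


def should_isolate(event: dict) -> Optional[str]:
    """Return the instance ID if the tag is now set to a true-ish value.
    Removing the tag is also a 'change', so check the value, not just the key."""
    detail = event.get("detail", {})
    if detail.get("service") != "ec2" or detail.get("resource-type") != "instance":
        return None
    value = str(detail.get("tags", {}).get(ISOLATION_TAG, "")).strip().lower()
    if value not in ("true", "1", "yes"):
        return None
    resources = event.get("resources") or []
    # arn:aws:ec2:<region>:<account>:instance/i-0123456789abcdef0
    return resources[0].rsplit("/", 1)[-1] if resources else None


def isolate_instance(ec2, instance_id: str, quarantine_sg: str) -> dict:
    """Swap every security group on every ENI of the instance for the
    quarantine group (no inbound or outbound rules).  Groups belong to the
    ENI, so walk the interfaces instead of touching only the primary one,
    and record what was there for the incident timeline."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    previous = {}
    for eni in inst.get("NetworkInterfaces", []):
        eni_id = eni["NetworkInterfaceId"]
        previous[eni_id] = sorted(g["GroupId"] for g in eni.get("Groups", []))
        ec2.modify_network_interface_attribute(NetworkInterfaceId=eni_id, Groups=[quarantine_sg])
    return {"instance": instance_id, "previous_groups": previous}


def handler(event: dict, context=None, ec2=None, quarantine_sg: Optional[str] = None) -> dict:
    """Lambda entry point.  QUARANTINE_SG is set per account by the stack."""
    quarantine_sg = quarantine_sg or os.environ["QUARANTINE_SG"]
    instance_id = should_isolate(event)
    if instance_id is None:
        return {"isolated": False}
    if ec2 is None:
        import boto3  # lazy so the module loads without boto3
        ec2 = boto3.client("ec2")
    return {"isolated": True, **isolate_instance(ec2, instance_id, quarantine_sg)}


# Constructed sample event in the documented shape.
SAMPLE_EVENT = {
    "source": "aws.tag",
    "detail-type": "Tag Change on Resource",
    "resources": ["arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"],
    "detail": {"changed-tag-keys": ["isolation"], "service": "ec2",
               "resource-type": "instance", "version": 3,
               "tags": {"isolation": "true", "Name": "web-1"}},
}


class FakeEC2:
    """Records the two EC2 calls the handler makes; one instance with two ENIs."""
    def __init__(self):
        self.calls = []

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [{
            "InstanceId": InstanceIds[0],
            "NetworkInterfaces": [
                {"NetworkInterfaceId": "eni-primary",
                 "Groups": [{"GroupId": "sg-web"}, {"GroupId": "sg-ssh"}]},
                {"NetworkInterfaceId": "eni-data", "Groups": [{"GroupId": "sg-db"}]},
            ]}]}]}

    def modify_network_interface_attribute(self, NetworkInterfaceId, Groups):
        self.calls.append((NetworkInterfaceId, list(Groups)))


if __name__ == "__main__":
    fake = FakeEC2()
    print(handler(SAMPLE_EVENT, ec2=fake, quarantine_sg="sg-quarantine"))
    print(fake.calls)
```

Three caveats a responder should know: security groups are VPC-scoped, so an account with several VPCs needs one quarantine group per VPC and a lookup by the instance's VpcId rather than a single environment variable; a security-group change does not necessarily tear down connections that are already established and tracked, so a hard cut still needs a network ACL or a stop of the instance; and the role swap that option E also calls for is done through the instance-profile association APIs, which this example leaves out.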
A company has enabled all features for its organization in AWS Organizations. The
organization contains 10 AWS accounts. The company has turned on AWS CloudTrail in all
the accounts. The company expects the number of AWS accounts in the organization to
increase to 500 during the next year. The company plans to use multiple OUs for these
accounts.
The company has enabled AWS Config in each existing AWS account in the organization.
A DevOps engineer must implement a solution that enables AWS Config automatically for
all future AWS accounts that are created in the organization.
Which solution will meet this requirement?
A. In the organization's management account, create an Amazon EventBridge rule that reacts to a CreateAccount API call. Configure the rule to invoke an AWS Lambda function that enables trusted access to AWS Config for the organization.
B. In the organization's management account, create an AWS CloudFormation stack set to enable AWS Config. Configure the stack set to deploy automatically when an account is created through Organizations.
C. In the organization's management account, create an SCP that allows the appropriate AWS Config API calls to enable AWS Config. Apply the SCP to the root-level OU.
D. In the organization's management account, create an Amazon EventBridge rule that reacts to a CreateAccount API call. Configure the rule to invoke an AWS Systems Manager Automation runbook to enable AWS Config for the account.
A company is examining its disaster recovery capability and wants the ability to switch over
its daily operations to a secondary AWS Region. The company uses AWS CodeCommit as
a source control tool in the primary Region.
A DevOps engineer must provide the capability for the company to develop code in the
secondary Region. If the company needs to use the secondary Region, developers can
add an additional remote URL to their local Git configuration.
Which solution will meet these requirements?
A. Create a CodeCommit repository in the secondary Region. Create an AWS CodeBuild project to perform a Git mirror operation of the primary Region's CodeCommit repository to the secondary Region's CodeCommit repository. Create an AWS Lambda function that invokes the CodeBuild project. Create an Amazon EventBridge rule that reacts to merge events in the primary Region's CodeCommit repository. Configure the EventBridge rule to invoke the Lambda function.
B. Create an Amazon S3 bucket in the secondary Region. Create an AWS Fargate task to perform a Git mirror operation of the primary Region's CodeCommit repository and copy the result to the S3 bucket. Create an AWS Lambda function that initiates the Fargate task. Create an Amazon EventBridge rule that reacts to merge events in the CodeCommit repository. Configure the EventBridge rule to invoke the Lambda function.
C. Create an AWS CodeArtifact repository in the secondary Region. Create an AWS CodePipeline pipeline that uses the primary Region's CodeCommit repository for the source action. Create a Cross-Region stage in the pipeline that packages the CodeCommit repository contents and stores the contents in the CodeArtifact repository when a pull request is merged into the CodeCommit repository.
D. Create an AWS Cloud9 environment and a CodeCommit repository in the secondary Region. Configure the primary Region's CodeCommit repository as a remote repository in the AWS Cloud9 environment. Connect the secondary Region's CodeCommit repository to the AWS Cloud9 environment.
Explanation: A. Create a CodeCommit repository in the secondary Region and set up an AWS CodeBuild project that performs a Git mirror of the primary Region's CodeCommit repository into it (a mirror push copies every branch and tag, not only the default branch). An AWS Lambda function starts the CodeBuild project, and an Amazon EventBridge rule that reacts to merge (reference update) events in the primary Region's repository invokes the Lambda function. The secondary repository therefore stays current with the primary one, and developers only need to add its clone URL as a second remote in their local Git configuration to keep working if the primary Region becomes unavailable. Option B copies the repository into S3, which developers cannot push to; option C produces packaged artifacts in CodeArtifact, not a Git repository; option D sets up an editor environment but nothing that keeps the secondary repository in sync.
A company's application teams use AWS CodeCommit repositories for their applications.
The application teams have repositories in multiple AWS
accounts. All accounts are in an organization in AWS Organizations.
Each application team uses AWS IAM Identity Center (AWS Single Sign-On) configured
with an external IdP to assume a developer IAM role. The developer role allows the
application teams to use Git to work with the code in the repositories.
A security audit reveals that the application teams can modify the main branch in any
repository. A DevOps engineer must implement a solution that
allows the application teams to modify the main branch of only the repositories that they
manage.
Which combination of steps will meet these requirements? (Select THREE.)
A. Update the SAML assertion to pass the user's team name. Update the IAM role's trust policy to add an access-team session tag that has the team name.
B. Create an approval rule template for each team in the Organizations management account. Associate the template with all the repositories. Add the developer role ARN as an approver.
C. Create an approval rule template for each account. Associate the template with all repositories. Add the "aws:ResourceTag/access-team":"${aws:PrincipalTag/access-team}" condition to the approval rule template.
D. For each CodeCommit repository, add an access-team tag that has the value set to the name of the associated team.
E. Attach an SCP to the accounts. Include the following statement:
F. Create an IAM permissions boundary in each account. Include the following statement:
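How the access-team tag match in options C, E and F resolves at request time, as an added example. The policy statement shown on the page for E and F is not reproduced here; the guard below is my own illustration of a Deny that compares the principal's access-team session tag with the repository's access-team resource tag and fires only for pushes and merges to refs/heads/main, and the evaluator models just enough of IAM's condition logic to run it offline. Team names, repository contexts and the request builder are constructed.

```python
"""Tag-based branch protection for CodeCommit, evaluated offline.  Added
example, not the statement from the page: TEAM_BRANCH_GUARD is an
illustration of the access-team tag match, and the evaluator models only
the condition operators it uses.  All request contexts are constructed."""
import fnmatch
import re

PROTECTED_REFS = ["refs/heads/main"]

# Deny mutating main unless the caller's access-team session tag equals the
# repository's access-team resource tag.  The three condition blocks AND
# together, so the Deny fires only for pushes/merges to main on a foreign repo.
TEAM_BRANCH_GUARD = {
    "Effect": "Deny",
    "Action": ["codecommit:GitPush", "codecommit:PutFile",
               "codecommit:DeleteBranch", "codecommit:Merge*"],
    "Resource": "*",
    "Condition": {
        "StringNotEquals": {"aws:ResourceTag/access-team": "${aws:PrincipalTag/access-team}"},
        "StringEqualsIfExists": {"codecommit:References": PROTECTED_REFS},
        "Null": {"codecommit:References": "false"},
    },
}

_VAR = re.compile(r"^\$\{([^}]+)\}$")


def _resolve(value, ctx):
    """Substitute a ${key} policy variable; an unresolvable variable becomes None."""
    m = _VAR.match(value)
    return ctx.get(m.group(1)) if m else value


def _as_list(v):
    if v is None:
        return []
    return list(v) if isinstance(v, (list, tuple, set)) else [v]


def _condition_true(op, key, expected, ctx):
    """One condition key.  A missing or unresolvable value never *matches*, so
    StringNotEquals stays true (the Deny stays in force) when either tag is absent."""
    present = key in ctx
    actual = _as_list(ctx.get(key))
    wanted = [_resolve(e, ctx) for e in _as_list(expected)]
    matches = present and any(a in wanted for a in actual)
    if op == "Null":
        return present == (wanted[0] == "false")
    if op == "StringEquals":
        return matches
    if op == "StringEqualsIfExists":
        return (not present) or matches
    if op == "StringNotEquals":
        return not matches
    raise ValueError(f"operator {op} not modelled")


def statement_applies(stmt, action, ctx):
    if not any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
        return False
    return all(_condition_true(op, key, exp, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, exp in pairs.items())


def decide(action, ctx, guard=TEAM_BRANCH_GUARD):
    """'DENY' if the guard fires, else 'ALLOW' (the developer role is assumed
    to grant CodeCommit access otherwise)."""
    return "DENY" if statement_applies(guard, action, ctx) else "ALLOW"


def request(principal_team=None, repo_team=None, refs=None):
    """Request context: session tag from the SAML assertion, resource tag from
    the repository, references from the Git push or merge."""
    ctx = {}
    if principal_team is not None:
        ctx["aws:PrincipalTag/access-team"] = principal_team
    if repo_team is not None:
        ctx["aws:ResourceTag/access-team"] = repo_team
    if refs is not None:
        ctx["codecommit:References"] = list(refs)
    return ctx


CASES = {
    "own repo, main": ("codecommit:GitPush", request("payments", "payments", ["refs/heads/main"])),
    "other team's repo, main": ("codecommit:GitPush", request("payments", "billing", ["refs/heads/main"])),
    "other team's repo, feature branch": ("codecommit:GitPush", request("payments", "billing", ["refs/heads/feature-x"])),
    "untagged repo, main": ("codecommit:GitPush", request("payments", None, ["refs/heads/main"])),
    "no session tag, main": ("codecommit:GitPush", request(None, "billing", ["refs/heads/main"])),
    "merge PR into other team's main": ("codecommit:MergePullRequestBySquash", request("payments", "billing", ["refs/heads/main"])),
    "clone other team's repo": ("codecommit:GitPull", request("payments", "billing")),
}


def run_cases():
    return {name: decide(action, ctx) for name, (action, ctx) in CASES.items()}


if __name__ == "__main__":
    for name, verdict in run_cases().items():
        print(f"{verdict:5} {name}")
```

Two things the walk-through makes visible: untagged repositories and sessions without the team tag are denied, which is the safe default and a reason to tag every repository (option D) at creation; and an SCP (option E) is the right home for a guard that application teams must not be able to edit, because a permissions boundary (F) lives in the same account as the developers and can be changed by anyone with IAM rights there.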
A company requires its internal business teams to launch resources through pre-approved
AWS CloudFormation templates only. The security team requires automated monitoring
when resources drift from their expected state.
Which strategy should be used to meet these requirements?
A. Allow users to deploy CloudFormation stacks using a CloudFormation service role only. Use CloudFormation drift detection to detect when resources have drifted from their expected state.
B. Allow users to deploy CloudFormation stacks using a CloudFormation service role only. Use AWS Config rules to detect when resources have drifted from their expected state.
C. Allow users to deploy CloudFormation stacks using AWS Service Catalog only. Enforce the use of a launch constraint. Use AWS Config rules to detect when resources have drifted from their expected state.
D. Allow users to deploy CloudFormation stacks using AWS Service Catalog only. Enforce the use of a template constraint. Use Amazon EventBridge notifications to detect when resources have drifted from their expected state.
Explanation:
The correct answer is C. Allowing users to deploy CloudFormation stacks using AWS
Service Catalog only and enforcing the use of a launch constraint is the best way to ensure
that the internal business teams launch resources through pre-approved CloudFormation
templates only. AWS Service Catalog is a service that enables organizations to create and
manage catalogs of IT services that are approved for use on AWS. A launch constraint is a
rule that specifies the role that AWS Service Catalog assumes when launching a product.
By using a launch constraint, the DevOps engineer can control the permissions that the
users have when launching a product. Using AWS Config rules to detect when resources
have drifted from their expected state is the best way to automate the monitoring of the resources. AWS Config is a service that enables you to assess, audit, and evaluate the
configurations of your AWS resources. AWS Config rules are custom or managed rules
that AWS Config uses to evaluate whether your AWS resources comply with your desired
configurations. By using AWS Config rules, the DevOps engineer can track the changes in
the resources and identify any non-compliant resources.
Option A is incorrect because allowing users to deploy CloudFormation stacks using a
CloudFormation service role only is not the best way to ensure that the internal business
teams launch resources through pre-approved CloudFormation templates only. A
CloudFormation service role is an IAM role that CloudFormation assumes to create,
update, or delete the stack resources. By using a CloudFormation service role, the DevOps
engineer can control the permissions that CloudFormation has when acting on the
resources, but not the permissions that the users have when launching a stack. Therefore,
option A does not prevent the users from launching resources that are not approved by the
company. Using CloudFormation drift detection to detect when resources have drifted from
their expected state is a valid way to monitor the resources, but it is not as automated and
scalable as using AWS Config rules. CloudFormation drift detection is a feature that
enables you to detect whether a stack’s actual configuration differs, or has drifted, from its
expected configuration. To use this feature, the DevOps engineer would need to manually
initiate a drift detection operation on the stack or the stack resources, and then view the
drift status and details in the CloudFormation console or API.
Option B is incorrect because allowing users to deploy CloudFormation stacks using a
CloudFormation service role only is not the best way to ensure that the internal business
teams launch resources through pre-approved CloudFormation templates only, as
explained in option A. Using AWS Config rules to detect when resources have drifted from
their expected state is a valid way to monitor the resources, as explained in option C.
Option D is incorrect because enforcing the use of a template constraint is not the best way
to ensure that the internal business teams launch resources through pre-approved
CloudFormation templates only. A template constraint is a rule that defines the values or
properties that users can specify when launching a product. By using a template constraint,
the DevOps engineer can control the parameters that the users can provide when
launching a product, but not the permissions that the users have when launching a product.
Therefore, option D does not prevent the users from launching resources that are not
approved by the company. Using Amazon EventBridge notifications to detect when
resources have drifted from their expected state is a less reliable and consistent solution
than using AWS Config rules. Amazon EventBridge is a service that enables you to
connect your applications with data from a variety of sources. Amazon EventBridge can
deliver a stream of real-time data from event sources, such as AWS services, and route
that data to targets, such as AWS Lambda functions. However, to use this solution, the
DevOps engineer would need to configure the event source, the event bus, the event rule,
and the event target for each resource type that needs to be monitored, which is more complex and error-prone than using AWS Config rules.
A company has 20 service teams. Each service team is responsible for its own
microservice. Each service team uses a separate AWS account for its microservice and a
VPC with the 192.168.0.0/22 CIDR block. The company manages the AWS accounts with
AWS Organizations.
Each service team hosts its microservice on multiple Amazon EC2 instances behind an
Application Load Balancer. The microservices communicate with each other across the
public internet. The company's security team has issued a new guideline that all
communication between microservices must use HTTPS over private network connections
and cannot traverse the public internet.
A DevOps engineer must implement a solution that fulfills these obligations and minimizes
the number of changes for each service team.
Which solution will meet these requirements?
A. Create a new AWS account in AWS Organizations. Create a VPC in this account and use AWS Resource Access Manager to share the private subnets of this VPC with the organization. Instruct the service teams to launch a new Network Load Balancer (NLB) and EC2 instances that use the shared private subnets. Use the NLB DNS names for communication between microservices.
B. Create a Network Load Balancer (NLB) in each of the microservice VPCs. Use AWS PrivateLink to create VPC endpoints in each AWS account for the NLBs. Create subscriptions to each VPC endpoint in each of the other AWS accounts. Use the VPC endpoint DNS names for communication between microservices.
C. Create a Network Load Balancer (NLB) in each of the microservice VPCs. Create VPC peering connections between each of the microservice VPCs. Update the route tables for each VPC to use the peering links. Use the NLB DNS names for communication between microservices.
D. Create a new AWS account in AWS Organizations. Create a transit gateway in this account and use AWS Resource Access Manager to share the transit gateway with the organization. In each of the microservice VPCs, create a transit gateway attachment to the shared transit gateway. Update the route tables of each VPC to use the transit gateway. Create a Network Load Balancer (NLB) in each of the microservice VPCs. Use the NLB DNS names for communication between microservices.
A company uses AWS Organizations to manage its AWS accounts. A DevOps engineer
must ensure that all users who access the AWS Management Console are authenticated
through the company's corporate identity provider (IdP).
Which combination of steps will meet these requirements? (Select TWO.)
A. Use Amazon GuardDuty with a delegated administrator account. Use GuardDuty to enforce denial of IAM user logins.
B. Use AWS IAM Identity Center to configure identity federation with SAML 2.0.
C. Create a permissions boundary in AWS IAM Identity Center to deny password logins for IAM users.
D. Create IAM groups in the Organizations management account to apply consistent permissions for all IAM users.
E. Create an SCP in Organizations to deny password creation for IAM users.
Explanation:
Step 1: Use AWS IAM Identity Center for SAML-based identity federation. To ensure that every user who accesses the AWS Management Console is authenticated through the corporate identity provider (IdP), set up identity federation in AWS IAM Identity Center (formerly AWS SSO) using SAML 2.0.
Action: Use AWS IAM Identity Center to configure identity federation with the corporate IdP, which supports SAML 2.0.
Why: SAML 2.0 federation gives users single sign-on: they authenticate at the corporate IdP and receive short-lived credentials for the permission sets assigned to them, so no long-lived IAM user passwords are needed for console access.
Reference: AWS documentation on IAM Identity Center and SAML federation.
This corresponds to Option B: Use AWS IAM Identity Center to configure identity federation with SAML 2.0.
Step 2: Create an SCP that denies password creation for IAM users. Federation alone does not stop someone from signing in to the console directly with an IAM user password. To close that path, create a service control policy (SCP) in AWS Organizations that denies the IAM actions used to create or change a console password (for example, iam:CreateLoginProfile and iam:UpdateLoginProfile).
Action: Create an SCP that denies password creation for IAM users and attach it to the root or to the OUs that contain the member accounts.
Why: With no console password, an IAM user cannot sign in directly, which forces console access through the corporate IdP. Two limits to keep in mind: SCPs do not apply to the management account, and IAM users that already have passwords keep them until those login profiles are removed, so audit existing users as well.
Reference: AWS documentation on Service Control Policies.
This corresponds to Option E: Create an SCP in Organizations to deny password creation for IAM users.
GuardDuty (A) detects threats but cannot deny logins; permissions boundaries (C) are an IAM feature rather than an Identity Center feature and limit what a user can do, not whether the user can sign in; IAM groups in the management account (D) have no effect on users in member accounts.