A company has an organization in AWS Organizations. The organization includes workload
accounts that contain enterprise applications. The company centrally manages users from
an operations account. No users can be created in the work load accounts. The company
recently added an operations team and must provide the operations team members with
administrator access to each workload account.
Which combination of actions will provide this access? (Choose three.)
A. Create a SysAdmin role in the operations account. Attach the AdministratorAccess policy to the role. Modify the trust relationship to allow the sts:AssumeRole action from the workload accounts.
B. Create a SysAdmin role in each workload account. Attach the AdministratorAccess policy to the role. Modify the trust relationship to allow the sts:AssumeRole action from the operations account.
C. Create an Amazon Cognito identity pool in the operations account. Attach the SysAdmin role as an authenticated role.
D. In the operations account, create an IAM user for each operations team member.
E. In the operations account, create an IAM user group that is named SysAdmins. Add an IAM policy that allows the sts:AssumeRole action for the SysAdmin role in each workload account. Add all operations team members to the group.
F. Create an Amazon Cognito user pool in the operations account. Create an Amazon Cognito user for each operations team member.
A production account has a requirement that any Amazon EC2 instance that has been
logged in to manually must be terminated within 24 hours. All applications in the production
account are using Auto Scaling groups with the Amazon CloudWatch Logs agent
configured.
How can this process be automated?
A. Create a CloudWatch Logs subscription to an AWS Step Functions application. Configure an AWS Lambda function to add a tag to the EC2 instance that produced the login event and mark the instance to be decommissioned. Create an Amazon EventBridge rule to invoke a second Lambda function once a day that will terminate all instances with this tag.
B. Create an Amazon CloudWatch alarm that will be invoked by the login event. Send the notification to an Amazon Simple Notification Service (Amazon SNS) topic that the operations team is subscribed to, and have them terminate the EC2 instance within 24 hours.
C. Create an Amazon Cloud Watch alarm that will be invoked by the login event. Configure the alarm to send to an Amazon Simple Queue Service (Amazon SQS) queue. Use a group of worker instances to process messages from the queue, which then schedules an Amazon Event Bridge rule to be invoked.
D. Create a CloudWatch Logs subscription to an AWS Lambda function. Configure the function to add a tag to the EC2 instance that produced the login event and mark the instance to be decommissioned. Create an Amazon EventBridge rule to invoke a daily Lambda function that terminates all instances with this tag.
Explanation: "You can use subscriptions to get access to a real-time feed of log events from CloudWatch Logs and have it delivered to other services such as an Amazon Kinesis stream, an Amazon Kinesis Data Firehose stream, or AWS Lambda for custom processing, analysis, or loading to other systems. When log events are sent to the receiving service, they are Base64 encoded and compressed with the gzip format."
A DevOps team uses AWS CodePipeline, AWS CodeBuild, and AWS CodeDeploy to
deploy an application. The application is a REST API that uses AWS Lambda functions and
Amazon API Gateway Recent deployments have introduced errors that have affected many
customers.
The DevOps team needs a solution that reverts to the most recent stable version of the
application when an error is detected. The solution must affect the fewest customers
possible.
Which solution Will meet these requirements With the MOST operational efficiency?
A. Set the deployment configuration in CodeDepIoy to LambdaAlIAtOnce Configure automatic rollbacks on the deployment group Create an Amazon CloudWatch alarm that detects HTTP Bad Gateway errors on API Gateway Configure the deployment group to roll back when the number of alarms meets the alarm threshold
B. Set the deployment configuration in CodeDeploy to LambdaCanary10Percent10Minutes. Configure automatic rollbacks on the deployment group Create an Amazon CloudWatch alarm that detects HTTP Bad Gateway errors on API Gateway Configure the deployment group toroll back when the number of alarms meets the alarm threshold
C. Set the deployment configuration in CodeDeploy to LambdaAllAtOnce Configure manual rollbacks on the deployment group. Create an Amazon Simple Notification Service (Amazon SNS) topc to send notifications every time a deployrnent fads. Configure the SNS topc to Invoke a new Lambda function that stops the current deployment and starts the most recent successful deployment
D. Set the deployment configuration in CodeDeploy to LambdaCanaryIOPercentIOMinutes Configure manual rollbacks on the deployment group Create a metric filter on an Amazon CloudWatch log group for API Gateway to monitor HTTP Bad Gateway errors. Configure the metric filter to Invoke a new Lambda function that stops the current eployment and starts the most recent successful deployment
A software team is using AWS CodePipeline to automate its Java application release
pipeline The pipeline consists of a source stage, then a build stage, and then a deploy
stage. Each stage contains a single action that has a runOrder value of 1.
The team wants to integrate unit tests into the existing release pipeline. The team needs a
solution that deploys only the code changes that pass all unit tests.
Which solution will meet these requirements?
A. Modify the build stage. Add a test action that has a runOrder value of 1. Use AWS CodeDeploy as the action provider to run unit tests.
B. Modify the build stage Add a test action that has a runOrder value of 2 Use AWS CodeBuild as the action provider to run unit tests
C. Modify the deploy stage Add a test action that has a runOrder value of 1 Use AWS CodeDeploy as the action provider to run unit tests
D. Modify the deploy stage Add a test action that has a runOrder value of 2 Use AWS CodeBuild as the action provider to run unit tests
Explanation:
Modify the Build Stage to Add a Test Action with a RunOrder Value of 2:
The build stage in AWS CodePipeline can have multiple actions. By adding a test
action with a runOrder value of 2, the test action will execute after the initial build
action completes.
Use AWS CodeBuild as the Action Provider to Run Unit Tests:
AWS CodeBuild is a fully managed build service that compiles source code, runs
tests, and produces software packages.
Using CodeBuild to run unit tests ensures that the tests are executed in a
controlled environment and that only the code changes that pass the unit tests
proceed to the deploy stage.
Example configuration in CodePipeline:
{
"name": "BuildStage",
"actions": [
{
"name": "Build",
"actionTypeId": {
"category": "Build",
"owner": "AWS",
"provider": "CodeBuild",
"version": "1"
},
"runOrder": 1
},
{
"name": "Test",
"actionTypeId": {
"category": "Test",
"owner": "AWS",
"provider": "CodeBuild",
"version": "1"
},
"runOrder": 2
}
]
}
By integrating the unit tests into the build stage and ensuring they run after the build
process, the pipeline guarantees that only code changes passing all unit tests are
deployed.
A company has its AWS accounts in an organization in AWS Organizations. AWS Config is
manually configured in each AWS account. The company needs to implement a solution to
centrally configure AWS Config for all accounts in the organization The solution also must
record resource changes to a central account.
Which combination of actions should a DevOps engineer perform to meet these
requirements? (Choose two.)
A. Configure a delegated administrator account for AWS Config. Enable trusted access for AWS Config in the organization.
B. Configure a delegated administrator account for AWS Config. Create a service-linked role for AWS Config in the organization’s management account.
C. Create an AWS CloudFormation template to create an AWS Config aggregator.
Configure a CloudFormation stack set to deploy the template to all accounts in the
organization.
D. Create an AWS Config organization aggregator in the organization's management account. Configure data collection from all AWS accounts in the organization and from all AWS Regions.
E. Create an AWS Config organization aggregator in the delegated administrator account. Configure data collection from all AWS accounts in the organization and from all AWS Regions.
A healthcare services company is concerned about the growing costs of software licensing
for an application for monitoring patient wellness. The company wants to create an audit
process to ensure that the application is running exclusively on Amazon EC2 Dedicated
Hosts. A DevOps engineer must create a workflow to audit the application to ensure
compliance.
What steps should the engineer take to meet this requirement with the LEAST
administrative overhead?
A. Use AWS Systems Manager Configuration Compliance. Use calls to the putcompliance- items API action to scan and build a database of noncompliant EC2 instances based on their host placement configuration. Use an Amazon DynamoDB table to store these instance IDs for fast access. Generate a report through Systems Manager by calling the list-compliance-summaries API action.
B. Use custom Java code running on an EC2 instance. Set up EC2 Auto Scaling for the instance depending on the number of instances to be checked. Send the list of noncompliant EC2 instance IDs to an Amazon SQS queue. Set up another worker instance to process instance IDs from the SQS queue and write them to Amazon DynamoDB. Use an AWS Lambda function to terminate noncompliant instance IDs obtained from the queue, and send them to an Amazon SNS email topic for distribution.
C. Use AWS Config. Identify all EC2 instances to be audited by enabling Config Recording
on all Amazon EC2 resources for the region. Create a custom AWS Config rule that
triggers an AWS Lambda function by using the "config-rule-change-triggered" blueprint.
Modify the Lambda
evaluateCompliance () function to verify host placement to return a NON_COMPLIANT
result if the instance is not running on an EC2 Dedicated Host. Use the AWS Config report
to address noncompliant instances.
D. Use AWS CloudTrail. Identify all EC2 instances to be audited by analyzing all calls to the EC2 RunCommand API action. Invoke a AWS Lambda function that analyzes the host placement of the instance. Store the EC2 instance ID of noncompliant resources in an Amazon RDS for MySQL DB instance. Generate a report by querying the RDS instance and exporting the query results to a CSV text file.
Explanation:
The correct answer is C. Using AWS Config to identify and audit all EC2 instances based
on their host placement configuration is the most efficient and scalable solution to ensure
compliance with the software licensing requirement. AWS Config is a service that enables
you to assess, audit, and evaluate the configurations of your AWS resources. By creating a
custom AWS Config rule that triggers a Lambda function to verify host placement, the
DevOps engineer can automate the process of checking whether the instances are running
on EC2 Dedicated Hosts or not. The Lambda function can return a NON_COMPLIANT result if the instance is not running on an EC2 Dedicated Host, and the AWS Config report
can provide a summary of the compliance status of the instances. This solution requires
the least administrative overhead compared to the other options.
Option A is incorrect because using AWS Systems Manager Configuration Compliance to
scan and build a database of noncompliant EC2 instances based on their host placement
configuration is a more complex and costly solution than using AWS Config. AWS Systems
Manager Configuration Compliance is a feature of AWS Systems Manager that enables
you to scan your managed instances for patch compliance andconfiguration
inconsistencies. To use this feature, the DevOps engineer would need to install the
Systems Manager Agent on each EC2 instance, create a State Manager association to run
the put-compliance-items API action periodically, and use a DynamoDB table to store the
instance IDs of noncompliant resources. This solution would also require more API calls
and storage costs than using AWS Config.
Option B is incorrect because using custom Java code running on an EC2 instance to
check and terminate noncompliant EC2 instances is a more cumbersome and error-prone
solution than using AWS Config. This solution would require the DevOps engineer to write
and maintain the Java code, set up EC2 Auto Scaling for the instance, use an SQS queue
and another worker instance to process the instance IDs, use a Lambda function and an
SNS topic to terminate and notify the noncompliant instances, and handle any potential
failures or exceptions in the workflow. This solution would also incur more compute,
storage, and messaging costs than using AWS Config.
Option D is incorrect because using AWS CloudTrail to identify and audit EC2 instances by
analyzing the EC2 RunCommand API action is a less reliable and accurate solution than
using AWS Config. AWS CloudTrail is a service that enables you to monitor and log the
API activity in your AWS account. The EC2 RunCommand API action is used to execute
commands on one or more EC2 instances. However, this API action does not necessarily
indicate the host placement of the instance, and it may not capture all the instances that
are running on EC2 Dedicated Hosts or not. Therefore, option D would not provide a
comprehensive and consistent audit of the EC2 instances.
An online retail company based in the United States plans to expand its operations to
Europe and Asia in the next six months. Its product currently runs on Amazon EC2
instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto
Scaling group across multiple Availability Zones. All data is stored in an Amazon Aurora
database instance.
When the product is deployed in multiple regions, the company wants a single product catalog across all regions, but for compliance purposes, its customer information and
purchases must be kept in each region.
How should the company meet these requirements with the LEAST amount of application
changes?
A. Use Amazon Redshift for the product catalog and Amazon DynamoDB tables for the customer information and purchases.
B. Use Amazon DynamoDB global tables for the product catalog and regional tables for the customer information and purchases.
C. Use Aurora with read replicas for the product catalog and additional local Aurora instances in each region for the customer information and purchases.
D. Use Aurora for the product catalog and Amazon DynamoDB global tables for the customer information and purchases.
A company is using AWS to run digital workloads. Each application team in the company
has its own AWS account for application hosting. The accounts are consolidated in an
organization in AWS Organizations.
The company wants to enforce security standards across the entire organization. To avoid
noncompliance because of security misconfiguration, the company has enforced the use of
AWS CloudFormation. A production support team can modify resources in the production
environment by using the AWS Management Console to troubleshoot and resolve
application-related issues.
A DevOps engineer must implement a solution to identify in near real time any AWS
service misconfiguration that results in noncompliance. The solution must automatically
remediate the issue within 15 minutes of identification. The solution also must track
noncompliant resources and events in a centralized dashboard with accurate timestamps.
Which solution will meet these requirements with the LEAST development overhead?
A. Use CloudFormation drift detection to identify noncompliant resources. Use drift
detection events from CloudFormation to invoke an AWS Lambda function for remediation.
Configure theLambda function to publish logs to an Amazon CloudWatch Logs log group.
Configure an Amazon CloudWatch dashboard to use the log group for tracking.
B. Turn on AWS CloudTrail in the AWS accounts. Analyze CloudTrail logs by using Amazon Athena to identify noncompliant resources. Use AWS Step Functions to track query results on Athena for drift detection and to invoke an AWS Lambda function for remediation. For tracking, set up an Amazon QuickSight dashboard that uses Athena as the data source.
C. Turn on the configuration recorder in AWS Config in all the AWS accounts to identify noncompliant resources. Enable AWS Security Hub with the ~no-enable-default-standards option in all the AWS accounts. Set up AWS Config managed rules and custom rules. Set up automatic remediation by using AWS Config conformance packs. For tracking, set up a dashboard on Security Hub in a designated Security Hub administrator account.
D. Turn on AWS CloudTrail in the AWS accounts. Analyze CloudTrail logs by using Amazon CloudWatch Logs to identify noncompliant resources. Use CloudWatch Logs filters for drift detection. Use Amazon EventBridge to invoke the Lambda function for remediation. Stream filtered CloudWatch logs to Amazon OpenSearch Service. Set up a dashboard on OpenSearch Service for tracking.
Explanation:
The best solution is to use AWS Config and AWS Security Hub to identify and remediate
noncompliant resources across multiple AWS accounts. AWS Config enables continuous
monitoring of the configuration of AWS resources and evaluates them against desired
configurations. AWS Config can also automatically remediate noncompliant resources by
using conformance packs, which are a collection of AWS Config rules and remediation
actions that can be deployed as a single entity. AWS Security Hub provides a
comprehensive view of the security posture of AWS accounts and resources. AWS
Security Hub can aggregate and normalize the findings from AWS Config and other AWS
services, as well as from partner solutions. AWS Security Hub can also be used to create a
dashboard for tracking noncompliant resources and events in a centralized location.
The other options are not optimal because they either require more development overhead,
do not provide near real time detection and remediation, or do not provide a centralized
dashboard for tracking.
Option A is not optimal because CloudFormation drift detection is not a near real time
solution. Drift detection has to be manually initiated on each stack or resource, or
scheduled using a cron expression. Drift detection also does not provide remediation
actions, so a custom Lambda function has to be developed and invoked. CloudWatch Logs
and dashboard can be used for tracking, but they do not provide a comprehensive view of
the security posture of the AWS accounts and resources.
Option B is not optimal because CloudTrail logs analysis using Athena is not a near real
time solution. Athena queries have to be manually run or scheduled using a cron
expression. Athena also does not provide remediation actions, so a custom Lambda
function has to be developed and invoked. Step Functions can be used to orchestrate the
query and remediation workflow, but it adds more complexity and cost. QuickSight
dashboard can be used for tracking, but it does not provide a comprehensive view of the
security posture of the AWS accounts and resources.
Option D is not optimal because CloudTrail logs analysis using CloudWatch Logs is not a
near real time solution. CloudWatch Logs filters have to be manually created or updated for each resource type and configuration change. CloudWatch Logs also does not provide
remediation actions, so acustom Lambda function has to be developed and invoked.
EventBridge can be used to trigger the Lambda function, but it adds more complexity and
cost. OpenSearch Service dashboard can be used for tracking, but it does not provide a
comprehensive view of the security posture of the AWS accounts and resources.
A growing company manages more than 50 accounts in an organization in AWS
Organizations. The company has configured its applications to send logs to Amazon
CloudWatch Logs.
A DevOps engineer needs to aggregate logs so that the company can quickly search the
logs to respond to future security incidents. The DevOps engineer has created a new AWS
account for centralized monitoring.
Which combination of steps should the DevOps engineer take to make the application logs
searchable from the monitoring account? (Select THREE.)
A. In the monitoring account, download an AWS CloudFormation template from CloudWatch to use in Organizations. Use CloudFormation StackSets in the organization's management account to deploy the CloudFormation template to the entire organization.
B. Create an AWS CloudFormation template that defines an IAM role. Configure the role to allow logs-amazonaws.com to perform the logs:Link action if the aws:ResourceAccount property is equal to the monitoring account ID. Use CloudFormation StackSets in the organization's management account to deploy the CloudFormation template to the entire organization.
C. Create an IAM role in the monitoring account. Attach a trust policy that allows logs.amazonaws.com to perform the iam:CreateSink action if the aws:PrincipalOrgld property is equal to the organization ID.
D. In the organization's management account, enable the logging policies for the organization.
E. use CloudWatch Observability Access Manager in the monitoring account to create a sink. Allow logs to be shared with the monitoring account. Configure the monitoring account data selection to view the Observability data from the organization ID.
F. In the monitoring account, attach the CloudWatchLogsReadOnlyAccess AWS managed policy to an IAM role that can be assumed to search the logs.
Explanation:
To aggregate logs from multiple accounts in an organization, the DevOps engineer
needs to create a cross-account subscription1 that allows the monitoring account
to receive log events from the sharing accounts.
To enable cross-account subscription, the DevOps engineer needs to create an
IAM role in each sharing account that grants permission to CloudWatch Logs to
link the log groups to the destination in the monitoring account2. This can be done
using a CloudFormation template and StackSets3 to deploy the role to all accounts
in the organization.
The DevOps engineer also needs to create an IAM role in the monitoring account
that allows CloudWatch Logs to create a sink for receiving log events from
otheraccounts4. The role must have a trust policy that specifies the organization ID
as a condition.
Finally, the DevOps engineer needs to attach the
CloudWatchLogsReadOnlyAccess policy5 to an IAM role in the monitoring account
that can be used to search the logs from the cross-account subscription.
A DevOps team is merging code revisions for an application that uses an Amazon RDS
Multi-AZ DB cluster for its production database. The DevOps team uses continuous
integration to periodically verify that the application works. The DevOps team needs to test
the changes before the changes are deployed to the production database.
Which solution will meet these requirements'?
A. Use a buildspec file in AWS CodeBuild to restore the DB cluster from a snapshot of the production database run integration tests, and drop the restored database after verification.
B. Deploy the application to production. Configure an audit log of data control language (DCL) operations to capture database activities to perform if verification fails.
C. Create a snapshot of the DB duster before deploying the application Use the Update requires Replacement property on the DB instance in AWS CloudFormation to deploy the application and apply the changes.
D. Ensure that the DB cluster is a Multi-AZ deployment. Deploy the application with the updates. Fail over to the standby instance if verification fails.
Explanation: This solution will meet the requirements because it will create a temporary copy of the production database using a snapshot, run the integration tests on the copy, and delete the copy after the tests are done. This way, the production database will not be affected by the code revisions, and the DevOps team can test the changes before deploying them to production. A buildspec file is a YAML file that contains the commands and settings that CodeBuild uses to run a build1. The buildspecfile can specify the steps to restore the DB cluster from a snapshot, run the integration tests, and drop the restored database2
A company's organization in AWS Organizations has a single OU. The company runs Amazon EC2 instances in the OU accounts. The company needs to limit the use of each EC2 instance's credentials to the specific EC2 instance that the credential is assigned to. A DevOps engineer must configure security for the EC2 instances. Which solution will meet these requirements?
A. Create an SCP that specifies the VPC CIDR block. Configure the SCP to check whether the value of the aws:VpcSourcelp condition key is in the specified block. In the same SCP check, check whether the values of the aws:EC2lnstanceSourcePrivatelPv4 and aws:SourceVpc condition keys are the same. Deny access if either condition is false. Apply the SCP to the OU.
B. Create an SCP that checks whether the values of the aws:EC2lnstanceSourceVPC and aws:SourceVpc condition keys are the same. Deny access if the values are not the same. In the same SCP check, check whether the values of the aws:EC2lnstanceSourcePrivatelPv4 andawsVpcSourcelp condition keys are the same. Deny access if the values are not the same. Apply the SCP to the OU.
C. Create an SCP that includes a list of acceptable VPC values and checks whether the value of the aws:SourceVpc condition key is in the list. In the same SCP check, define a list of acceptable IP address values and check whether the value of the aws:VpcSourcelp condition key is in the list. Deny access if either condition is false. Apply the SCP to each account in the organization.
D. Create an SCP that checks whether the values of the aws:EC2lnstanceSourceVPC and
aws:VpcSourcelp condition keys are the same. Deny access if the values are not the same.
In the same SCP check, check whether the values of the aws:EC2lnstanceSourcePrivatolPv4 and aws:SourceVpc condition keys are the same.
Deny access if the values are not the same. Apply the SCP to each account in the
organization.
Explanation: Step 1: Using Service Control Policies (SCPs) for EC2 SecurityTo limit the use of EC2 instance credentials to the specific EC2 instance they are assigned to, you can create a Service Control Policy (SCP) that verifies specific conditions, such as whether the EC2 instance's source VPC and private IP match expected values. Step 2: Further Validation with Private IPsThe SCP should also verify that the EC2 instance's private IP matches the IP range specified for the VPC. If the instance's private IP does not match, access should be denied.
A company uses an organization in AWS Organizations that has all features enabled. The
company uses AWS Backup in a primary account and uses an AWS Key Management
Service (AWS KMS) key to encrypt the backups.
The company needs to automate a cross-account backup of the resources that AWS
Backup backs up in the primary account. The company configures cross-account backup in
the Organizations management account. The company creates a new AWS account in the
organization and configures an AWS Backup backup vault in the new account. The
company creates a KMS key in the new account to encrypt the backups. Finally, the
company configures a new backup plan in the primary account. The destination for the new
backup plan is the backup vault in the new account.
When the AWS Backup job in the primary account is invoked, the job creates backups in
the primary account. However, the backups are not copied to the new account's backup
vault.
Which combination of steps must the company take so that backups can be copied to the
new account's backup vault? (Select TWO.)
A. Edit the backup vault access policy in the new account to allow access to the primary account.
B. Edit the backup vault access policy in the primary account to allow access to the new account.
C. Edit the backup vault access policy in the primary account to allow access to the KMS key in the new account.
D. Edit the key policy of the KMS key in the primary account to share the key with the new account.
E. Edit the key policy of the KMS key in the new account to share the key with the primary account.
Explanation: To enable cross-account backup, the company needs to grant permissions to both the backup vault and the KMS key in the destination account. The backup vault access policy in the destination account must allow the primary account to copy backups into the vault. The key policy of the KMS key in the destination account must allow the primary account to use the key to encrypt and decrypt the backups. These steps are described in the AWS documentation12. Therefore, the correct answer is A and E.
| Page 4 out of 21 Pages |
| Previous |