A DevOps engineer needs to back up sensitive Amazon S3 objects that are stored within
an S3 bucket with a private bucket policy using S3 cross-Region replication functionality.
The objects need to be copied to a target bucket in a different AWS Region and account.
Which combination of actions should be performed to enable this replication? (Choose
three.)
A. Create a replication IAM role in the source account
B. Create a replication I AM role in the target account.
C. Add statements to the source bucket policy allowing the replication IAM role to replicate objects.
D. Add statements to the target bucket policy allowing the replication IAM role to replicate objects.
E. Create a replication rule in the source bucket to enable the replication.
F. Create a replication rule in the target bucket to enable the replication.
Explanation: S3 cross-Region replication (CRR) automatically replicates data between buckets across different AWS Regions. To enable CRR, you need to add a replication configuration to your source bucket that specifies the destination bucket, the IAM role, and the encryption type (optional). You also need to grant permissions to the IAM role to perform replication actions on both the source and destination buckets. Additionally, you can choose the destination storage class and enable additional replication options such as S3 Replication Time Control (S3 RTC) or S3 Batch Replication.
A company wants to deploy a workload on several hundred Amazon EC2 instances. The
company will provision the EC2 instances in an Auto Scaling group by using a launch template.
The workload will pull files from an Amazon S3 bucket, process the data, and put the
results into a different S3 bucket. The EC2 instances must haveleast-privilege permissions
and must use temporary security credentials.
Which combination of steps will meet these requirements? (Select TWO.)
A. Create an IAM role that has the appropriate permissions for S3 buckets. Add the IAM role to an instance profile.
B. Update the launch template to include the IAM instance profile.
C. Create an IAM user that has the appropriate permissions for Amazon S3. Generate a secret key and token.
D. Create a trust anchor and profile. Attach the IAM role to the profile.
E. Update the launch template. Modify the user data to use the new secret key and token.
Explanation:
To meet the requirements of deploying a workload on several hundred EC2 instances with
least-privilege permissions and temporary security credentials, the company should use an
IAM role and an instance profile. An IAM role is a way to grant permissions to an entity that
you trust, such as an EC2 instance. An instance profile is a container for an IAM role that
you can use to pass role information to an EC2 instance when the instance starts. By using
an IAM role and an instance profile, the EC2 instances can automatically receive temporary
security credentials from the AWS Security Token Service (STS) and use them to access
the S3 buckets. This way, the company does not need to manage or rotate any long-term
credentials, such as IAM users or access keys.
To use an IAM role and an instance profile, the company should create an IAM role that
has the appropriate permissions for S3 buckets. The permissions should allow the EC2
instances to read from the source S3 bucket and write to the destination S3 bucket. The
company should also create a trust policy for the IAM role that specifies that EC2 is allowed
to assume the role. Then, the company should add the IAM role to an instance profile. An
instance profile can have only one IAM role, so the company does not need to create
multiple roles or profiles for this scenario.
Next, the company should update the launch template to include the IAM instance profile. A
launch template is a way to save launch parameters for EC2 instances, such as the
instance type, security group, user data, and IAM instance profile. By using a launch
template, the company can ensure that all EC2 instances in the Auto Scaling group have consistent configuration and permissions. The company should specify the name or ARN of
the IAM instance profile in the launch template. This way, when theAuto Scaling group
launches new EC2 instances based on the launch template, they will automatically receive
the IAM role and its permissions through the instance profile.
The other options are not correct because they do not meet the requirements or follow best
practices. Creating an IAM user and generating a secret key and token is not a good option
because it involves managing long-term credentials that need to be rotated regularly.
Moreover, embedding credentials in user data is not secure because user data is visible to
anyone who can describe the EC2 instance. Creating a trust anchor and profile is not a
valid option because trust anchors are used for certificate-based authentication, not for IAM
roles or instance profiles. Modifying user data to use a new secret key and token is also not
a good option because it requires updating user data every time the credentials change,
which is not scalable or efficient.
A company is using AWS CodePipeline to automate its release pipeline. AWS CodeDeploy
is being used in the pipeline to deploy an application to Amazon Elastic Container Service
(Amazon ECS) using the blue/green deployment model. The company wants to implement
scripts to test the green version of the application before shifting traffic. These scripts will
complete in 5 minutes or less. If errors are discovered during these tests, the application
must be rolled back.
Which strategy will meet these requirements?
A. Add a stage to the CodePipeline pipeline between the source and deploy stages. Use AWS CodeBuild to create a runtime environment and build commands in the buildspec file to invoke test scripts. If errors are found, use the aws deploy stop-deployment command to stop the deployment.
B. Add a stage to the CodePipeline pipeline between the source and deploy stages. Use this stage to invoke an AWS Lambda function that will run the test scripts. If errors are found, use the aws deploy stop-deployment command to stop the deployment.
C. Add a hooks section to the CodeDeploy AppSpec file. Use the AfterAllowTestTraffic lifecycle event to invoke an AWS Lambda function to run the test scripts. If errors are found, exit the Lambda function with an error to initiate rollback.
D. Add a hooks section to the CodeDeploy AppSpec file. Use the AfterAllowTraffic lifecycle event to invoke the test scripts. If errors are found, use the aws deploy stop-deployment CLI command to stop the deployment.
A DevOps engineer is deploying a new version of a company's application in an AWS
CodeDeploy deployment group associated with its Amazon EC2 instances. After some
time, the deployment fails. The engineer realizes that all the events associated with the
specific deployment ID are in a Skipped status and code was not deployed in the instances
associated with the deployment group.
What are valid reasons for this failure? (Select TWO.).
A. The networking configuration does not allow the EC2 instances to reach the internet via a NAT gateway or internet gateway and the CodeDeploy endpoint cannot be reached.
B. The IAM user who triggered the application deployment does not have permission to interact with the CodeDeploy endpoint.
C. The target EC2 instances were not properly registered with the CodeDeploy endpoint.
D. An instance profile with proper permissions was not attached to the target EC2 instances.
E. The appspec. yml file was not included in the application revision.
A company has an on-premises application that is written in Go. A DevOps engineer must
move the application to AWS. The company's development team wants to enable blue/green deployments and perform A/B testing.
Which solution will meet these requirements?
A. Deploy the application on an Amazon EC2 instance, and create an AMI of the instance.
Use the AMI to create an automatic scaling launch configuration that is used in an Auto
Scaling group. Use Elastic Load Balancing to distribute traffic. Whenchanges are made to
the application, a new AMI will be created, which will initiate an EC2 instance refresh.
B. Use Amazon Lightsail to deploy the application. Store the application in a zipped format in an Amazon S3 bucket. Use this zipped version to deploy new versions of the application to Lightsail. Use Lightsail deployment options to manage the deployment.
C. Use AWS CodeArtifact to store the application code. Use AWS CodeDeploy to deploy the application to a fleet of Amazon EC2 instances. Use Elastic Load Balancing to distribute the traffic to the EC2 instances. When making changes to the application, upload a new version to CodeArtifact and create a new CodeDeploy deployment.
D. Use AWS Elastic Beanstalk to host the application. Store a zipped version of the application in Amazon S3. Use that location to deploy new versions of the application. Use Elastic Beanstalk to manage the deployment options.
A company has deployed a critical application in two AWS Regions. The application uses
an Application Load Balancer (ALB) in both Regions. The company has Amazon Route 53
alias DNS records for both ALBs.
The company uses Amazon Route 53 Application Recovery Controller to ensure that the
application can fail over between the two Regions. The Route 53 ARC configuration
includes a routing control for both Regions. The company uses Route 53 ARC to perform
quarterly disaster recovery (DR) tests.
During the most recent DR test, a DevOps engineer accidentally turned off both routing
controls. The company needs to ensure that at least one routing control is turned on at all
times.
Which solution will meet these requirements?
A. In Route 53 ARC. create a new assertion safety rule. Apply the assertion safety rule to the two routing controls. Configure the rule with the ATLEAST type with a threshold of 1.
B. In Route 53 ARC, create a new gating safety rule. Apply the assertion safety rule to the two routing controls. Configure the rule with the OR type with a threshold of 1.
C. In Route 53 ARC, create a new resource set. Configure the resource set with an AWS: Route53: HealthCheck resource type. Specify the ARNs of the two routing controls as the target resource. Create a new readiness check for the resource set.
D. In Route 53 ARC, create a new resource set. Configure the resource set with an AWS: Route53RecoveryReadiness: DNSTargetResource resource type. Add the domain names of the two Route 53 alias DNS records as the target resource. Create a new readiness check for the resource set.
Explanation: The correct solution is to create a new assertion safety rule in Route 53 ARC and apply it to the two routing controls. An assertion safety rule is a type of safety rule that ensures that a minimum number of routing controls are always enabled. The ATLEAST type of assertion safety rule specifies the minimum number of routing controls that must be enabled for the rule to evaluate as healthy. By setting the threshold to 1, the rule ensures that at least one routing control is always turned on. This prevents the scenario where both routing controls are accidentally turned off and the application becomes unavailable in both Regions. The other solutions are incorrect because they do not use safety rules to prevent both routing controls from being turned off. A gating safety rule is a type of safety rule that prevents routing control state changes that violate the rule logic. The OR type of gating safety rule specifies that one or more routing controls must be enabled for the rule to evaluate as healthy. However, this rule does not prevent a user from turning off both routing controls manually. A resource set is a collection of resources that are tested for readiness by Route 53 ARC. A readiness check is a test that verifies that all the resources in a resource set are operational. However, these concepts are not related to routing control states or safety rules. Therefore, creating a new resource set and a new readiness check will not ensure that at least one routing control is turned on at all times.
A developer is maintaining a fleet of 50 Amazon EC2 Linux servers. The servers are part of
an Amazon EC2 Auto Scaling group, and also use Elastic Load Balancing for load
balancing.
Occasionally, some application servers are being terminated after failing ELB HTTP health
checks. The developer would like to perform a root cause analysis on the issue, but before
being able to access application logs, the server is terminated.
How can log collection be automated?
A. Use Auto Scaling lifecycle hooks to put instances in a Pending:Wait state. Create an Amazon CloudWatch alarm for EC2 Instance Terminate Successful and trigger an AWS Lambda function that invokes an SSM Run Command script to collect logs, push them to Amazon S3, and complete the lifecycle action once logs are collected.
B. Use Auto Scaling lifecycle hooks to put instances in a Terminating:Wait state. Create an AWS Config rule for EC2 Instance-terminate Lifecycle Action and trigger a step function that invokes a script to collect logs, push them to Amazon S3, and complete the lifecycle action once logs are collected.
C. Use Auto Scaling lifecycle hooks to put instances in a Terminating:Wait state. Create an Amazon CloudWatch subscription filter for EC2 Instance Terminate Successful and trigger a CloudWatch agent that invokes a script to collect logs, push them to Amazon S3, and complete the lifecycle action once logs are collected.
D. Use Auto Scaling lifecycle hooks to put instances in a Terminating:Wait state. Create an Amazon EventBridge rule for EC2 Instance-terminate Lifecycle Action and trigger an AWS Lambda function that invokes an SSM Run Command script to collect logs, push them to Amazon S3, and complete the lifecycle action once logs are collected.
A DevOps engineer manages a company's Amazon Elastic Container Service (Amazon
ECS) cluster. The cluster runs on several Amazon EC2 instances that are in an Auto
Scaling group. The DevOps
engineer must implement a solution that logs and reviews all stopped tasks for errors.
Which solution will meet these requirements?
A. Create an Amazon EventBridge rule to capture task state changes. Send the event to Amazon CloudWatch Logs. Use CloudWatch Logs Insights to investigate stopped tasks.
B. Configure tasks to write log data in the embedded metric format. Store the logs in Amazon CloudWatch Logs. Monitor the ContainerInstanceCount metric for changes.
C. Configure the EC2 instances to store logs in Amazon CloudWatch Logs. Create a CloudWatch Contributor Insights rule that uses the EC2 instance log data. Use the Contributor Insights rule to investigate stopped tasks.
D. Configure an EC2 Auto Scaling lifecycle hook for the EC2_INSTANCE_TERMINATING scale-in event. Write the SystemEventLog file to Amazon S3. Use Amazon Athena to query the log file for errors.
Explanation:
The best solution to log and review all stopped tasks for errors is to use Amazon
EventBridge and Amazon CloudWatch Logs. Amazon EventBridge allows the DevOps
engineer to create a rule that matches task state change events from Amazon ECS. The
rule can then send the event data to Amazon CloudWatch Logs as the target. Amazon
CloudWatch Logs can store and monitor the log data, and also provide CloudWatch Logs
Insights, a feature that enables the DevOps engineer to interactively search and analyze
the log data. Using CloudWatch Logs Insights, the DevOps engineer can filter and
aggregate the log data based on various fields, such as cluster, task, container, and
reason. This way, the DevOps engineer can easily identify and investigate the stopped
tasks and their errors.
The other options are not as effective or efficient as the solution in option A. Option B is not
suitable because the embedded metric format is designed for custom metrics, not for
logging task state changes. Option C is not feasible because the EC2 instances do not
store the task state change events in their logs. Option D is not relevant because
theEC2_INSTANCE_TERMINATING lifecycle hook is triggered when an EC2 instance is
terminated by the Auto Scaling group, not when a task is stopped by Amazon ECS.
A company uses AWS Organizations to manage multiple accounts. Information security
policies require that all unencrypted Amazon EBS volumes be marked as non-compliant. A
DevOps engineer needs to automatically deploy the solution and ensure that this
compliance check is always present.
Which solution will accomplish this?
A. Create an AWS CloudFormation template that defines an AWS Inspector rule to check whether EBS encryption is enabled. Save the template to an Amazon S3 bucket that has been shared with all accounts within the company. Update the account creation script pointing to the CloudFormation template in Amazon S3.
B. Create an AWS Config organizational rule to check whether EBS encryption is enabled and deploy the rule using the AWS CLI. Create and apply an SCP to prohibit stopping and deleting AWS Config across the organization.
C. Create an SCP in Organizations. Set the policy to prevent the launch of Amazon EC2 instances without encryption on the EBS volumes using a conditional expression. Apply the SCP to all AWS accounts. Use Amazon Athena to analyze the AWS CloudTrail output, looking for events that deny an ec2: RunInstances action.
D. Deploy an IAM role to all accounts from a single trusted account. Build a pipeline with AWS CodePipeline with a stage in AWS Lambda to assume the IAM role, and list all EBS volumes in the account. Publish a report to Amazon S3.
A company manages AWS accounts for application teams in AWS Control Tower.
Individual application teams are responsible for securing their respective AWS accounts.
A DevOps engineer needs to enable Amazon GuardDuty for all AWS accounts in which the
application teams have not already enabled GuardDuty. The DevOps engineer is using
AWS CloudFormation StackSets from the AWS Control Tower management account.
How should the DevOps engineer configure the CloudFormation template to prevent failure
during the StackSets deployment?
A. Create a CloudFormation custom resource that invokes an AWS Lambda function.
Configure the Lambda function to conditionally enable GuardDuty if GuardDuty is not
already enabled in the accounts.
B. Use the Conditions section of the CloudFormation template to enable GuardDuty in accounts where GuardDuty is not already enabled.
C. Use the CloudFormation Fn. GetAtt intrinsic function to check whether GuardDuty is already enabled If GuardDuty is not already enabled use the Resources section of the CloudFormation template to enable GuardDuty.
D. Manually discover the list of AWS account IDs where GuardDuty is not enabled Use the CloudFormation Fn: ImportValue intrinsic function to import the list of account IDs into the CloudFormation template to skip deployment for the listed AWS accounts.
Explanation: This solution will meet the requirements because it will use a CloudFormation custom resource to execute custom logic during the stack set operation. A custom resource is a resource that you define in your template and that is associated with an AWS Lambda function. The Lambda function runs whenever the custom resource is created, updated, or deleted, and can perform any actions that are supported by the AWS SDK. In this case, the Lambda function can use the GuardDuty API to check whether GuardDuty is already enabled in each target account, and if not, enable it. This way, the DevOps engineer can avoid deploying the stack set to accounts that already have GuardDuty enabled, and prevent failure during the deployment.
A company deploys its corporate infrastructure on AWS across multiple AWS Regions and
Availability Zones. The infrastructure is deployed on Amazon EC2 instances and connects
with AWS loT Greengrass devices. The company deploys additional resources on onpremises
servers that are located in the corporate headquarters.
The company wants to reduce the overhead involved in maintaining and updating its
resources. The company's DevOps team plans to use AWS Systems Manager to
implement automated management and application of patches. The DevOps team confirms
that Systems Manager is available in the Regions that the resources are deployed m
Systems Manager also is available in a Region near the corporate headquarters.
Which combination of steps must the DevOps team take to implement automated patch
and configuration management across the company's EC2 instances loT devices and onpremises
infrastructure? (Select THREE.)
A. Apply tags lo all the EC2 instances. AWS loT Greengrass devices, and on-premises servers. Use Systems Manager Session Manager to push patches to all the tagged devices.
B. Use Systems Manager Run Command to schedule patching for the EC2 instances AWS
loT Greengrass devices and on-premises servers.
C. Use Systems Manager Patch Manager to schedule patching loT the EC2 instances
AWS loT Greengrass devices and on-premises servers as a Systems Manager
maintenance window task.
C. Configure Amazon EventBridge to monitor Systems Manager Patch Manager for updates to patch baselines. Associate Systems Manager Run Command with the event lo initiate a patch action for all EC2 instances AWS loT Greengrass devices and on-premises servers.
D. Create an IAM instance profile for Systems Manager Attach the instance profile to all the EC2 instances in the AWS account. For the AWS loT Greengrass devices and on-premises servers create an IAM service role for Systems Manager.
E. Generate a managed-instance activation Use the Activation Code and Activation ID to install Systems Manager Agent (SSM Agent) on each server in the on-premises environment Update the AWS loT Greengrass IAM token exchange role Use the role to deploy SSM Agent on all the loT devices.
A company wants to ensure that their EC2 instances are secure. They want to be notified if
any new vulnerabilities are discovered on their instances and they also want an audit trail
of all login activities on the instances.
Which solution will meet these requirements'?
A. Use AWS Systems Manager to detect vulnerabilities on the EC2 instances Install the Amazon Kinesis Agent to capture system logs and deliver them to Amazon S3.
B. Use AWS Systems Manager to detect vulnerabilities on the EC2 instances Install the Systems Manager Agent to capture system logs and view login activity in the CloudTrail console.
C. Configure Amazon CloudWatch to detect vulnerabilities on the EC2 instances Install the AWS Config daemon to capture system logs and view them in the AWS Config console.
D. Configure Amazon Inspector to detect vulnerabilities on the EC2 instances Install the Amazon CloudWatch Agent to capture system logs and record them via Amazon CloudWatch Logs.
Explanation: This solution will meet the requirements because it will use Amazon Inspector to scan the EC2 instances for any new vulnerabilities and generate findings that can be viewed in the Inspector console or sent as notifications via Amazon Simple Notification Service (SNS). It will also use the Amazon CloudWatch Agent to collect and send system logs from the EC2 instances to Amazon CloudWatch Logs, where they can be stored, searched, and analyzed. The system logs can provide an audit trail of all login activities on the instances, as well as other useful information such as performance metrics, errors, and events.
| Page 6 out of 21 Pages |
| Previous |