A company uses an organization in AWS Organizations to manage multiple AWS accounts.
The company needs an automated process across all AWS accounts to isolate any
compromised Amazon EC2 instances when the instances receive a specific tag.
Which combination of steps will meet these requirements? (Select TWO.)
A. Use AWS CloudFormation StackSets to deploy the CloudFormation stacks in all AWS accounts.
B. Create an SCP that has a Deny statement for the ec2:* action with a condition of "aws:RequestTag/isolation": false.
C. Attach the SCP to the root of the organization.
D. Create an AWS CloudFormation template that creates an EC2 instance role that has no IAM policies attached. Configure the template to have a security group that has an explicit Deny rule on all traffic. Use the CloudFormation template to create an AWS Lambda function that attaches the IAM role to instances. Configure the Lambda function to add a network ACL. Set up an Amazon EventBridge rule to invoke the Lambda function when a specific tag is applied to a compromised EC2 instance.
E. Create an AWS CloudFormation template that creates an EC2 instance role that has no IAM policies attached. Configure the template to have a security group that has no inbound rules or outbound rules. Use the CloudFormation template to create an AWS Lambda function that attaches the IAM role to instances. Configure the Lambda function to replace any existing security groups with the new security group. Set up an Amazon EventBridge rule to invoke the Lambda function when a specific tag is applied to a compromised EC2 instance.
Explanation:
Step 1: Deploy the Automation Solution using CloudFormation StackSets
To automate the process across multiple AWS accounts within an organization, you can
use AWS CloudFormation StackSets. StackSets allow you to deploy CloudFormation
templates to multiple accounts within an organization, ensuring consistent infrastructure
and automation.
Action: Use AWS CloudFormation StackSets to deploy the necessary resources
across all AWS accounts. This includes deploying the Lambda function and
security groups that will isolate compromised EC2 instances.
Why: StackSets make it easy to deploy and manage resources across multiple
AWS accounts, reducing the operational overhead.
Reference: AWS documentation on CloudFormation StackSets.
This corresponds to Option A: Use AWS CloudFormation StackSets to deploy the
CloudFormation stacks in all AWS accounts.
Step 2: Isolate EC2 Instances using Lambda and Security Groups
When an EC2 instance is compromised, it needs to be isolated from the network. This can be done by
creating a security group with no inbound or outbound rules and attaching it to the instance.
A Lambda function can handle this process and can be triggered automatically by an
Amazon EventBridge rule when a specific tag (e.g., "isolation") is applied to the
compromised instance.
Action: Create a Lambda function that attaches an isolated security group (with no inbound
or outbound rules) to the compromised EC2 instances. Set up an EventBridge rule to
trigger the Lambda function when the "isolation" tag is applied to the instance.
Why: This automates the isolation process, ensuring that any compromised instances are
immediately cut off from the network, reducing the potential damage from the compromise.
Reference: AWS documentation on Tag-based Event Handling.
This corresponds to Option E: Create an AWS CloudFormation template that creates
an EC2 instance role that has no IAM policies attached. Configure the template to
have a security group that has no inbound rules or outbound rules. Use the
CloudFormation template to create an AWS Lambda function that attaches the IAM
role to instances. Configure the Lambda function to replace any existing security
groups with the new security group. Set up an Amazon EventBridge rule to invoke
the Lambda function when a specific tag is applied to a compromised EC2 instance.
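As an added illustration of the Step 2 flow (not code from the question bank or from AWS), here is a Python Lambda handler that consumes an EventBridge "Tag Change on Resource" event and swaps every network interface's security groups for the empty isolation group. The tag key, the security group id and the FakeEC2 stand-in client are assumptions, and the sample event is constructed to match the documented event shape.

```python
ISOLATION_TAG = "isolation"  # tag key the EventBridge rule matches (assumed, per the explanation)
ISOLATION_SG = "sg-0000000000000000"  # placeholder id of the no-rules SG the StackSet deploys

def instance_ids_from_event(event):
    """Instance ids from a 'Tag Change on Resource' event, only if the change set isolation=true."""
    d = event.get("detail", {})
    ok = (d.get("service") == "ec2" and d.get("resource-type") == "instance"
          and ISOLATION_TAG in d.get("changed-tag-keys", [])
          and str(d.get("tags", {}).get(ISOLATION_TAG, "")).lower() == "true")
    if not ok:
        return []
    return [arn.rsplit("/", 1)[1] for arn in event.get("resources", []) if ":instance/" in arn]

def isolate(ec2, instance_ids, sg_id=ISOLATION_SG):
    """Swap every ENI's groups for the isolation SG (ModifyInstanceAttribute only touches the primary ENI)."""
    changed = []
    for iid in instance_ids:
        for res in ec2.describe_instances(InstanceIds=[iid])["Reservations"]:
            for inst in res["Instances"]:
                for eni in inst["NetworkInterfaces"]:
                    ec2.modify_network_interface_attribute(
                        NetworkInterfaceId=eni["NetworkInterfaceId"], Groups=[sg_id])
                    changed.append(eni["NetworkInterfaceId"])
    return changed

def handler(event, context=None, ec2=None):
    """Lambda entry point; `ec2` is injectable so the logic can run without AWS credentials."""
    if ec2 is None:
        import boto3  # imported lazily so the module also loads where boto3 is absent
        ec2 = boto3.client("ec2")
    return {"isolated_enis": isolate(ec2, instance_ids_from_event(event))}

# Constructed sample event in the documented 'Tag Change on Resource' shape, plus a fake client
SAMPLE_EVENT = {"detail-type": "Tag Change on Resource", "source": "aws.tag",
                "resources": ["arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"],
                "detail": {"service": "ec2", "resource-type": "instance", "changed-tag-keys": [ISOLATION_TAG],
                           "tags": {ISOLATION_TAG: "true", "Name": "web-1"}}}

class FakeEC2:
    """Stand-in for boto3's EC2 client: one instance with two ENIs; records group replacements."""
    def __init__(self):
        self.calls = []

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [{"InstanceId": InstanceIds[0], "NetworkInterfaces": [
            {"NetworkInterfaceId": "eni-primary"}, {"NetworkInterfaceId": "eni-secondary"}]}]}]}

    def modify_network_interface_attribute(self, NetworkInterfaceId, Groups):
        self.calls.append((NetworkInterfaceId, list(Groups)))
```

The handler ignores tag edits that did not change the isolation key, so an unrelated tag update on an already-isolated instance does not trigger a second pass.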
A company has enabled all features for its organization in AWS Organizations. The
organization contains 10 AWS accounts. The company has turned on AWS CloudTrail in all
the accounts. The company expects the number of AWS accounts in the organization to
increase to 500 during the next year. The company plans to use multiple OUs for these
accounts.
The company has enabled AWS Config in each existing AWS account in the organization.
A DevOps engineer must implement a solution that enables AWS Config automatically for
all future AWS accounts that are created in the organization.
Which solution will meet this requirement?
A. In the organization's management account, create an Amazon EventBridge rule that reacts to a CreateAccount API call. Configure the rule to invoke an AWS Lambda function that enables trusted access to AWS Config for the organization.
B. In the organization's management account, create an AWS CloudFormation stack set to enable AWS Config. Configure the stack set to deploy automatically when an account is created through Organizations.
C. In the organization's management account, create an SCP that allows the appropriate AWS Config API calls to enable AWS Config. Apply the SCP to the root-level OU.
D. In the organization's management account, create an Amazon EventBridge rule that reacts to a CreateAccount API call. Configure the rule to invoke an AWS Systems Manager Automation runbook to enable AWS Config for the account.
A company is examining its disaster recovery capability and wants the ability to switch over
its daily operations to a secondary AWS Region. The company uses AWS CodeCommit as
a source control tool in the primary Region.
A DevOps engineer must provide the capability for the company to develop code in the
secondary Region. If the company needs to use the secondary Region, developers can
add an additional remote URL to their local Git configuration.
Which solution will meet these requirements?
A. Create a CodeCommit repository in the secondary Region. Create an AWS CodeBuild project to perform a Git mirror operation of the primary Region's CodeCommit repository to the secondary Region's CodeCommit repository. Create an AWS Lambda function that invokes the CodeBuild project. Create an Amazon EventBridge rule that reacts to merge events in the primary Region's CodeCommit repository. Configure the EventBridge rule to invoke the Lambda function.
B. Create an Amazon S3 bucket in the secondary Region. Create an AWS Fargate task to perform a Git mirror operation of the primary Region's CodeCommit repository and copy the result to the S3 bucket. Create an AWS Lambda function that initiates the Fargate task. Create an Amazon EventBridge rule that reacts to merge events in the CodeCommit repository. Configure the EventBridge rule to invoke the Lambda function.
C. Create an AWS CodeArtifact repository in the secondary Region. Create an AWS CodePipeline pipeline that uses the primary Region's CodeCommit repository for the source action. Create a Cross-Region stage in the pipeline that packages the CodeCommit repository contents and stores the contents in the CodeArtifact repository when a pull request is merged into the CodeCommit repository.
D. Create an AWS Cloud9 environment and a CodeCommit repository in the secondary Region. Configure the primary Region's CodeCommit repository as a remote repository in the AWS Cloud9 environment. Connect the secondary Region's CodeCommit repository to the AWS Cloud9 environment.
Explanation: The best solution to meet the disaster recovery capability and allow
developers to switch over to a secondary AWS Region for code development is option A.
This involves creating a CodeCommit repository in the secondary Region and setting up
an AWS CodeBuild project to perform a Git mirror operation of the primary Region's
CodeCommit repository to the secondary Region's repository. An AWS Lambda function is
then created to invoke the CodeBuild project. Additionally, an Amazon EventBridge
rule is configured to react to merge events in the primary Region's CodeCommit repository
and invoke the Lambda function. This setup ensures that the secondary Region's
repository is always up-to-date with the primary repository, allowing for a seamless
transition in case of a disaster recovery event.
A company's application teams use AWS CodeCommit repositories for their applications.
The application teams have repositories in multiple AWS
accounts. All accounts are in an organization in AWS Organizations.
Each application team uses AWS IAM Identity Center (AWS Single Sign-On) configured
with an external IdP to assume a developer IAM role. The developer role allows the
application teams to use Git to work with the code in the repositories.
A security audit reveals that the application teams can modify the main branch in any
repository. A DevOps engineer must implement a solution that
allows the application teams to modify the main branch of only the repositories that they
manage.
Which combination of steps will meet these requirements? (Select THREE.)
A. Update the SAML assertion to pass the user's team name. Update the IAM role's trust policy to add an access-team session tag that has the team name.
B. Create an approval rule template for each team in the Organizations management account. Associate the template with all the repositories. Add the developer role ARN as an approver.
C. Create an approval rule template for each account. Associate the template with all repositories. Add the "aws:ResourceTag/access-team": "${aws:PrincipalTag/access-team}" condition to the approval rule template.
D. For each CodeCommit repository, add an access-team tag that has the value set to the name of the associated team.
E. Attach an SCP to the accounts. Include the following statement:
F. Create an IAM permissions boundary in each account. Include the following statement:
A company requires its internal business teams to launch resources through pre-approved
AWS CloudFormation templates only. The security team requires automated monitoring
when resources drift from their expected state.
Which strategy should be used to meet these requirements?
A. Allow users to deploy CloudFormation stacks using a CloudFormation service role only. Use CloudFormation drift detection to detect when resources have drifted from their expected state.
B. Allow users to deploy CloudFormation stacks using a CloudFormation service role only. Use AWS Config rules to detect when resources have drifted from their expected state.
C. Allow users to deploy CloudFormation stacks using AWS Service Catalog only. Enforce the use of a launch constraint. Use AWS Config rules to detect when resources have drifted from their expected state.
D. Allow users to deploy CloudFormation stacks using AWS Service Catalog only. Enforce the use of a template constraint. Use Amazon EventBridge notifications to detect when resources have drifted from their expected state.
Explanation:
The correct answer is C. Allowing users to deploy CloudFormation stacks using AWS
Service Catalog only and enforcing the use of a launch constraint is the best way to ensure
that the internal business teams launch resources through pre-approved CloudFormation
templates only. AWS Service Catalog is a service that enables organizations to create and
manage catalogs of IT services that are approved for use on AWS. A launch constraint is a
rule that specifies the role that AWS Service Catalog assumes when launching a product.
By using a launch constraint, the DevOps engineer can control the permissions that the
users have when launching a product. Using AWS Config rules to detect when resources
have drifted from their expected state is the best way to automate the monitoring of the resources. AWS Config is a service that enables you to assess, audit, and evaluate the
configurations of your AWS resources. AWS Config rules are custom or managed rules
that AWS Config uses to evaluate whether your AWS resources comply with your desired
configurations. By using AWS Config rules, the DevOps engineer can track the changes in
the resources and identify any non-compliant resources.
Option A is incorrect because allowing users to deploy CloudFormation stacks using a
CloudFormation service role only is not the best way to ensure that the internal business
teams launch resources through pre-approved CloudFormation templates only. A
CloudFormation service role is an IAM role that CloudFormation assumes to create,
update, or delete the stack resources. By using a CloudFormation service role, the DevOps
engineer can control the permissions that CloudFormation has when acting on the
resources, but not the permissions that the users have when launching a stack. Therefore,
option A does not prevent the users from launching resources that are not approved by the
company. Using CloudFormation drift detection to detect when resources have drifted from
their expected state is a valid way to monitor the resources, but it is not as automated and
scalable as using AWS Config rules. CloudFormation drift detection is a feature that
enables you to detect whether a stack’s actual configuration differs, or has drifted, from its
expected configuration. To use this feature, the DevOps engineer would need to manually
initiate a drift detection operation on the stack or the stack resources, and then view the
drift status and details in the CloudFormation console or API.
Option B is incorrect because allowing users to deploy CloudFormation stacks using a
CloudFormation service role only is not the best way to ensure that the internal business
teams launch resources through pre-approved CloudFormation templates only, as
explained in option A. Using AWS Config rules to detect when resources have drifted from
their expected state is a valid way to monitor the resources, as explained in option C.
Option D is incorrect because enforcing the use of a template constraint is not the best way
to ensure that the internal business teams launch resources through pre-approved
CloudFormation templates only. A template constraint is a rule that defines the values or
properties that users can specify when launching a product. By using a template constraint,
the DevOps engineer can control the parameters that the users can provide when
launching a product, but not the permissions that the users have when launching a product.
Therefore, option D does not prevent the users from launching resources that are not
approved by the company. Using Amazon EventBridge notifications to detect when
resources have drifted from their expected state is a less reliable and consistent solution
than using AWS Config rules. Amazon EventBridge is a service that enables you to
connect your applications with data from a variety of sources. Amazon EventBridge can
deliver a stream of real-time data from event sources, such as AWS services, and route
that data to targets, such as AWS Lambda functions. However, to use this solution, the
DevOps engineer would need to configure the event source, the event bus, the event rule,
and the event target for each resource type that needs to be monitored, which is more complex and error-prone than using AWS Config rules.