
DOP-C02 Practice Test

Whether you're a beginner or brushing up on skills, our DOP-C02 practice exam is your key to success. Our comprehensive question bank covers all key topics, ensuring you’re fully prepared.


Page 3 out of 50 Pages

A company has 20 service teams. Each service team is responsible for its own microservice. Each service team uses a separate AWS account for its microservice and a VPC with the 192.168.0.0/22 CIDR block. The company manages the AWS accounts with AWS Organizations.

Each service team hosts its microservice on multiple Amazon EC2 instances behind an Application Load Balancer. The microservices communicate with each other across the public internet. The company's security team has issued a new guideline that all communication between microservices must use HTTPS over private network connections and cannot traverse the public internet.

A DevOps engineer must implement a solution that fulfills these obligations and minimizes the number of changes for each service team.

Which solution will meet these requirements?


A. Create a new AWS account in AWS Organizations. Create a VPC in this account and use AWS Resource Access Manager to share the private subnets of this VPC with the organization. Instruct the service teams to launch a new Network Load Balancer (NLB) and EC2 instances that use the shared private subnets. Use the NLB DNS names for communication between microservices.

B. Create a Network Load Balancer (NLB) in each of the microservice VPCs. Use AWS PrivateLink to create VPC endpoints in each AWS account for the NLBs. Create subscriptions to each VPC endpoint in each of the other AWS accounts. Use the VPC endpoint DNS names for communication between microservices.

C. Create a Network Load Balancer (NLB) in each of the microservice VPCs. Create VPC peering connections between each of the microservice VPCs. Update the route tables for each VPC to use the peering links. Use the NLB DNS names for communication between microservices.

D. Create a new AWS account in AWS Organizations. Create a transit gateway in this account and use AWS Resource Access Manager to share the transit gateway with the organization. In each of the microservice VPCs, create a transit gateway attachment to the shared transit gateway. Update the route tables of each VPC to use the transit gateway. Create a Network Load Balancer (NLB) in each of the microservice VPCs. Use the NLB DNS names for communication between microservices.





B. Create a Network Load Balancer (NLB) in each of the microservice VPCs. Use AWS PrivateLink to create VPC endpoints in each AWS account for the NLBs. Create subscriptions to each VPC endpoint in each of the other AWS accounts. Use the VPC endpoint DNS names for communication between microservices.

A company uses AWS Organizations to manage its AWS accounts. A DevOps engineer must ensure that all users who access the AWS Management Console are authenticated through the company's corporate identity provider (IdP).

Which combination of steps will meet these requirements? (Select TWO.)


A. Use Amazon GuardDuty with a delegated administrator account. Use GuardDuty to enforce denial of IAM user logins.

B. Use AWS IAM Identity Center to configure identity federation with SAML 2.0.

C. Create a permissions boundary in AWS IAM Identity Center to deny password logins for IAM users.

D. Create IAM groups in the Organizations management account to apply consistent permissions for all IAM users.

E. Create an SCP in Organizations to deny password creation for IAM users.





B. Use AWS IAM Identity Center to configure identity federation with SAML 2.0.

E. Create an SCP in Organizations to deny password creation for IAM users.


Explanation:

Step 1: Using AWS IAM Identity Center for SAML-based Identity Federation

To ensure that all users accessing the AWS Management Console are authenticated via the corporate identity provider (IdP), the best approach is to set up identity federation with AWS IAM Identity Center (formerly AWS SSO) using SAML 2.0.

Action: Use AWS IAM Identity Center to configure identity federation with the corporate IdP that supports SAML 2.0.

Why: SAML 2.0 integration enables single sign-on (SSO) for users, allowing them to authenticate through the corporate IdP and gain access to AWS resources.

Reference: AWS documentation on IAM Identity Center and SAML Federation.

This corresponds to Option B: Use AWS IAM Identity Center to configure identity federation with SAML 2.0.

Step 2: Creating an SCP to Deny Password Logins for IAM Users

To enforce that IAM users do not create passwords or access the Management Console directly without going through the corporate IdP, you can create a Service Control Policy (SCP) in AWS Organizations that denies password creation for IAM users.

Action: Create an SCP that denies password creation for IAM users.

Why: This ensures that users cannot set passwords for their IAM user accounts, forcing them to use federated access through the corporate IdP for console login.

Reference: AWS documentation on Service Control Policies.

This corresponds to Option E: Create an SCP in Organizations to deny password creation for IAM users.
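The SCP described in Step 2, together with a check that a given policy really closes the password path, is sketched below as an added example (not part of the original page or AWS's own code). The policy document, its `Sid`, and the decision to also deny `iam:UpdateLoginProfile` alongside `iam:CreateLoginProfile` are assumptions made for this illustration.

```python
import json
from fnmatch import fnmatchcase

# Constructed SCP for illustration: blocks creating or changing IAM user console passwords.
DENY_CONSOLE_PASSWORDS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyIamUserConsolePasswords",  # hypothetical statement id
        "Effect": "Deny",
        "Action": ["iam:CreateLoginProfile", "iam:UpdateLoginProfile"],
        "Resource": "*",
    }],
}

REQUIRED = ("iam:CreateLoginProfile", "iam:UpdateLoginProfile")

def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def missing_denies(policy):
    """Return the password-related actions the SCP does NOT unconditionally deny."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    covered = set()
    for stmt in statements:
        # Only an unconditional Deny on every resource counts; NotAction, Condition
        # or a narrower Resource is treated conservatively as "not covered".
        if (stmt.get("Effect") != "Deny" or "Condition" in stmt
                or "*" not in _as_list(stmt.get("Resource"))):
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        covered.update(a for a in REQUIRED
                       if any(fnmatchcase(a.lower(), p) for p in patterns))
    return [a for a in REQUIRED if a not in covered]

if __name__ == "__main__":
    print(json.dumps(DENY_CONSOLE_PASSWORDS, indent=2))  # document to attach in Organizations
    print("gaps:", missing_denies(DENY_CONSOLE_PASSWORDS))
```

SCPs do not apply to principals in the Organizations management account, and they do not remove login profiles that already exist, so both need to be handled separately.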

A company uses AWS and has a VPC that contains critical compute infrastructure with predictable traffic patterns. The company has configured VPC flow logs that are published to a log group in Amazon CloudWatch Logs.

The company's DevOps team needs to configure a monitoring solution for the VPC flow logs to identify anomalies in network traffic to the VPC over time. If the monitoring solution detects an anomaly, the company needs the ability to initiate a response to the anomaly.

How should the DevOps team configure the monitoring solution to meet these requirements?


A. Create an Amazon Kinesis data stream. Subscribe the log group to the data stream. Configure Amazon Kinesis Data Analytics to detect log anomalies in the data stream. Create an AWS Lambda function to use as the output of the data stream. Configure the Lambda function to write to the default Amazon EventBridge event bus in the event of an anomaly finding.


B. Create an Amazon Kinesis Data Firehose delivery stream that delivers events to an Amazon S3 bucket. Subscribe the log group to the delivery stream. Configure Amazon Lookout for Metrics to monitor the data in the S3 bucket for anomalies. Create an AWS Lambda function to run in response to Lookout for Metrics anomaly findings. Configure the Lambda function to publish to the default Amazon EventBridge event bus.


C. Create an AWS Lambda function to detect anomalies. Configure the Lambda function to publish an event to the default Amazon EventBridge event bus if the Lambda function detects an anomaly. Subscribe the Lambda function to the log group.


D. Create an Amazon Kinesis data stream. Subscribe the log group to the data stream. Create an AWS Lambda function to detect log anomalies. Configure the Lambda function to write to the default Amazon EventBridge event bus if the Lambda function detects an anomaly. Set the Lambda function as the processor for the data stream.





D. Create an Amazon Kinesis data stream. Subscribe the log group to the data stream. Create an AWS Lambda function to detect log anomalies. Configure the Lambda function to write to the default Amazon EventBridge event bus if the Lambda function detects an anomaly. Set the Lambda function as the processor for the data stream.

Explanation: To meet the requirements, the DevOps team needs to configure a monitoring solution for the VPC flow logs that can detect anomalies in network traffic over time and initiate a response to the anomaly. The DevOps team can use Amazon Kinesis Data Streams to ingest and process streaming data from CloudWatch Logs. The DevOps team can subscribe the log group to a Kinesis data stream, which will deliver log events from CloudWatch Logs to Kinesis Data Streams in near real-time. The DevOps team can then create an AWS Lambda function to detect log anomalies using machine learning or statistical methods. The Lambda function can be set as a processor for the data stream, which means that it will process each record from the stream before sending it to downstream applications or destinations. The Lambda function can also write to the default Amazon EventBridge event bus if it detects an anomaly, which will allow other AWS services or custom applications to respond to the anomaly event.

A company has a legacy application. A DevOps engineer needs to automate the process of building the deployable artifact for the legacy application. The solution must store the deployable artifact in an existing Amazon S3 bucket for future deployments to reference.

Which solution will meet these requirements in the MOST operationally efficient way?


A. Create a custom Docker image that contains all the dependencies for the legacy application. Store the custom Docker image in a new Amazon Elastic Container Registry (Amazon ECR) repository. Configure a new AWS CodeBuild project to use the custom Docker image to build the deployable artifact and to save the artifact to the S3 bucket.

B. Launch a new Amazon EC2 instance. Install all the dependencies for the legacy application on the EC2 instance. Use the EC2 instance to build the deployable artifact and to save the artifact to the S3 bucket.

C. Create a custom EC2 Image Builder image. Install all the dependencies for the legacy application on the image. Launch a new Amazon EC2 instance from the image. Use the new EC2 instance to build the deployable artifact and to save the artifact to the S3 bucket.

D. Create an Amazon Elastic Kubernetes Service (Amazon EKS) cluster with an AWS Fargate profile that runs in multiple Availability Zones. Create a custom Docker image that contains all the dependencies for the legacy application. Store the custom Docker image in a new Amazon Elastic Container Registry (Amazon ECR) repository. Use the custom Docker image inside the EKS cluster to build the deployable artifact and to save the artifact to the S3 bucket.





A. Create a custom Docker image that contains all the dependencies for the legacy application. Store the custom Docker image in a new Amazon Elastic Container Registry (Amazon ECR) repository. Configure a new AWS CodeBuild project to use the custom Docker image to build the deployable artifact and to save the artifact to the S3 bucket.

Explanation: This approach is the most operationally efficient because it leverages the benefits of containerization, such as isolation and reproducibility, as well as AWS managed services. AWS CodeBuild is a fully managed build service that can compile your source code, run tests, and produce deployable software packages. By using a custom Docker image that includes all dependencies, you can ensure that the environment in which your code is built is consistent. Using Amazon ECR to store Docker images lets you easily deploy the images to any environment. Also, you can directly upload the build artifacts to Amazon S3 from AWS CodeBuild, which is beneficial for version control and archival purposes.

A company has an AWS CodePipeline pipeline that is configured with an Amazon S3 bucket in the eu-west-1 Region. The pipeline deploys an AWS Lambda application to the same Region. The pipeline consists of an AWS CodeBuild project build action and an AWS CloudFormation deploy action.

The CodeBuild project uses the aws cloudformation package AWS CLI command to build an artifact that contains the Lambda function code’s .zip file and the CloudFormation template. The CloudFormation deploy action references the CloudFormation template from the output artifact of the CodeBuild project’s build action.

The company wants to also deploy the Lambda application to the us-east-1 Region by using the pipeline in eu-west-1. A DevOps engineer has already updated the CodeBuild project to use the aws cloudformation package command to produce an additional output artifact for us-east-1.

Which combination of additional steps should the DevOps engineer take to meet these requirements? (Choose two.)


A. Modify the CloudFormation template to include a parameter for the Lambda function code’s zip file location. Create a new CloudFormation deploy action for us-east-1 in the pipeline. Configure the new deploy action to pass in the us-east-1 artifact location as a parameter override.


B. Create a new CloudFormation deploy action for us-east-1 in the pipeline. Configure the new deploy action to use the CloudFormation template from the us-east-1 output artifact.


C. Create an S3 bucket in us-east-1. Configure the S3 bucket policy to allow CodePipeline to have read and write access.


D. Create an S3 bucket in us-east-1. Configure S3 Cross-Region Replication (CRR) from the S3 bucket in eu-west-1 to the S3 bucket in us-east-1.


E. Modify the pipeline to include the S3 bucket for us-east-1 as an artifact store. Create a new CloudFormation deploy action for us-east-1 in the pipeline. Configure the new deploy action to use the CloudFormation template from the us-east-1 output artifact.





A. Modify the CloudFormation template to include a parameter for the Lambda function code’s zip file location. Create a new CloudFormation deploy action for us-east-1 in the pipeline. Configure the new deploy action to pass in the us-east-1 artifact location as a parameter override.

B. Create a new CloudFormation deploy action for us-east-1 in the pipeline. Configure the new deploy action to use the CloudFormation template from the us-east-1 output artifact.

Explanation: A. The CloudFormation template should be modified to include a parameter that indicates the location of the .zip file containing the Lambda function's code. This allows the CloudFormation deploy action to use the correct artifact depending on the region. This is critical because Lambda functions need to reference their code artifacts from the same region they are being deployed in. B. You would also need to create a new CloudFormation deploy action for the us-east-1 Region within the pipeline. This action should be configured to use the CloudFormation template from the artifact that was specifically created for us-east-1.

