- Email support@dumps4free.com
A company runs its container workloads in AWS App Runner. A DevOps engineer
manages the company's container repository in Amazon Elastic Container Registry
(Amazon ECR).
The DevOps engineer must implement a solution that continuously monitors the container repository. The solution must create a new container image when the solution detects an
operating system vulnerability or language package vulnerability.
Which solution will meet these requirements?
A. Use EC2 Image Builder to create a container image pipeline. Use Amazon ECR as the target repository. Turn on enhanced scanning on the ECR repository. Create an Amazon EventBridge rule to capture an Inspector2 finding event. Use the event to invoke the image pipeline. Re-upload the container to the repository.
B. Use EC2 Image Builder to create a container image pipeline. Use Amazon ECR as the target repository. Enable Amazon GuardDuty Malware Protection on the container workload. Create an Amazon EventBridge rule to capture a GuardDuty finding event. Use the event to invoke the image pipeline.
C. Create an AWS CodeBuild project to create a container image. Use Amazon ECR as the target repository. Turn on basic scanning on the repository. Create an Amazon EventBridge rule to capture an ECR image action event. Use the event to invoke the CodeBuild project. Re-upload the container to the repository.
D. Create an AWS CodeBuild project to create a container image. Use Amazon ECR as the target repository. Configure AWS Systems Manager Compliance to scan all managed nodes. Create an Amazon EventBridge rule to capture a configuration compliance state change event. Use the event to invoke the CodeBuild project.
Explanation:
The solution that meets the requirements is to use EC2 Image Builder to create a container
image pipeline, use Amazon ECR as the target repository, turn on enhanced scanning on
the ECR repository, create an Amazon EventBridge rule to capture an Inspector2 finding
event, and use the event to invoke the image pipeline. Re-upload the container to the
repository.
This solution will continuously monitor the container repository for vulnerabilities using
enhanced scanning, which is a feature of Amazon ECR that provides detailed information
and guidance on how to fix security issues found in your container images. Enhanced
scanning uses Inspector2, a security assessment service that integrates with Amazon ECR
and generates findings for any vulnerabilities detected in your images. You can use
Amazon EventBridge to create a rule that triggers an action when an Inspector2 finding
event occurs. The action can be to invoke an EC2 Image Builder pipeline, which is a
service that automates the creation of container images. The pipeline can use the latest
patches and updates to build a new container image and upload it to the same ECR
repository, replacing the vulnerable image.
The other options are not correct because they do not meet all the requirements or use
services that are not relevant for the scenario.
Option B is not correct because it uses Amazon GuardDuty Malware Protection, which is a
feature of GuardDuty that detects malicious activity and unauthorized behavior on your
AWS accounts and resources. GuardDuty does not scan container images for
vulnerabilities, nor does it integrate with Amazon ECR or EC2 Image Builder.
Option C is not correct because it uses basic scanning on the ECR repository, which only
provides a summary of the vulnerabilities found in your container images. Basic scanning
does not use Inspector2 or generate findings that can be captured by Amazon
EventBridge. Moreover, basic scanning does not provide guidance on how to fix the
vulnerabilities.
Option D is not correct because it uses AWS Systems Manager Compliance, which is a
feature of Systems Manager that helps you monitor and manage the compliance status of
your AWS resources based on AWS Config rules and AWS Security Hub standards.
Systems Manager Compliance does not scan container images for vulnerabilities, nor does
it integrate with Amazon ECR or EC2 Image Builder.
A development team is using AWS CodeCommit to version control application code and
AWS CodePipeline to orchestrate software deployments. The team has decided to use a
remote main branch as the trigger for the pipeline to integrate code changes. A developer
has pushed code changes to the CodeCommit repository, but noticed that the pipeline had
no reaction, even after 10 minutes.
Which of the following actions should be taken to troubleshoot this issue?
A. Check that an Amazon EventBridge rule has been created for the main branch to trigger the pipeline.
B. Check that the CodePipeline service role has permission to access the CodeCommit repository.
C. Check that the developer’s IAM role has permission to push to the CodeCommit repository.
D. Check to see if the pipeline failed to start because of CodeCommit errors in Amazon CloudWatch Logs.
Explanation: When you create a pipeline from CodePipeline during the step-by-step it
creates a CloudWatch Event rule for a given branch and repo like this:
{
"source": [
"aws.codecommit"
],
"detail-type": [
"CodeCommit Repository State Change"
],
"resources": [
"arn:aws:codecommit:us-east-1:xxxxx:repo-name"
],
"detail": {
"event": [
"referenceCreated",
"referenceUpdated"
],
"referenceType": [
"branch"
],
"referenceName": [
"master"
]
}
}
To run an application, a DevOps engineer launches an Amazon EC2 instance with public
IP addresses in a public subnet. A user data script obtains the application artifacts and
installs them on the instances upon launch. A change to the security classification of the
application now requires the instances to run with no access to the internet. While the
instances launch successfully and show as healthy, the application does not seem to be
installed.
Which of the following should successfully install the application while complying with the
new rule?
A. Launch the instances in a public subnet with Elastic IP addresses attached. Once the application is installed and running, run a script to disassociate the Elastic IP addresses afterwards.
B. Set up a NAT gateway. Deploy the EC2 instances to a private subnet. Update the private subnet's route table to use the NAT gateway as the default route.
C. Publish the application artifacts to an Amazon S3 bucket and create a VPC endpoint for S3. Assign an IAM instance profile to the EC2 instances so they can read the application artifacts from the S3 bucket.
D. Create a security group for the application instances and allow only outbound traffic to the artifact repository. Remove the security group rule once the install is complete.
Explanation: EC2 instances running in private subnets of a VPC can now have controlled
access to S3 buckets, objects, and API functions that are in the same region as the VPC.
You can use an S3 bucket policy to indicate which VPCs and which VPC Endpoints have
access to your S3 buckets
A company is using AWS CodePipeline to deploy an application. According to a new
guideline, a member of the company's security team must sign off on any application
changes before the changes are deployed into production. The approval must be recorded
and retained.
Which combination of actions will meet these requirements? (Select TWO.)
A. Configure CodePipeline to write actions to Amazon CloudWatch Logs.
B. Configure CodePipeline to write actions to an Amazon S3 bucket at the end of each pipeline stage.
C. Create an AWS CloudTrail trail to deliver logs to Amazon S3.
D. Create a CodePipeline custom action to invoke an AWS Lambda function for approval.
Create a policy that gives the security team access to manage CodePipeline custom
actions.
E. Create a CodePipeline manual approval action before the deployment step. Create a policy that grants the security team access to approve manual approval stages.
Explanation: To meet the new guideline for application deployment, the company can use a combination of AWS CodePipeline and AWS CloudTrail. A manual approval action in CodePipeline allows the security team to review and approve changes before they are deployed. This action can be configured to pause the pipeline until approval is granted, ensuring that no changes move to production without the necessary sign-off. Additionally, by creating an AWS CloudTrail trail, all actions taken withinCodePipeline, including approvals, are recorded and delivered to an Amazon S3 bucket. This provides an audit trail that can be retained for compliance and review purposes.
A company has chosen AWS to host a new application. The company needs to implement
a multi-account strategy. A DevOps engineer creates a new AWS account and an
organization in AWS Organizations. The DevOps engineer also creates the OU structure
for the organization and sets up a landing zone by using AWS Control Tower.
The DevOps engineer must implement a solution that automatically deploys resources for
new accounts that users create through AWS Control Tower Account Factory. When a user
creates a new account, the solution must apply AWS CloudFormation templates and SCPs
that are customized for the OU or the account to automatically deploy all the resources that
are attached to the account. All the OUs are enrolled in AWS Control Tower.
Which solution will meet these requirements in the MOST automated way?
A. Use AWS Service Catalog with AWS Control Tower. Create portfolios and products in AWS Service Catalog. Grant granular permissions to provision these resources. Deploy SCPs by using the AWS CLI and JSON documents.
B. Deploy CloudFormation stack sets by using the required templates. Enable automatic deployment. Deploy stack instances to the required accounts. Deploy a CloudFormation stack set to the organization’s management account to deploy SCPs.
C. Create an Amazon EventBridge rule to detect the CreateManagedAccount event.
Configure AWS Service Catalog as the target to deploy resources to any new accounts.
Deploy SCPs by using the AWS CLI and JSON documents.
D. Deploy the Customizations for AWS Control Tower (CfCT) solution. Use an AWS CodeCommit repository as the source. In the repository, create a custom package that includes the CloudFormation templates and the SCP JSON documents.
Explanation: The CfCT solution is designed for the exact purpose stated in the question. It
extends the capabilities of AWS Control Tower by providing you with a way to automate
resource provisioning and apply custom configurations across all AWS accounts created in
the Control Tower environment. This enables the company to implement additional account
customizations when new accounts are provisioned via the Control Tower Account Factory.
The CloudFormation templates and SCPs can be added to a CodeCommit repository and
will be automatically deployed to new accounts when they are created. This provides a
highly automated solution that does not require manual intervention to deploy resources
and SCPs to new accounts.
| Page 7 out of 50 Pages |
| Previous |