Amazon DOP-C02 Practice Test - Questions Answers, Page 22

* Add a Deploy Stage to the Pipeline, Configure Amazon ECS as the Action Provider:

By adding a deploy stage to the pipeline and configuring Amazon ECS as the action provider, the pipeline can automatically deploy the new container image to the ECS cluster.

This ensures that the service is updated with the new image tag, making the new version of the service endpoint reachable.

* Update the Image Build Pipeline Stage to Output an imagedefinitions.json File that Reference the New Image Tag:

The imagedefinitions.json file provides the necessary information about the container images and their tags for the ECS task definitions.

Updating the pipeline to output this file ensures that the correct image version is deployed.

Example imagedefinitions.json

[

{

'name': 'container-name',

'imageUri': '123456789012.dkr.ecr.region.amazonaws.com/my-repo:my-tag'

}

]

*

Reference: CodePipeline ECS Deployment

* Create an AWS Lambda Function that Runs Connectivity Checks and API Calls against the Service. Integrate the Lambda Function with CodePipeline by Using a Lambda Action Stage:

The Lambda function can perform the necessary integration tests by making connectivity checks and API calls to the deployed service endpoint.

Integrating this Lambda function into CodePipeline ensures that these tests are run automatically after deployment, providing near-real-time feedback on the new deployment's health.

Example Lambda function integration:

actions:

- name: TestService

actionTypeId:

category: Test

owner: AWS

provider: Lambda

runOrder: 2

configuration:

FunctionName: testServiceFunction

These steps ensure that the CI/CD workflow deploys the new container image to ECS, updates the image references, and performs integration tests, meeting the requirements with minimal management overhead.

Configure the Systems Manager Document to Use the aws-downloadContent Plugin with a sourceType of GitHub and sourcelnfo with the Repository Details:

The aws-downloadContent plugin can download content from various sources, including GitHub, which is necessary for bootstrapping the laptops with the code stored in the GitHub repository.

schemaVersion: '2.2'

description: 'Download and run bootstrap script from GitHub'

mainSteps:

- action: aws:downloadContent

name: downloadBootstrapScript

inputs:

sourceType: GitHub

sourceInfo: '{'owner':'my-org','repository':'my-repo','path':'scripts/bootstrap.sh','getOptions':'branch:main'}'

destinationPath: /tmp/bootstrap.sh

- action: aws:runShellScript

name: runBootstrapScript

inputs:

runCommand:

- chmod +x /tmp/bootstrap.sh

- /tmp/bootstrap.sh

This setup ensures that the bootstrap code is downloaded from GitHub and executed on the laptops using Systems Manager.

AWS Systems Manager aws-downloadContent Plugin

Running Commands Using Systems Manager

* Ensure that Amazon GuardDuty is Enabled:

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior.

It can detect port scans and generate findings for these events.

* Create an Amazon CloudWatch Alarm for Detected EC2 and Port Scan Findings:

Configure GuardDuty to monitor for port scans and other threats.

Create a CloudWatch alarm that triggers when GuardDuty detects port scan activities.

* Connect the Alarm to the SNS Topic:

The CloudWatch alarm should be configured to send notifications to the SNS topic subscribed by the security team.

This setup ensures that the security team receives near-real-time notifications when a port scan is detected on the EC2 instances.

Example configuration steps:

Enable GuardDuty and ensure it is monitoring the relevant AWS accounts.

Create a CloudWatch alarm:

{

'AlarmName': 'GuardDutyPortScanAlarm',

'MetricName': 'ThreatIntelIndicator',

'Namespace': 'AWS/GuardDuty',

'Statistic': 'Sum',

'Dimensions': [

{

'Name': 'FindingType',

'Value': 'Recon:EC2/Portscan'

}

],

'Period': 300,

'EvaluationPeriods': 1,

'Threshold': 1,

'ComparisonOperator': 'GreaterThanOrEqualToThreshold',

'AlarmActions': ['arn:aws:sns:region:account-id:SecurityAlerts']

}

Amazon GuardDuty

Creating CloudWatch Alarms for GuardDuty Findings

* Configure AWS Systems Manager on Each Instance:

AWS Systems Manager provides a unified interface for managing AWS resources. Install the Systems Manager agent on each EC2 instance to enable inventory management and other features.

* Use AWS Systems Manager Inventory:

Systems Manager Inventory collects metadata about your instances and the software installed on them. This data includes information about applications, network configurations, and more.

Enable Systems Manager Inventory on all EC2 instances to gather detailed information about installed applications.

* Use Systems Manager Resource Data Sync to Synchronize and Store Findings in an Amazon S3 Bucket:

Resource Data Sync aggregates inventory data from multiple accounts and regions into a single S3 bucket, making it easier to query and analyze the data.

Configure Resource Data Sync to automatically transfer inventory data to an S3 bucket for centralized storage.

* Create an AWS Lambda Function that Runs When New Objects are Added to the S3 Bucket:

Use an S3 event to trigger a Lambda function whenever new inventory data is added to the S3 bucket.

The Lambda function can parse the inventory data and check for the presence of prohibited applications.

* Configure the Lambda Function to Identify Prohibited Applications:

The Lambda function should be programmed to scan the inventory data for any known prohibited applications and generate alerts or take appropriate actions if such applications are found.

Example Lambda function in Python

import json

import boto3

def lambda_handler(event, context):

s3 = boto3.client('s3')

bucket = event['Records'][0]['s3']['bucket']['name']

key = event['Records'][0]['s3']['object']['key']

response = s3.get_object(Bucket=bucket, Key=key)

inventory_data = json.loads(response['Body'].read().decode('utf-8'))

prohibited_apps = ['app1', 'app2']

for instance in inventory_data['Instances']:

for app in instance['Applications']:

if app['Name'] in prohibited_apps:

# Send notification or take action

print(f'Prohibited application found: {app['Name']} on instance {instance['InstanceId']}')

return {'statusCode': 200, 'body': json.dumps('Check completed')}

By leveraging AWS Systems Manager Inventory, Resource Data Sync, and Lambda, this solution provides an efficient and automated way to audit EC2 instances for prohibited applications.

AWS Systems Manager Inventory

AWS Systems Manager Resource Data Sync

S3 Event Notifications

AWS Lambda

You need to understand how SCP inheritance works in AWS. The way it works for Deny policies is different that allow policies.

Allow polices are passing down to children ONLY if they don't have an allow policy.

Deny policies always pass down to children.

That's why there is always an SCP set to the Root to allow everything by default. If you limit this policy, the whole organization will be limited, not matter what other policies are saying for the other OUs. So it's not A. It's not D because it restricts the wrong OU.

* Turn off cross-zone load balancing on the ALB's target group:

Cross-zone load balancing distributes traffic evenly across all registered targets in all enabled Availability Zones. Turning this off will ensure that each target group only handles requests from its respective Availability Zone.

To disable cross-zone load balancing:

Go to the Amazon EC2 console.

Navigate to Load Balancers and select the ALB.

Choose the Target Groups tab, select the target group, and then select the Group details tab.

Click on Edit and turn off Cross-zone load balancing.

* Use Amazon Route 53 Application Recovery Controller to start a zonal shift away from the Availability Zone:

Amazon Route 53 Application Recovery Controller provides the ability to control traffic flow to ensure high availability and disaster recovery.

By using Route 53 Application Recovery Controller, you can perform a zonal shift to redirect traffic away from the unhealthy Availability Zone.

To start a zonal shift:

Configure Route 53 Application Recovery Controller by creating a cluster and control panel.

Create routing controls to manage traffic shifts between Availability Zones.

Use the routing control to shift traffic away from the affected Availability Zone.

Disabling cross-zone load balancing

Route 53 Application Recovery Controller

* Modify the Build Stage to Add a Test Action with a RunOrder Value of 2:

The build stage in AWS CodePipeline can have multiple actions. By adding a test action with a runOrder value of 2, the test action will execute after the initial build action completes.

* Use AWS CodeBuild as the Action Provider to Run Unit Tests:

AWS CodeBuild is a fully managed build service that compiles source code, runs tests, and produces software packages.

Using CodeBuild to run unit tests ensures that the tests are executed in a controlled environment and that only the code changes that pass the unit tests proceed to the deploy stage.

Example configuration in CodePipeline:

{

'name': 'BuildStage',

'actions': [

{

'name': 'Build',

'actionTypeId': {

'category': 'Build',

'owner': 'AWS',

'provider': 'CodeBuild',

'version': '1'

},

'runOrder': 1

},

{

'name': 'Test',

'actionTypeId': {

'category': 'Test',

'owner': 'AWS',

'provider': 'CodeBuild',

'version': '1'

},

'runOrder': 2

}

]

}

By integrating the unit tests into the build stage and ensuring they run after the build process, the pipeline guarantees that only code changes passing all unit tests are deployed.

AWS CodePipeline

AWS CodeBuild

Using CodeBuild with CodePipeline

Update the status of the affected CodeArtifact package version to deleted:

Deleting the vulnerable package version prevents it from being available for download by any users or systems, ensuring that the compromised version is not consumed.

Update the CodeArtifact package origin control settings to allow direct publishing and to block upstream operations:

By allowing direct publishing, the security team can publish the patched version of the package directly to the CodeArtifact repository.

Blocking upstream operations prevents the repository from automatically fetching and serving the vulnerable package version from upstream public repositories.

By deleting the vulnerable version and configuring the origin control settings to allow direct publishing and block upstream operations, the company ensures that only the patched version is available and the vulnerable version cannot be downloaded.

Managing Package Versions in CodeArtifact

Package Origin Controls in CodeArtifact

Deployment of config.txt file based on the appspec.yml:

The appspec.yml file specifies that config/config.txt should be copied to /usr/local/src/config.txt.

The source: / directive in the appspec.yml indicates that the entire directory structure starting from the root of the application source should be copied to the specified destination, which is /var/www/html.

Result of the Deployment:

The config.txt file will be specifically deployed to /usr/local/src/config.txt as per the explicit file mapping.

The entire directory structure including application/web will be copied to /var/www/html, but this does not include config/config.txt since it has a specific destination defined.

Thus, the config.txt file will be deployed only to /usr/local/src/config.txt.

Therefore, the correct answer is:

C . The config.txt file will be deployed to only /usr/local/src/config.txt.

AWS CodeDeploy AppSpec File Reference

AWS CodeDeploy Deployment Process