ExamGecko
Search Search Login
Home Home / Amazon / DOP-C02
Question list
Search
Search

List of questions

Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A company uses AWS WAF to protect its cloud infrastructure. A DevOps engineer needs to give an operations team the ability to analyze log messages from AWS WAR. The operations team needs to be able to create alarms for specific patterns in the log output. Which solution will meet these requirements with the LEAST operational overhead?
An ecommerce company is receiving reports that its order history page is experiencing delays in reflecting the processing status of orders. The order processing system consists of an AWS Lambda function that uses reserved concurrency. The Lambda function processes order messages from an Amazon Simple Queue Service (Amazon SQS) queue and inserts processed orders into an Amazon DynamoDB table. The DynamoDB table has auto scaling enabled for read and write capacity. Which actions should a DevOps engineer take to resolve this delay? (Choose two.)
A company uses an organization in AWS Organizations to manage multiple AWS accounts The company needs an automated process across all AWS accounts to isolate any compromised Amazon EC2 instances when the instances receive a specific tag. Which combination of steps will meet these requirements? (Select TWO.)
A company has an organization in AWS Organizations. A DevOps engineer needs to maintain multiple AWS accounts that belong to different OUs in the organization. All resources, including IAM policies and Amazon S3 policies within an account, are deployed through AWS CloudFormation. All templates and code are maintained in an AWS CodeCommit repository Recently, some developers have not been able to access an S3 bucket from some accounts in the organization. The following policy is attached to the S3 bucket. What should the DevOps engineer do to resolve this access issue?
A company has deployed a critical application in two AWS Regions. The application uses an Application Load Balancer (ALB) in both Regions. The company has Amazon Route 53 alias DNS records for both ALBs. The company uses Amazon Route 53 Application Recovery Controller to ensure that the application can fail over between the two Regions. The Route 53 ARC configuration includes a routing control for both Regions. The company uses Route 53 ARC to perform quarterly disaster recovery (DR) tests. During the most recent DR test, a DevOps engineer accidentally turned off both routing controls. The company needs to ensure that at least one routing control is turned on at all times. Which solution will meet these requirements?
A Company uses AWS CodeCommit for source code control. Developers apply their changes to various feature branches and create pull requests to move those changes to the main branch when the changes are ready for production. The developers should not be able to push changes directly to the main branch. The company applied the AWSCodeCommitPowerUser managed policy to the developers' IAM role, and now these developers can push changes to the main branch directly on every repository in the AWS account. What should the company do to restrict the developers' ability to push changes to the main branch directly?
A company has a fleet of Amazon EC2 instances that run Linux in a single AWS account. The company is using an AWS Systems Manager Automation task across the EC2 instances. During the most recent patch cycle, several EC2 instances went into an error state because of insufficient available disk space. A DevOps engineer needs to ensure that the EC2 instances have sufficient available disk space during the patching process in the future. Which combination of steps will meet these requirements? {Select TWO.)
A DevOps engineer is setting up a container-based architecture. The engineer has decided to use AWS CloudFormation to automatically provision an Amazon ECS cluster and an Amazon EC2 Auto Scaling group to launch the EC2 container instances. After successfully creating the CloudFormation stack, the engineer noticed that, even though the ECS cluster and the EC2 instances were created successfully and the stack finished the creation, the EC2 instances were associating with a different cluster. How should the DevOps engineer update the CloudFormation template to resolve this issue?
A company uses an organization in AWS Organizations to manage its AWS accounts. The company recently acquired another company that has standalone AWS accounts. The acquiring company's DevOps team needs to consolidate the administration of the AWS accounts for both companies and retain full administrative control of the accounts. The DevOps team also needs to collect and group findings across all the accounts to implement and maintain a security posture. Which combination of steps should the DevOps team take to meet these requirements? (Select TWO.)
A company has set up AWS CodeArtifact repositories with public upstream repositories The company's development team consumes open source dependencies from the repositories in the company's internal network. The company's security team recently discovered a critical vulnerability in the most recent version of a package that the development team consumes. The security team has produced a patched version to fix the vulnerability. The company needs to prevent the vulnerable version from being downloaded. The company also needs to allow the security team to publish the patched version. Which combination of steps will meet these requirements? {Select TWO.)

Question 242 - DOP-C02 discussion

Report
Export

A company uses an organization in AWS Organizations to manage multiple AWS accounts The company needs an automated process across all AWS accounts to isolate any compromised Amazon EC2 instances when the instances receive a specific tag.

Which combination of steps will meet these requirements? (Select TWO.)

A.
Use AWS Cloud Formation StackSets to deploy the Cloud Formation stacks in all AWS accounts.
Answers
A.
Use AWS Cloud Formation StackSets to deploy the Cloud Formation stacks in all AWS accounts.
B.
Create an SCP that has a Deny statement for the ec2:' action with a condition of 'aws:RequestTag/isolation': false.
Answers
B.
Create an SCP that has a Deny statement for the ec2:' action with a condition of 'aws:RequestTag/isolation': false.
C.
Attach the SCP to the root of the organization.
Answers
C.
Attach the SCP to the root of the organization.
D.
Create an AWS Cloud Formation template that creates an EC2 instance rote that has no IAM policies attached. Configure the template to have a security group that has an explicit Deny rule on all traffic. Use the Cloud Formation template to create an AWS Lambda function that attaches the IAM role to instances. Configure the Lambda function to add a network ACL. Sot up an Amazon EventBridge rule to invoke the Lambda function when a specific tag is applied to a compromised EC2 instance.
Answers
D.
Create an AWS Cloud Formation template that creates an EC2 instance rote that has no IAM policies attached. Configure the template to have a security group that has an explicit Deny rule on all traffic. Use the Cloud Formation template to create an AWS Lambda function that attaches the IAM role to instances. Configure the Lambda function to add a network ACL. Sot up an Amazon EventBridge rule to invoke the Lambda function when a specific tag is applied to a compromised EC2 instance.
E.
Create an AWS Cloud Formation template that creates an EC2 instance role that has no IAM policies attached. Configure the template to have a security group that has no inbound rules or outbound rules. Use the CloudFormation template to create an AWS Lambda function that attaches the IAM role to instances. Configure the Lambda function to replace any existing security groups with the new security group. Set up an Amazon EventBridge rule to invoke the Lambda function when a specific tag is applied to a compromised EC2 instance.
Answers
E.
Create an AWS Cloud Formation template that creates an EC2 instance role that has no IAM policies attached. Configure the template to have a security group that has no inbound rules or outbound rules. Use the CloudFormation template to create an AWS Lambda function that attaches the IAM role to instances. Configure the Lambda function to replace any existing security groups with the new security group. Set up an Amazon EventBridge rule to invoke the Lambda function when a specific tag is applied to a compromised EC2 instance.
Suggested answer: A, E

Explanation:

* Step 1: Deploy the Automation Solution using CloudFormation StackSets To automate the process across multiple AWS accounts within an organization, you can use AWS CloudFormation StackSets. StackSets allow you to deploy CloudFormation templates to multiple accounts within an organization, ensuring consistent infrastructure and automation. Action: Use AWS CloudFormation StackSets to deploy the necessary resources across all AWS accounts. This includes deploying the Lambda function and security groups that will isolate compromised EC2 instances. Why: StackSets make it easy to deploy and manage resources across multiple AWS accounts, reducing the operational overhead.

This corresponds to Option A: Use AWS CloudFormation StackSets to deploy the CloudFormation stacks in all AWS accounts.

* Step 2: Isolate EC2 Instances using Lambda and Security Groups When an EC2 instance is compromised, it needs to be isolated from the network. This can be done by creating a security group with no inbound or outbound rules and attaching it to the instance. A Lambda function can handle this process and can be triggered automatically by an Amazon EventBridge rule when a specific tag (e.g., 'isolation') is applied to the compromised instance.

Action: Create a Lambda function that attaches an isolated security group (with no inbound or outbound rules) to the compromised EC2 instances. Set up an EventBridge rule to trigger the Lambda function when the 'isolation' tag is applied to the instance.

Why: This automates the isolation process, ensuring that any compromised instances are immediately cut off from the network, reducing the potential damage from the compromise.

This corresponds to Option E: Create an AWS CloudFormation template that creates an EC2 instance role that has no IAM policies attached. Configure the template to have a security group that has no inbound rules or outbound rules. Use the CloudFormation template to create an AWS Lambda function that attaches the IAM role to instances. Configure the Lambda function to replace any existing security groups with the new security group. Set up an Amazon EventBridge rule to invoke the Lambda function when a specific tag is applied to a compromised EC2 instance.

Show Answer
asked 16/09/2024
Bob Target
38 questions
PreviousPreviousNextNext
User
Your answer:
0 comments
Sorted by

Leave a comment first

ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms