A development team uses AWS CodeCommit for version control for applications. The
development team uses AWS CodePipeline, AWS CodeBuild, and AWS CodeDeploy for
CI/CD infrastructure. In CodeCommit, the development team recently merged pull requests
that did not pass long-running tests in the code base. The development team needed to
perform rollbacks to branches in the codebase, resulting in lost time and wasted effort.
A DevOps engineer must automate testing of pull requests in CodeCommit to ensure that
reviewers more easily see the results of automated tests as part of the pull request review.
What should the DevOps engineer do to meet this requirement?
A. Create an Amazon EventBridge rule that reacts to the pullRequestStatusChanged event. Create an AWS Lambda function that invokes a CodePipeline pipeline with a CodeBuild action that runs the tests for the application. Program the Lambda function to post the CodeBuild badge as a comment on the pull request so that developers will see the badge in their code review.
B. Create an Amazon EventBridge rule that reacts to the pullRequestCreated event. Create an AWS Lambda function that invokes a CodePipeline pipeline with a CodeBuild action that runs the tests for the application. Program the Lambda function to post the CodeBuild test results as a comment on the pull request when the test results are complete.
C. Create an Amazon EventBridge rule that reacts to pullRequestCreated and pullRequestSourceBranchUpdated events. Create an AWS Lambda function that invokes a CodePipeline pipeline with a CodeBuild action that runs the tests for the application. Program the Lambda function to post the CodeBuild badge as a comment on the pull request so that developers will see the badge in their code review.
D. Create an Amazon EventBridge rule that reacts to the pullRequestStatusChanged event. Create an AWS Lambda function that invokes a CodePipeline pipeline with a CodeBuild action that runs the tests for the application. Program the Lambda function to post the CodeBuild test results as a comment on the pull request when the test results are complete.
An ecommerce company has chosen AWS to host its new platform. The company's
DevOps team has started building an AWS Control Tower landing zone. The DevOps team
has set the identity store within AWS IAM Identity Center (AWS Single Sign-On) to external
identity provider (IdP) and has configured SAML 2.0.
The DevOps team wants a robust permission model that applies the principle of least
privilege. The model must allow the team to build and manage only the team's own
resources.
Which combination of steps will meet these requirements? (Choose three.)
A. Create IAM policies that include the required permissions. Include the aws:PrincipalTag condition key.
B. Create permission sets. Attach an inline policy that includes the required permissions and uses the aws:PrincipalTag condition key to scope the permissions.
C. Create a group in the IdP. Place users in the group. Assign the group to accounts and the permission sets in IAM Identity Center.
D. Create a group in the IdP. Place users in the group. Assign the group to OUs and IAM policies.
E. Enable attributes for access control in IAM Identity Center. Apply tags to users. Map the tags as key-value pairs.
F. Enable attributes for access control in IAM Identity Center. Map attributes from the IdP as key-value pairs.
Explanation: B, C, and F. The permission set carries an inline policy whose statements are scoped with the aws:PrincipalTag condition key (for example, StringEquals aws:ResourceTag/team = ${aws:PrincipalTag/team}), so a signed-in user can act only on resources tagged for their own team. Users are managed as groups in the external IdP, and each group is assigned to the target accounts and to the permission set in IAM Identity Center; groups cannot be assigned to OUs or to IAM policies directly (D). With attributes for access control enabled, the SAML attributes the IdP sends (such as the user's team or department) are mapped as key-value pairs, and each mapped attribute becomes a principal tag on the federated session, which is exactly what the condition key reads (F). Option E fails because the identity source is the external IdP, so the attributes must come from the SAML assertion rather than from tags placed on users; option A creates policies that nothing binds to the federated users, whereas the permission set is what Identity Center provisions into each account.
A company has set up AWS CodeArtifact repositories with public upstream repositories
The company's development team consumes open source dependencies from the
repositories in the company's internal network.
The company's security team recently discovered a critical vulnerability in the most recent
version of a package that the development team consumes. The security team has
produced a patched version to fix the vulnerability. The company needs to prevent the
vulnerable version from being downloaded. The company also needs to allow the security
team to publish the patched version.
Which combination of steps will meet these requirements? (Select TWO.)
A. Update the status of the affected CodeArtifact package version to unlisted
B. Update the status of the affected CodeArtifact package version to deleted
C. Update the status of the affected CodeArtifact package version to archived.
D. Update the CodeArtifact package origin control settings to allow direct publishing and to block upstream operations
E. Update the CodeArtifact package origin control settings to block direct publishing and to allow upstream operations.
A company uses AWS Organizations and AWS Control Tower to manage all the
company's AWS accounts. The company uses the Enterprise Support plan.
A DevOps engineer is using Account Factory for Terraform (AFT) to provision new
accounts. When new accounts are provisioned, the DevOps engineer notices that the
support plan for the new accounts is set to the Basic Support plan. The DevOps engineer
needs to implement a solution to provision the new accounts with the Enterprise Support
plan.
Which solution will meet these requirements?
A. Use an AWS Config conformance pack to deploy the account-part-of-organizations AWS Config rule and to automatically remediate any noncompliant accounts.
B. Create an AWS Lambda function to create a ticket for AWS Support to add the account to the Enterprise Support plan. Grant the Lambda function the support:ResolveCase permission.
C. Add an additional value to the control_tower_parameters input to set the AWSEnterpriseSupport parameter as the organization's management account number.
D. Set the aft_feature_enterprise_support feature flag to True in the AFT deployment input configuration. Redeploy AFT and apply the changes.
Explanation: AWS Organizations manages multiple AWS accounts, and AWS Control Tower sets up and governs a secure, compliant multi-account environment. Account Factory for Terraform (AFT) is a Control Tower feature that provisions new accounts from Terraform. To provision accounts with the Enterprise Support plan, set the aft_feature_enterprise_support feature flag to True in the AFT deployment input configuration and redeploy AFT. With the flag on, AFT opens a support case from the management account to enroll each newly vended account in Enterprise Support, so the management account itself must already be on the Enterprise Support plan, as it is here. Option A's Config rule only checks Organizations membership, option B grants a permission that resolves cases rather than creating them, and option C names a parameter that AFT does not have.
A DevOps engineer has automated a web service deployment by using AWS CodePipeline
with the following steps:
1) An AWS CodeBuild project compiles the deployment artifact and runs unit tests.
2) An AWS CodeDeploy deployment group deploys the web service to Amazon EC2
instances in the staging environment.
3) A CodeDeploy deployment group deploys the web service to EC2 instances in the
production environment.
The quality assurance (QA) team requests permission to inspect the build artifact before
the deployment to the production environment occurs. The QA team wants to run
an internal penetration testing tool to conduct manual tests. The tool will be invoked by a
REST API call.
Which combination of actions should the DevOps engineer take to fulfill this request?
(Choose two.)
A. Insert a manual approval action between the test actions and deployment actions of the pipeline.
B. Modify the buildspec.yml file for the compilation stage to require manual approval before completion.
C. Update the CodeDeploy deployment groups so that they require manual approval to proceed.
D. Update the pipeline to directly call the REST API for the penetration testing tool.
E. Update the pipeline to invoke an AWS Lambda function that calls the REST API for the penetration testing tool.
A company uses an Amazon API Gateway regional REST API to host its application API.
The REST API has a custom domain. The REST API's default endpoint is deactivated.
The company's internal teams consume the API. The company wants to use mutual TLS
between the API and the internal teams as an additional layer of authentication.
Which combination of steps will meet these requirements? (Select TWO.)
A. Use AWS Certificate Manager (ACM) to create a private certificate authority (CA). Provision a client certificate that is signed by the private CA.
B. Provision a client certificate that is signed by a public certificate authority (CA). Import the certificate into AWS Certificate Manager (ACM).
C. Upload the provisioned client certificate to an Amazon S3 bucket. Configure the API Gateway mutual TLS to use the client certificate that is stored in the S3 bucket as the trust store.
D. Upload the provisioned client certificate private key to an Amazon S3 bucket. Configure the API Gateway mutual TLS to use the private key that is stored in the S3 bucket as the trust store.
E. Upload the root private certificate authority (CA) certificate to an Amazon S3 bucket. Configure the API Gateway mutual TLS to use the private CA certificate that is stored in the S3 bucket as the trust store.
Explanation: Mutual TLS (mTLS) authenticates both sides of the connection. For Amazon API Gateway, mTLS is enabled on a custom domain name and requires clients to present X.509 certificates that chain to a trust store you supply. That trust store is a PEM bundle of CA certificates (here the root, or root plus intermediates, of a private CA created with AWS Private CA through ACM) uploaded to an S3 bucket and referenced from the custom domain's mTLS settings. The client certificate issued by that CA stays with the calling team, and its private key never leaves the client. Options C and D are wrong because API Gateway validates against issuing CA certificates, not individual client certificates, and a private key belongs in no trust store. Keeping the default execute-api endpoint disabled, as the company has already done, matters because that endpoint does not enforce the custom domain's mTLS configuration and would otherwise let callers bypass it.
A security team is concerned that a developer can unintentionally attach an Elastic IP
address to an Amazon EC2 instance in production. No developer should be allowed to
attach an Elastic IP address to an instance. The security team must be notified if any
production server has an Elastic IP address at any time.
How can this task be automated?
A. Use Amazon Athena to query AWS CloudTrail logs to check for any associate-address attempts. Create an AWS Lambda function to disassociate the Elastic IP address from the instance, and alert the security team.
B. Attach an IAM policy to the developers' IAM group to deny associate-address permissions. Create a custom AWS Config rule to check whether an Elastic IP address is associated with any instance tagged as production, and alert the security team.
C. Ensure that all IAM groups associated with developers do not have associate-address permissions. Create a scheduled AWS Lambda function to check whether an Elastic IP address is associated with any instance tagged as production, and alert the security team if an instance has an Elastic IP address associated with it.
D. Create an AWS Config rule to check that all production instances have EC2 IAM roles that include deny associate-address permissions. Verify whether there is an Elastic IP address associated with any instance, and alert the security team if an instance has an Elastic IP address associated with it.
Explanation: Prevention and detection are both required, which is what option B provides. An explicit Deny of ec2:AssociateAddress (the API action behind the associate-address CLI command) attached to the developers' IAM group blocks the attachment regardless of any Allow granted elsewhere, because an explicit deny always wins in IAM policy evaluation. A custom AWS Config rule then evaluates instances tagged as production and marks any with an Elastic IP association NON_COMPLIANT, and that result drives the notification to the security team. Option A only reacts after the fact from CloudTrail and leaves the permission in place; option C removes the Allow but never adds an explicit deny (a later Allow would silently re-enable the action) and replaces Config's continuous evaluation with a scheduled Lambda function; option D confuses the instance role, which governs what code on the instance may call, with the developers' own permissions.
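Added example, not code from the original page or from AWS: a minimal Python model of IAM policy evaluation that exercises both the aws:PrincipalTag permission-set policy from the IAM Identity Center question above and the explicit Deny on ec2:AssociateAddress from this question. It implements only Allow/Deny statements, Action and Resource wildcards, StringEquals conditions and ${aws:...} policy-variable substitution; the account ID, instance ARN, tag key "team" and the policy contents are constructed for illustration.

```python
"""Minimal IAM-style policy evaluator (added example; not AWS's implementation).

Covers Allow/Deny statements, Action/Resource wildcards, StringEquals conditions
and ${aws:...} policy-variable substitution. An explicit Deny overrides any
Allow, as in IAM. ARNs, tag keys and account IDs below are constructed samples.
"""
import fnmatch
import re

_VAR = re.compile(r"\$\{([^}]+)\}")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(value, context):
    """Expand ${key} policy variables; None if any key is absent from the request.

    IAM does not match a statement whose variable cannot be resolved, so an
    unresolvable value must never turn into a match.
    """
    missing = False

    def repl(match):
        nonlocal missing
        if match.group(1) not in context:
            missing = True
            return ""
        return context[match.group(1)]

    expanded = _VAR.sub(repl, value)
    return None if missing else expanded


def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            actual = context.get(key)
            allowed = [_substitute(e, context) for e in _as_list(expected)]
            # A request key that is absent makes StringEquals false (no ...IfExists here).
            if actual is None or actual not in allowed:
                return False
    return True


def evaluate(policies, action, resource, context):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
                continue
            resources = [_substitute(r, context) for r in _as_list(stmt.get("Resource", "*"))]
            if not any(r is not None and fnmatch.fnmatchcase(resource, r) for r in resources):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit Deny wins regardless of statement order
            decision = "Allow"
    return decision


# Permission-set inline policy for the IAM Identity Center question: the "team"
# SAML attribute mapped by ABAC arrives as aws:PrincipalTag/team, so a user may
# touch only instances tagged for their own team.
TEAM_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:AssociateAddress"],
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringEquals": {"aws:ResourceTag/team": "${aws:PrincipalTag/team}"}},
    }],
}

# Developer-group policy for the Elastic IP question: an explicit Deny on
# ec2:AssociateAddress (the action behind associate-address) that no Allow overrides.
NO_EIP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "ec2:AssociateAddress", "Resource": "*"}],
}

INSTANCE = "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc12345"  # constructed sample


def context(principal_team, resource_team=None):
    ctx = {"aws:PrincipalTag/team": principal_team}
    if resource_team is not None:
        ctx["aws:ResourceTag/team"] = resource_team
    return ctx


def stop_own_team_instance():
    return evaluate([TEAM_SCOPED_POLICY], "ec2:StopInstances", INSTANCE, context("payments", "payments"))


def stop_other_team_instance():
    return evaluate([TEAM_SCOPED_POLICY], "ec2:StopInstances", INSTANCE, context("payments", "search"))


def stop_untagged_instance():
    return evaluate([TEAM_SCOPED_POLICY], "ec2:StopInstances", INSTANCE, context("payments"))


def developer_attaches_eip():
    # The team policy alone would allow this; the explicit Deny in the group policy wins.
    return evaluate([TEAM_SCOPED_POLICY, NO_EIP_POLICY], "ec2:AssociateAddress", INSTANCE,
                    context("payments", "payments"))


if __name__ == "__main__":
    for check in (stop_own_team_instance, stop_other_team_instance,
                  stop_untagged_instance, developer_attaches_eip):
        print(f"{check.__name__}: {check()}")
```

The untagged-instance case is the one to notice: an instance with no team tag is unreachable to everyone under the ABAC policy, which is the safe default, and it is why tag enforcement on resource creation has to accompany an aws:PrincipalTag design.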
A DevOps engineer has developed an AWS Lambda function. The Lambda function starts
an AWS CloudFormation drift detection operation on all supported resources for a specific
CloudFormation stack. The Lambda function then exits its invocation. The DevOps engineer
has created an Amazon EventBridge scheduled rule that invokes the Lambda function
every hour. An Amazon Simple Notification Service (Amazon SNS) topic already exists in
the AWS account. The DevOps engineer has subscribed to the SNS topic to receive
notifications.
The DevOps engineer needs to receive a notification as soon as possible when drift is
detected in this specific stack configuration.
Which solution will meet these requirements?
A. Configure the existing EventBridge rule to also target the SNS topic. Configure an SNS subscription filter policy to match the CloudFormation stack. Attach the subscription filter policy to the SNS topic.
B. Create a second Lambda function to query the CloudFormation API for the drift detection results for the stack. Configure the second Lambda function to publish a message to the SNS topic if drift is detected. Adjust the existing EventBridge rule to also target the second Lambda function.
C. Configure Amazon GuardDuty in the account with drift detection for all CloudFormation stacks. Create a second EventBridge rule that reacts to the GuardDuty drift detection event finding for the specific CloudFormation stack. Configure the SNS topic as a target of the second EventBridge rule.
D. Configure AWS Config in the account. Use the cloudformation-stack-drift-detection-check managed rule. Create a second EventBridge rule that reacts to a compliance change event for the CloudFormation stack. Configure the SNS topic as a target of the second EventBridge rule.
Explanation:
Option A is incorrect because the scheduled rule fires on a timer and its event carries no drift result; forwarding that event to SNS would notify every hour regardless of the stack's state. An SNS subscription filter policy acts on the attributes (or body) of the messages the topic receives, and a schedule event contains nothing about drift to filter on.
Option B is incorrect because it adds a second function that must poll the drift-detection status, read the results and publish them itself, and it may run before the asynchronous drift detection started by the first function has finished. It can be made to work, but it adds complexity and cost compared with a managed check.
Option C is incorrect because GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior in AWS accounts and workloads. It does not evaluate CloudFormation drift.
Option D is correct because it uses AWS Config, which assesses, audits and evaluates the configuration of AWS resources, together with its managed rule cloudformation-stack-drift-detection-check. The rule reports a stack as NON_COMPLIANT when the stack's drift status is DRIFTED. AWS Config publishes compliance changes to EventBridge as Config Rules Compliance Change events, so a second EventBridge rule can match NON_COMPLIANT results for this rule and this specific stack and deliver them to the SNS topic. Two practical notes: the rule requires the cloudformationRoleArn parameter, the ARN of a role that AWS Config assumes to run drift detection, and the rule is periodic, so the notification arrives at the rule's evaluation frequency rather than at the instant drift appears.
A security review has identified that an AWS CodeBuild project is downloading a database
population script from an Amazon S3 bucket using an unauthenticated request. The
security team does not allow unauthenticated requests to S3 buckets for this project.
How can this issue be corrected in the MOST secure manner?
A. Add the bucket name to the AllowedBuckets section of the CodeBuild project settings. Update the build spec to use the AWS CLI to download the database population script.
B. Modify the S3 bucket settings to enable HTTPS basic authentication and specify a token. Update the build spec to use cURL to pass the token and download the database population script.
C. Remove unauthenticated access from the S3 bucket with a bucket policy. Modify the service role for the CodeBuild project to include Amazon S3 access. Use the AWS CLI to download the database population script.
D. Remove unauthenticated access from the S3 bucket with a bucket policy. Use the AWS CLI to download the database population script using an IAM access key and a secret access key.
Explanation: A bucket policy is a resource-based policy that states who can access a bucket and what they may do with it. Removing the statement that grants access to the anonymous principal (and, better, turning on S3 Block Public Access) means only callers with valid AWS credentials can read the script. The CodeBuild project already runs under a service role, so granting that role s3:GetObject on the script's object ARN, rather than blanket read and write on the bucket, gives the build exactly the access it needs; the AWS CLI in the buildspec then signs its requests with the role's temporary credentials automatically, over TLS. Option D also closes the anonymous access but hard-codes long-lived IAM access keys into the build, a secret that must be rotated and that an attacker can lift from build logs or environment variables. Option B describes S3 features that do not exist, and option A's AllowedBuckets setting is not a CodeBuild project setting.
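As an added example that is not part of the original page or of any AWS tooling, the following Python check finds the kind of anonymous grant the security review flagged and shows the "before" bucket policy beside the hardened one. The bucket name, object key, account ID and role name are assumed.

```python
"""Static check for anonymous grants in an S3 bucket policy (added example, not
AWS or CodeBuild code). Flags Allow statements whose Principal is the anonymous
"*" (or {"AWS": "*"}) with no Condition, which is what made the unauthenticated
download possible, and shows a replacement policy that admits only the CodeBuild
service role. Bucket, key, account and role names are assumed.
"""


def _principals(stmt):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        values = principal.get("AWS", [])
        return values if isinstance(values, list) else [values]
    return []


def anonymous_grants(policy):
    """Return the Sids (or positions) of Allow statements that grant to everyone."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _principals(stmt) and not stmt.get("Condition"):
            findings.append(stmt.get("Sid", f"statement[{index}]"))
    return findings


# Before: lets CodeBuild, and anyone else on the internet, fetch the script without credentials.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadScripts",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-build-assets/scripts/*",
    }],
}

# After: only the CodeBuild service role may read exactly the object the build
# needs, and any request that is not on TLS is refused. Everything else is
# closed by S3's default deny, so no anonymous Allow remains.
SERVICE_ROLE = "arn:aws:iam::111122223333:role/codebuild-db-seed-service-role"  # assumed
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CodeBuildReadSeedScript",
            "Effect": "Allow",
            "Principal": {"AWS": SERVICE_ROLE},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-build-assets/scripts/populate-db.sql",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-build-assets",
                         "arn:aws:s3:::example-build-assets/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def public_before():
    return anonymous_grants(PUBLIC_POLICY)


def public_after():
    return anonymous_grants(HARDENED_POLICY)


if __name__ == "__main__":
    print("anonymous grants before:", public_before())
    print("anonymous grants after:", public_after())
```

Within a single account, either the bucket policy's Allow for the role's ARN or an s3:GetObject statement in the role's own identity policy is enough; the exam answer puts it on the service role, in which case the bucket policy can keep only the Deny. In the buildspec the download is then simply `aws s3 cp s3://example-build-assets/scripts/populate-db.sql .`, signed with the role's credentials.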
A company uses a single AWS account to test applications on Amazon EC2 instances. The
company has turned on AWS Config in the AWS account and has activated the restricted-ssh
AWS Config managed rule.
The company needs an automated monitoring solution that will provide a customized notification in real time if any security group in the account is not compliant with the
restricted-ssh rule. The customized notification must contain the name and ID of the
noncompliant security group.
A DevOps engineer creates an Amazon Simple Notification Service (Amazon SNS) topic in
the account and subscribes the appropriate personnel to the topic.
What should the DevOps engineer do next to meet these requirements?
A. Create an Amazon EventBridge rule that matches an AWS Config evaluation result of NON_COMPLIANT for the restricted-ssh rule. Configure an input transformer for the EventBridge rule. Configure the EventBridge rule to publish a notification to the SNS topic.
B. Configure AWS Config to send all evaluation results for the restricted-ssh rule to the SNS topic. Configure a filter policy on the SNS topic to send only notifications that contain the text of NON_COMPLIANT in the notification to subscribers.
C. Create an Amazon EventBridge rule that matches an AWS Config evaluation result of NON_COMPLIANT for the restricted-ssh rule. Configure the EventBridge rule to invoke AWS Systems Manager Run Command on the SNS topic to customize a notification and to publish the notification to the SNS topic.
D. Create an Amazon EventBridge rule that matches all AWS Config evaluation results of NON_COMPLIANT. Configure an input transformer for the restricted-ssh rule. Configure the EventBridge rule to publish a notification to the SNS topic.
Explanation: Option A. AWS Config publishes each rule evaluation to Amazon EventBridge (formerly Amazon CloudWatch Events) as a Config Rules Compliance Change event, so an EventBridge rule whose event pattern selects source aws.config, configRuleName restricted-ssh and a new compliance type of NON_COMPLIANT fires only for the security groups that matter, in near real time. The rule's input transformer then pulls fields out of that event through an InputPathsMap (for example the resource ID and the rule name) and places them into an InputTemplate, producing the customized message that the rule publishes to the SNS topic. Option B relies on filter policies that apply to message attributes rather than free text, option C misuses Run Command, which targets managed instances, not SNS topics, and option D attaches the transformer to the Config rule and matches every rule's results instead of this one.
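The matching and transformation the explanation describes, as an added example that is not part of the original page or of AWS: a small Python model of the EventBridge pattern language (exact values, nested objects and the "prefix" matcher only) and of the InputPathsMap/InputTemplate transformer, run over constructed AWS Config compliance-change events. It serves both this restricted-ssh question and the drift-detection question above, where the second pattern selects a single stack by ARN prefix. The account ID, region, stack name, security group ID and the sample events are constructed; AWS's real matcher supports more operators than are modelled here.

```python
"""EventBridge rule matching and input transformation (added example, not AWS
code). Models the subset of the EventBridge pattern language used in these
questions and InputPathsMap/InputTemplate rendering, then runs both against
constructed AWS Config "Config Rules Compliance Change" events.
"""
import copy


def _leaf_matches(alternative, value):
    if isinstance(alternative, dict):  # matching expression; only "prefix" modelled
        if "prefix" in alternative:
            return isinstance(value, str) and value.startswith(alternative["prefix"])
        raise NotImplementedError(f"unsupported matcher {alternative}")
    if isinstance(value, list):  # an event array matches if any element matches
        return alternative in value
    return alternative == value


def matches(pattern, event):
    """True if every key in the pattern exists in the event with a matching value."""
    for key, want in pattern.items():
        if key not in event:
            return False
        have = event[key]
        if isinstance(want, dict):
            if not isinstance(have, dict) or not matches(want, have):
                return False
        elif not any(_leaf_matches(alt, have) for alt in want):
            return False
    return True


def _json_path(path, event):
    """Resolve the dotted '$.a.b' paths allowed in an InputPathsMap."""
    if not path.startswith("$."):
        raise ValueError(path)
    node = event
    for part in path[2:].split("."):
        node = node[part]
    return node


def render(input_paths, input_template, event):
    """Fill '<name>' placeholders from the mapped paths; drop the template's outer quotes."""
    text = input_template
    for name, path in input_paths.items():
        text = text.replace(f"<{name}>", str(_json_path(path, event)))
    return text.strip('"')


def compliance_event(rule, resource_type, resource_id, compliance):
    """Constructed sample shaped like the Config Rules Compliance Change event."""
    return {
        "version": "0",
        "source": "aws.config",
        "detail-type": "Config Rules Compliance Change",
        "account": "111122223333",
        "region": "us-east-1",
        "resources": [f"arn:aws:config:us-east-1:111122223333:config-rule/{rule}"],
        "detail": {
            "configRuleName": rule,
            "resourceType": resource_type,
            "resourceId": resource_id,
            "awsRegion": "us-east-1",
            "messageType": "ComplianceChangeNotification",
            "newEvaluationResult": {"complianceType": compliance},
        },
    }


# Rule for the restricted-ssh question: only NON_COMPLIANT results of that rule.
RESTRICTED_SSH_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "configRuleName": ["restricted-ssh"],
        "resourceType": ["AWS::EC2::SecurityGroup"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}
INPUT_PATHS = {"rule": "$.detail.configRuleName", "sg": "$.detail.resourceId",
               "region": "$.detail.awsRegion"}
INPUT_TEMPLATE = '"Security group <sg> in <region> is NON_COMPLIANT with AWS Config rule <rule>."'

# Rule for the drift-detection question: the managed rule's result for one stack,
# selected by ARN prefix (assumed: Config records the stack ARN as the resourceId).
STACK_ARN_PREFIX = "arn:aws:cloudformation:us-east-1:111122223333:stack/prod-app/"  # assumed
DRIFT_PATTERN = copy.deepcopy(RESTRICTED_SSH_PATTERN)
DRIFT_PATTERN["detail"].update({
    "configRuleName": ["cloudformation-stack-drift-detection-check"],
    "resourceType": ["AWS::CloudFormation::Stack"],
    "resourceId": [{"prefix": STACK_ARN_PREFIX}],
})


def sns_message_for(event):
    """The message SNS subscribers receive, or None when the rule does not fire."""
    if not matches(RESTRICTED_SSH_PATTERN, event):
        return None
    return render(INPUT_PATHS, INPUT_TEMPLATE, event)


def drift_rule_fires(event):
    return matches(DRIFT_PATTERN, event)


if __name__ == "__main__":
    bad_sg = compliance_event("restricted-ssh", "AWS::EC2::SecurityGroup",
                              "sg-0123456789abcdef0", "NON_COMPLIANT")
    print(sns_message_for(bad_sg))
```

The point of the prefix matcher on resourceId is that it is what turns "a rule for the drift check" into "a rule for this stack": without it the second rule notifies on every drifted stack the Config rule evaluates.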
A company has microservices running in AWS Lambda that read data from Amazon
DynamoDB. The Lambda code is manually deployed by developers after successful testing.
The company now needs the tests and deployments to be automated and run in the cloud.
Additionally, traffic to the new versions of each microservice should be incrementally
shifted over time after deployment.
What solution meets all the requirements, ensuring the MOST developer velocity?
A. Create an AWS CodePipeline configuration and set up a post-commit hook to trigger the pipeline after tests have passed. Use AWS CodeDeploy and create a Canary deployment configuration that specifies the percentage of traffic and interval.
B. Create an AWS CodeBuild configuration that triggers when the test code is pushed. Use AWS CloudFormation to trigger an AWS CodePipeline configuration that deploys the new Lambda versions and specifies the traffic shift percentage and interval.
C. Create an AWS CodePipeline configuration and set up the source code step to trigger when code is pushed. Set up the build step to use AWS CodeBuild to run the tests. Set up an AWS CodeDeploy configuration to deploy, then select the CodeDeployDefault.LambdaLinear10PercentEvery3Minutes option.
D. Use the AWS CLI to set up a post-commit hook that uploads the code to an Amazon S3 bucket after tests have passed. Set up an S3 event trigger that runs a Lambda function that deploys the new version. Use an interval in the Lambda function to deploy the code over time at the required percentage.
A company updated the AWS CloudFormation template for a critical business application.
The stack update process failed due to an error in the updated template and AWS
CloudFormation automatically began the stack rollback process. Later a DevOps engineer
discovered that the application was still unavailable and that the stack was in the
UPDATE_ROLLBACK_FAILED state.
Which combination of actions should the DevOps engineer perform so that the stack
rollback can complete successfully? (Select TWO.)
A. Attach the AWSCloudFormationFullAccess IAM policy to the AWS CloudFormation role.
B. Automatically recover the stack resources by using AWS CloudFormation drift detection.
C. Issue a ContinueUpdateRollback command from the AWS CloudFormation console or the AWS CLI.
D. Manually adjust the resources to match the expectations of the stack.
E. Update the existing AWS CloudFormation stack by using the original template.