DOP-C02 Exam Dumps - Amazon Web Services AWS Certified Professional Questions and Answers

Question # 124

A company requires its internal business teams to launch resources through pre-approved AWS CloudFormation templates only. The security team requires automated monitoring when resources drift from their expected state.

Which strategy should be used to meet these requirements?

Options:

Allow users to deploy CloudFormation stacks using a CloudFormation service role only. Use CloudFormation drift detection to detect when resources have drifted from their expected state.

Allow users to deploy CloudFormation stacks using a CloudFormation service role only. Use AWS Config rules to detect when resources have drifted from their expected state.

Allow users to deploy CloudFormation stacks using AWS Service Catalog only. Enforce the use of a launch constraint. Use AWS Config rules to detect when resources have drifted from their expected state.

Allow users to deploy CloudFormation stacks using AWS Service Catalog only. Enforce the use of a template constraint. Use Amazon EventBridge notifications to detect when resources have drifted from their expected state.

Buy Now

Answer:

Explanation:

The correct answer is C. Allowing users to deploy CloudFormation stacks using AWS Service Catalog only and enforcing the use of a launch constraint is the best way to ensure that the internal business teams launch resources through pre-approved CloudFormation templates only. AWS Service Catalog is a service that enables organizations to create and manage catalogs of IT services that are approved for use on AWS. A launch constraint is a rule that specifies the role that AWS Service Catalog assumes when launching a product. By using a launch constraint, the DevOps engineer can control the permissions that the users have when launching a product. Using AWS Config rules to detect when resources have drifted from their expected state is the best way to automate the monitoring of the resources. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config rules are custom or managed rules that AWS Config uses to evaluate whether your AWS resources comply with your desired configurations. By using AWS Config rules, the DevOps engineer can track the changes in the resources and identify any non-compliant resources.

Option A is incorrect because allowing users to deploy CloudFormation stacks using a CloudFormation service role only is not the best way to ensure that the internal business teams launch resources through pre-approved CloudFormation templates only. A CloudFormation service role is an IAM role that CloudFormation assumes to create, update, or delete the stack resources. By using a CloudFormation service role, the DevOps engineer can control the permissions that CloudFormation has when acting on the resources, but not the permissions that the users have when launching a stack. Therefore, option A does not prevent the users from launching resources that are not approved by the company. Using CloudFormation drift detection to detect when resources have drifted from their expected state is a valid way to monitor the resources, but it is not as automated and scalable as using AWS Config rules. CloudFormation drift detection is a feature that enables you to detect whether a stack’s actual configuration differs, or has drifted, from its expected configuration. To use this feature, the DevOps engineer would need to manually initiate a drift detection operation on the stack or the stack resources, and then view the drift status and details in the CloudFormation console or API.

Option B is incorrect because allowing users to deploy CloudFormation stacks using a CloudFormation service role only is not the best way to ensure that the internal business teams launch resources through pre-approved CloudFormation templates only, as explained in option A. Using AWS Config rules to detect when resources have drifted from their expected state is a valid way to monitor the resources, as explained in option C.

Option D is incorrect because enforcing the use of a template constraint is not the best way to ensure that the internal business teams launch resources through pre-approved CloudFormation templates only. A template constraint is a rule that defines the values or properties that users can specify when launching a product. By using a template constraint, the DevOps engineer can control the parameters that the users can provide when launching a product, but not the permissions that the users have when launching a product. Therefore, option D does not prevent the users from launching resources that are not approved by the company. Using Amazon EventBridge notifications to detect when resources have drifted from their expected state is a less reliable and consistent solution than using AWS Config rules. Amazon EventBridge is a service that enables you to connect your applications with data from a variety of sources. Amazon EventBridge can deliver a stream of real-time data from event sources, such as AWS services, and route that data to targets, such as AWS Lambda functions. However, to use this solution, the DevOps engineer would need to configure the event source, the event bus, the event rule, and the event target for each resource type that needs to be monitored, which is more complex and error-prone than using AWS Config rules.

Question # 125

A company uses Amazon API Gateway and AWS Lambda functions to implement an API. The company uses a pipeline in AWS CodePipeline to build and deploy the API. The pipeline contains a source stage, build stage, and deployment stage.

The company deploys the API without performing smoke tests. Soon after the deployment, the company observes multiple issues with the API. A security audit finds security vulnerabilities in the production code.

The company wants to prevent these issues from happening in the future.

Which combination of steps will meet this requirement? (Select TWO.)

Options:

Create a smoke test script that returns an error code if the API code fails the test. Add an action in the deployment stage to run the smoke test script after deployment. Configure the deployment stage for automatic rollback.

Add an action in the build stage that uses Amazon Inspector to scan the Lambda function code after the code is built. Configure the build stage to fail if the scan returns any security findings. D. Add an action in the build stage to run an Amazon CodeGuru code scan after the code is built. Configure the build stage to fail if the scan returns any security findings.

Add an action in the deployment stage to run an Amazon CodeGuru code scan after deployment. Configure the deployment stage to fail if the scan returns any security findings.

Buy Now

Question # 126

A company uses an organization in AWS Organizations to manage multiple AWS accounts The company needs an automated process across all AWS accounts to isolate any compromised Amazon EC2 instances when the instances receive a specific tag.

Which combination of steps will meet these requirements? (Select TWO.)

Options:

Use AWS Cloud Formation StackSets to deploy the Cloud Formation stacks in all AWS accounts.

Create an SCP that has a Deny statement for the ec2:" action with a condition of "aws:RequestTag/isolation": false.

Attach the SCP to the root of the organization.

Create an AWS Cloud Formation template that creates an EC2 instance rote that has no 1AM policies attached. Configure the template to have a security group that has an explicit Deny rule on all traffic. Use the Cloud Formation template to create an AWS Lambda function that attaches the 1AM role to instances. Configure the Lambda function to add a network ACL. Sot up an Amazon EventBridge rule to invoke the Lambda function when a specific ta

Create an AWS Cloud Formation template that creates an EC2 instance role that has no 1AM policies attached. Configure the template to have a security group that has no inbound rules or outbound rules. Use the CloudFormation template to create an AWS Lambda function that attaches the 1AM role to instances. Configure the Lambda function to replace any existing security groups with the new security group. Set up an Amazon EventBridge rule to i

Buy Now

Answer:

A, E

Explanation:

 Step 1: Deploy the Automation Solution using CloudFormation StackSets

To automate the process across multiple AWS accounts within an organization, you can use AWS CloudFormation StackSets. StackSets allow you to deploy CloudFormation templates to multiple accounts within an organization, ensuring consistent infrastructure and automation.

Action: Use AWS CloudFormation StackSets to deploy the necessary resources across all AWS accounts. This includes deploying the Lambda function and security groups that will isolate compromised EC2 instances.

Why: StackSets make it easy to deploy and manage resources across multiple AWS accounts, reducing the operational overhead.

[Reference: AWS documentation on CloudFormation StackSets., This corresponds to Option A: Use AWS CloudFormation StackSets to deploy the CloudFormation stacks in all AWS accounts.,  Step 2: Isolate EC2 Instances using Lambda and Security GroupsWhen an EC2 instance is compromised, it needs to be isolated from the network. This can be done by creating a security group with no inbound or outbound rules and attaching it to the instance. A Lambda function can handle this process and can be triggered automatically by an Amazon EventBridge rule when a specific tag (e.g., "isolation") is applied to the compromised instance., Action: Create a Lambda function that attaches an isolated security group (with no inbound or outbound rules) to the compromised EC2 instances. Set up an EventBridge rule to trigger the Lambda function when the "isolation" tag is applied to the instance., Why: This automates the isolation process, ensuring that any compromised instances are immediately cut off from the network, reducing the potential damage from the compromise., Reference: AWS documentation on Tag-based Event Handling., This corresponds to Option E: Create an AWS CloudFormation template that creates an EC2 instance role that has no IAM policies attached. Configure the template to have a security group that has no inbound rules or outbound rules. Use the CloudFormation template to create an AWS Lambda function that attaches the IAM role to instances. Configure the Lambda function to replace any existing security groups with the new security group. Set up an Amazon EventBridge rule to invoke the Lambda function when a specific tag is applied to a compromised EC2 instance., , , ]

Question # 127

A DevOps engineer updates an AWS CloudFormation stack to add a nested stack that includes several Amazon EC2 instances. When the DevOps engineer attempts to deploy the updated stack, the nested stack fails to deploy. What should the DevOps engineer do to determine the cause of the failure?

Options:

Use the CloudFormation detect root cause capability for the failed stack to analyze the failure and return the event that is the most likely cause for the failure.

Query failed stacks by specifying the root stack as the ParentId property. Examine the StackStatusReason property for all returned stacks to determine the reason the nested stack failed to deploy.

Activate AWS Systems Manager for the AWS account where the application runs. Use the AWS Systems Manager Automation AWSSupport-TroubleshootCFNCustomResource runbook to determine the reason the nested stack failed to deploy.

Configure the CloudFormation template to publish logs to Amazon CloudWatch. View the CloudFormation logs for the failed stack in the CloudWatch console to determine the reason the nested stack failed to deploy.

Buy Now

Question # 128

A company has implemented a new microservices-based application on an Amazon Elastic Container Service (Amazon ECS) cluster. After each deployment, the company wants to validate the critical user journeys and API endpoints before routing traffic to the new application version.

The company must implement an automated solution to detect issues in the new deployment and to initiate a rollback if necessary.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

Set up Amazon CloudWatch Application Insights for the ECS cluster. Create an Amazon EventBridge rule to invoke an AWS Lambda function to analyze the task states. Program the Lambda function to use the ECS UpdateService API call to initiate a rollback if a specific percentage of tasks fail.

Set up Amazon CloudWatch Application Insights for the ECS cluster. Configure Application Insights to monitor key performance indicators of the microservices in the critical user journeys and API calls. Create CloudWatch alarms based on the insights. Use EventBridge to invoke an AWS Step Functions workflow to evaluate the alarms. Configure the workflow to initiate a rollback if necessary by using the alarms' built-in integration with

Create CloudWatch Synthetics canaries that simulate critical user journeys and API calls. Implement AWS X-Ray tracing for all the microservices. Configure X-Ray to send traces to CloudWatch. Create CloudWatch alarms based on error rates and latency metrics. Create a Lambda function to analyze the traces and to initiate a rollback if necessary by using the alarms' built-in integration with Amazon ECS.

Create CloudWatch Synthetics canaries that simulate critical user journeys and API calls. Configure the canaries to run against the new deployment. Create CloudWatch alarms that are invoked when canaries fail. Use the alarms' built-in integration with Amazon ECS to initiate a rollback if the alarms are invoked before traffic is routed to the new deployment.

Buy Now