An ecommerce company has chosen AWS to host its new platform. The company's DevOps team has
started building an AWS Control Tower landing zone. The DevOps team has set the identity store
within AWS IAM Identity Center (AWS Single Sign-On) to an external identity provider (IdP) and has
configured SAML 2.0.
The DevOps team wants a robust permission model that applies the principle of least privilege. The
model must allow the team to build and manage only the team's own resources.
Which combination of steps will meet these requirements? (Choose three.)
BCF
Explanation:
With the aws:PrincipalTag condition key in the permission set's inline policy, a user who signs in through the external IdP can act on a resource only when a tag on the user's session (for example, the AD group the user belongs to) matches the corresponding tag on the resource, or the tag supplied in the request when a resource is created. The permission set still grants the broad list of actions, but attribute-based access control (ABAC) narrows their scope at evaluation time to the team's own resources. The mapping from the IdP's group attribute to session tags is done with attributes for access control in IAM Identity Center: the attribute values arrive in the SAML assertion from the IdP and are passed to AWS as principal tags. Two practical checks: tag keys and values are compared exactly (an untagged principal matches nothing), and the team must not be allowed to retag resources with another team's value, otherwise the boundary is trivially bypassed.
https://docs.aws.amazon.com/singlesignon/latest/userguide/abac.html
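The following is an added example, not code from the page or from AWS: a permission-set inline policy that scopes EC2 actions with aws:PrincipalTag, plus a small simulator of the StringEquals condition (with policy-variable substitution) so the narrowing effect can be checked offline. The tag key "team", the action list and the sample request contexts are assumptions.

```python
"""Added example, not from the page: ABAC permission-set policy plus a
simplified evaluator of its StringEquals condition. Tag key 'team', the
action list and the request contexts are assumptions."""
import json
import re

# Permission-set inline policy (assumed). Each statement is gated on the
# 'team' tag that IAM Identity Center sets on the session from the SAML
# attribute mapped in "attributes for access control".
ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ManageOwnTeamResources",
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances",
                       "ec2:TerminateInstances"],
            "Resource": "*",
            "Condition": {"StringEquals": {
                "aws:ResourceTag/team": "${aws:PrincipalTag/team}"}},
        },
        {
            "Sid": "CreateOnlyForOwnTeam",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "*",
            "Condition": {"StringEquals": {
                "aws:RequestTag/team": "${aws:PrincipalTag/team}"}},
        },
    ],
}

_POLICY_VAR = re.compile(r"^\$\{(aws:PrincipalTag/[^}]+)\}$")


def _condition_holds(condition, ctx):
    """Simplified IAM condition check: StringEquals only, with
    ${aws:PrincipalTag/...} substituted from the request context. A key that
    is absent from the context (untagged principal or resource) never
    matches, which is also how IAM treats a missing single-valued key."""
    for key, expected in condition.get("StringEquals", {}).items():
        var = _POLICY_VAR.match(expected)
        if var:
            expected = ctx.get(var.group(1))
        if expected is None or ctx.get(key) != expected:
            return False
    return True


def is_allowed(policy, action, ctx):
    """True if an Allow statement names `action` literally and its condition
    holds for `ctx`. Wildcards in Action and explicit Deny statements are out
    of scope for this simulator."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if action in actions and _condition_holds(stmt.get("Condition", {}), ctx):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(ABAC_POLICY, indent=2))
    # Request context as IAM would see it: session tag from the IdP plus the
    # tag on the instance being stopped (constructed values).
    same_team = {"aws:PrincipalTag/team": "payments", "aws:ResourceTag/team": "payments"}
    other_team = {"aws:PrincipalTag/team": "payments", "aws:ResourceTag/team": "search"}
    print(is_allowed(ABAC_POLICY, "ec2:StopInstances", same_team))   # True
    print(is_allowed(ABAC_POLICY, "ec2:StopInstances", other_team))  # False
```

In a real permission set you still need the unconditioned Describe actions the console relies on and, more importantly, a statement that stops the team from changing the team tag on resources (for example an explicit Deny on ec2:CreateTags and ec2:DeleteTags when aws:RequestTag/team differs from the principal's tag); without it a user can retag a resource into their own team and the condition no longer constrains anything.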
An ecommerce company is receiving reports that its order history page is experiencing delays in
reflecting the processing status of orders. The order processing system consists of an AWS Lambda
function that uses reserved concurrency. The Lambda function processes order messages from an
Amazon Simple Queue Service (Amazon SQS) queue and inserts processed orders into an Amazon
DynamoDB table. The DynamoDB table has auto scaling enabled for read and write capacity.
Which actions should a DevOps engineer take to resolve this delay? (Choose two.)
A, D
Explanation:
A: If ApproximateAgeOfOldestMessage shows that orders stay in the SQS queue longer than expected while the function's Throttles metric is non-zero, the reserved concurrency is set too low for the rate of incoming orders and the function is being throttled; raising the reserved concurrency lets more messages be processed in parallel. D: The DynamoDB table uses Auto Scaling. With Auto Scaling, you create a scaling policy that specifies whether to scale read capacity, write capacity, or both, together with the minimum and maximum provisioned capacity units for the table. Auto Scaling never exceeds the configured maximum, so a non-zero WriteThrottleEvents (or ThrottledRequests) metric while consumed write capacity sits at the maximum means the ceiling itself is the bottleneck; raise the maximum write capacity units in the table's Auto Scaling policy. Throttling well below the maximum points at scaling lag or a hot partition key instead, which a higher maximum will not fix.
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/AutoScaling.html
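As an added illustration (not from the page), the triage below applies the reasoning above to the three CloudWatch metrics it names and reports which of the two fixes the data supports. The metric names are the real CloudWatch names; the datapoints and the Auto Scaling maximum are constructed.

```python
"""Added example, not from the page: decide between 'raise reserved
concurrency' and 'raise the Auto Scaling maximum' from CloudWatch metrics.
Metric names are real; every number below is constructed."""

ACTION_CONCURRENCY = "raise Lambda reserved concurrency"
ACTION_MAX_WCU = "raise DynamoDB Auto Scaling MaxCapacity for writes"
ACTION_INVESTIGATE = "throttled below the ceiling: check scaling lag / hot partition key"

# One datapoint per minute, oldest first (constructed).
SAMPLE = {
    "sqs.ApproximateAgeOfOldestMessage": [5, 40, 130, 400, 900],   # seconds
    "lambda.Throttles": [0, 3, 12, 15, 20],                         # count
    "dynamodb.WriteThrottleEvents": [0, 0, 2, 9, 11],               # count
    "dynamodb.ConsumedWriteCapacityUnits": [80, 140, 195, 200, 200],  # per second
}
AUTOSCALING_MAX_WCU = 200      # MaxCapacity of the write scaling policy (assumed)
MAX_ACCEPTABLE_AGE_S = 60      # how long an order may wait before it counts as delayed


def queue_is_backing_up(age):
    """Consumers are not keeping up when the oldest message keeps getting
    older and has already passed the acceptable delay."""
    rising = all(later >= earlier for earlier, later in zip(age, age[1:]))
    return rising and age[-1] > MAX_ACCEPTABLE_AGE_S


def diagnose(metrics, max_wcu=AUTOSCALING_MAX_WCU):
    """Return the set of actions the metrics support."""
    actions = set()
    backlog = queue_is_backing_up(metrics["sqs.ApproximateAgeOfOldestMessage"])
    if backlog and sum(metrics["lambda.Throttles"]) > 0:
        actions.add(ACTION_CONCURRENCY)
    write_throttled = sum(metrics["dynamodb.WriteThrottleEvents"]) > 0
    at_ceiling = max(metrics["dynamodb.ConsumedWriteCapacityUnits"]) >= max_wcu
    if write_throttled and at_ceiling:
        actions.add(ACTION_MAX_WCU)
    elif write_throttled:
        actions.add(ACTION_INVESTIGATE)
    return actions


if __name__ == "__main__":
    for action in sorted(diagnose(SAMPLE)):
        print(action)
```

The ceiling test matters: raising MaxCapacity only helps when consumed capacity is actually pinned at the maximum; throttling while well below it means Auto Scaling has not caught up yet (its target-tracking reacts to consumed capacity with a delay) or a single partition key is hot, and neither is cured by a bigger maximum.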
A company has a single AWS account that runs hundreds of Amazon EC2 instances in a single AWS
Region. New EC2 instances are launched and terminated each hour in the account. The account also
includes existing EC2 instances that have been running for longer than a week.
The company's security policy requires all running EC2 instances to use an EC2 instance profile. If an
EC2 instance does not have an instance profile attached, the EC2 instance must use a default instance
profile that has no IAM permissions assigned.
A DevOps engineer reviews the account and discovers EC2 instances that are running without an
instance profile. During the review, the DevOps engineer also observes that new EC2 instances are
being launched without an instance profile.
Which solution will ensure that an instance profile is attached to all existing and future EC2 instances
in the Region?
B
Explanation:
The AWS Config managed rule ec2-instance-profile-attached marks any running instance without an instance profile as NON_COMPLIANT. Because it is triggered by configuration changes, it evaluates new instances as they launch as well as the existing ones. To satisfy the policy automatically, attach a remediation action to the rule that runs the AWS-AttachIAMToInstance Systems Manager Automation document with the role behind the default, permission-less instance profile; the rule then both detects and fixes the gap without a custom script.
https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-profile-attached.html
A DevOps engineer is building a continuous deployment pipeline for a serverless application that
uses AWS Lambda functions. The company wants to reduce the customer impact of an unsuccessful
deployment. The company also wants to monitor for issues.
Which deploy stage configuration will meet these requirements?
D
Explanation:
Use routing configuration on an alias to send a portion of traffic to a second function version. For
example, you can reduce the risk of deploying a new version by configuring the alias to send most of
the traffic to the existing version, and only a small percentage of traffic to the new version.
https://docs.aws.amazon.com/lambda/latest/dg/configuration-aliases.html
The following are the steps involved in the deploy stage configuration that will meet the requirements:
Use AWS CodeBuild to add sample event payloads for testing to the Lambda functions.
Publish a new version of the functions, and include Amazon CloudWatch alarms.
Update the production alias to point to the new version.
Configure rollbacks to occur when an alarm is in the ALARM state.
This configuration limits customer impact because the alias update shifts only a portion of production traffic to the new version while the CloudWatch alarms watch its errors and latency; if an alarm enters the ALARM state, the rollback returns the alias to the previous version before most customers are affected. The same alarms provide the monitoring the company asked for, alerting the DevOps engineer to problems with the new version. Two caveats: alias routing works only between published versions, not $LATEST, and the alarm thresholds must be tight enough to trip on the small share of traffic the new version receives.
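The canary flow described above, as an added example that is not code from the page or from AWS: the alias is updated through the Lambda UpdateAlias API with a RoutingConfig weight, an alarm state gates each step, and any ALARM rolls the alias back. FakeLambdaClient stands in for boto3.client("lambda") so the flow runs offline; the function name, alias name and version numbers are assumptions.

```python
"""Added example, not from the page: weighted alias routing with an alarm
gate and rollback. FakeLambdaClient records the same keyword arguments the
real boto3 client accepts; names and version numbers are assumptions."""


class FakeLambdaClient:
    """Offline stand-in for boto3.client("lambda"); only update_alias is needed."""

    def __init__(self):
        self.calls = []

    def update_alias(self, **kwargs):
        self.calls.append(kwargs)
        return kwargs


def shift_traffic(client, function_name, alias, stable_version, new_version, weight):
    """Send `weight` (0.0-1.0) of the alias's invocations to new_version.
    FunctionVersion stays on the stable version; the extra share lives in
    RoutingConfig, which is how the Lambda API models a canary. Both
    versions must be published versions, never $LATEST."""
    if not 0.0 <= weight <= 1.0:
        raise ValueError("weight must be between 0 and 1")
    weights = {new_version: weight} if weight > 0 else {}
    return client.update_alias(
        FunctionName=function_name, Name=alias,
        FunctionVersion=stable_version,
        RoutingConfig={"AdditionalVersionWeights": weights},
    )


def promote(client, function_name, alias, new_version):
    """Point the alias fully at new_version and clear the routing config."""
    return client.update_alias(
        FunctionName=function_name, Name=alias,
        FunctionVersion=new_version,
        RoutingConfig={"AdditionalVersionWeights": {}},
    )


def canary_deploy(client, alarm_state, function_name, alias, stable, new,
                  steps=(0.1, 0.5)):
    """Walk the canary steps. `alarm_state()` returns the composite alarm's
    StateValue ("OK", "ALARM", "INSUFFICIENT_DATA"); in real use it wraps
    cloudwatch.describe_alarms after the bake time for each step. An ALARM
    rolls the alias back to the stable version and reports failure."""
    for weight in steps:
        shift_traffic(client, function_name, alias, stable, new, weight)
        if alarm_state() == "ALARM":
            shift_traffic(client, function_name, alias, stable, new, 0.0)  # rollback
            return "rolled back"
    promote(client, function_name, alias, new)
    return "promoted"


if __name__ == "__main__":
    client = FakeLambdaClient()
    print(canary_deploy(client, lambda: "OK", "order-processor", "prod", "1", "2"))
    for call in client.calls:
        print(call["FunctionVersion"], call["RoutingConfig"])
```

This is the loop that a CodeDeploy Lambda deployment with a canary deployment configuration, alarms and automatic rollback runs for you; seeing it spelled out makes clear why a version that only receives 10 percent of traffic needs alarms on rates and percentages rather than absolute counts.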
To run an application, a DevOps engineer launches an Amazon EC2 instance with public IP addresses
in a public subnet. A user data script obtains the application artifacts and installs them on the
instances upon launch. A change to the security classification of the application now requires the
instances to run with no access to the internet. While the instances launch successfully and show as
healthy, the application does not seem to be installed.
Which of the following should successfully install the application while complying with the new rule?
C
Explanation:
EC2 instances in subnets with no route to the internet can still reach Amazon S3 through a gateway VPC endpoint for S3 in the same Region: the endpoint adds a route for the S3 prefix list to the subnet's route table, so the traffic never leaves the AWS network. Store the application artifacts in an S3 bucket, associate the endpoint with the route tables of the instances' subnets, and have the user data script download the artifacts from the bucket. A bucket policy can restrict which VPCs and which VPC endpoints may access the bucket (the aws:SourceVpc and aws:SourceVpce condition keys). Two checks: the endpoint only covers S3 in its own Region, so the user data must not fetch anything else from the internet (package repositories included), and the instance profile must grant s3:GetObject on the bucket, because the endpoint carries no credentials of its own.
https://aws.amazon.com/pt/blogs/aws/new-vpc-endpoint-for-amazon-s3/
A development team is using AWS CodeCommit to version control application code and AWS
CodePipeline to orchestrate software deployments. The team has decided to use a remote main
branch as the trigger for the pipeline to integrate code changes. A developer has pushed code
changes to the CodeCommit repository, but noticed that the pipeline had no reaction, even after 10
minutes.
Which of the following actions should be taken to troubleshoot this issue?
A
Explanation:
When you create a pipeline in the CodePipeline console, the wizard also creates an Amazon EventBridge (formerly CloudWatch Events) rule scoped to one repository and one branch, like this:
{
    "source": ["aws.codecommit"],
    "detail-type": ["CodeCommit Repository State Change"],
    "resources": ["arn:aws:codecommit:us-east-1:xxxxx:repo-name"],
    "detail": {
        "event": ["referenceCreated", "referenceUpdated"],
        "referenceType": ["branch"],
        "referenceName": ["master"]
    }
}
The rule matches nothing unless the branch pushed to is the one listed in referenceName: the pattern above fires only for master, so pushes to main are ignored. Check that the rule exists at all (a pipeline created with the CLI or CloudFormation gets no rule unless you add one), that referenceName is the branch the team actually pushes to, that the rule's target is the pipeline, and that the role attached to the rule is allowed to call codepipeline:StartPipelineExecution.
https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-trigger-source-repo-changes-console.html
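Added example, not code from the page or from AWS: a minimal implementation of the EventBridge event-pattern matching rules (every key in the pattern must be present in the event, and a leaf list matches when the event value equals one of its entries), used to show that the console-generated rule fires for pushes to the branch it was created for and for nothing else. The repository ARN, account ID and branch names are assumptions.

```python
"""Added example, not from the page: EventBridge pattern matching applied to
CodeCommit state-change events. Repository ARN, account and branch names
are assumptions; the events are constructed."""

REPO_ARN = "arn:aws:codecommit:us-east-1:111122223333:app-repo"  # assumed

# Rule pattern as the console wizard creates it when the pipeline source is
# branch "main".
PIPELINE_TRIGGER_PATTERN = {
    "source": ["aws.codecommit"],
    "detail-type": ["CodeCommit Repository State Change"],
    "resources": [REPO_ARN],
    "detail": {
        "event": ["referenceCreated", "referenceUpdated"],
        "referenceType": ["branch"],
        "referenceName": ["main"],
    },
}


def matches(pattern, event):
    """Subset of EventBridge matching: exact values only (no prefix,
    anything-but or numeric filters). A pattern key that is absent from the
    event never matches; an event list matches if any element is listed."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not matches(allowed, event[key]):
                return False
        else:
            value = event[key]
            values = value if isinstance(value, list) else [value]
            if not any(v in allowed for v in values):
                return False
    return True


def push_event(branch, repo_arn=REPO_ARN):
    """Constructed CodeCommit state-change event for a push to `branch`."""
    return {
        "source": "aws.codecommit",
        "detail-type": "CodeCommit Repository State Change",
        "resources": [repo_arn],
        "detail": {
            "event": "referenceUpdated",
            "referenceType": "branch",
            "referenceName": branch,
        },
    }


if __name__ == "__main__":
    for branch in ("main", "master", "feature/checkout"):
        print(branch, matches(PIPELINE_TRIGGER_PATTERN, push_event(branch)))
```

Running the same check with the page's pattern (referenceName set to master) against a push to main returns False, which is exactly the silent failure the developer observed: nothing is broken, the rule simply never matches.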
A company's developers use Amazon EC2 instances as remote workstations. The company is
concerned that users can create or modify EC2 security groups to allow unrestricted inbound access.
A DevOps engineer needs to develop a solution to detect when users create unrestricted security
group rules. The solution must detect changes to security group rules in near real time, remove
unrestricted rules, and send email notifications to the security team. The DevOps engineer has
created an AWS Lambda function that checks for security group ID from input, removes rules that
grant unrestricted access, and sends notifications through Amazon Simple Notification Service
(Amazon SNS).
What should the DevOps engineer do next to meet the requirements?
C
Explanation:
To meet the requirements, the DevOps engineer should create an Amazon EventBridge rule on the default event bus whose event pattern matches the EC2 API calls that create or change security group rules (source aws.ec2, detail-type "AWS API Call via CloudTrail", event names such as AuthorizeSecurityGroupIngress and ModifySecurityGroupRules), with the Lambda function as the target. CloudTrail delivers these management events to EventBridge in near real time, so the Lambda function can remove the unrestricted rules and publish the SNS notification shortly after the change is made. One prerequisite: the Region must have a CloudTrail trail logging management events, otherwise the "AWS API Call via CloudTrail" events are never emitted and the rule never fires.
https://repost.aws/knowledge-center/monitor-security-group-changes-ec2
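Added example, not code from the page or from AWS: the event pattern that routes security group API calls to the Lambda function, and the rule-checking and revocation logic such a function needs, run over a constructed CloudTrail-shaped event and a constructed describe_security_group_rules response. The EC2 and SNS clients are injected (the recorders below stand in for boto3.client("ec2") and boto3.client("sns")) so it runs offline; the group ID, rule IDs and topic ARN are assumptions.

```python
"""Added example, not from the page: detect and revoke unrestricted inbound
security group rules from a CloudTrail API-call event. IDs, the topic ARN
and all sample data are constructed."""
import ipaddress

# EventBridge rule pattern: management API calls recorded by CloudTrail.
SG_CHANGE_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": ["AuthorizeSecurityGroupIngress", "ModifySecurityGroupRules"],
    },
}
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:security-team"  # assumed

# Constructed event (trimmed to the fields used) for a user opening a port.
SAMPLE_EVENT = {
    "source": "aws.ec2",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "requestParameters": {"groupId": "sg-0123456789abcdef0"},
    },
}
# Constructed describe_security_group_rules response for that group.
SAMPLE_RULES = [
    {"SecurityGroupRuleId": "sgr-0aaa", "GroupId": "sg-0123456789abcdef0", "IsEgress": False,
     "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIpv4": "10.0.0.0/8"},
    {"SecurityGroupRuleId": "sgr-0bbb", "GroupId": "sg-0123456789abcdef0", "IsEgress": False,
     "IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "CidrIpv4": "0.0.0.0/0"},
    {"SecurityGroupRuleId": "sgr-0ccc", "GroupId": "sg-0123456789abcdef0", "IsEgress": False,
     "IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "CidrIpv6": "::/0"},
    {"SecurityGroupRuleId": "sgr-0ddd", "GroupId": "sg-0123456789abcdef0", "IsEgress": True,
     "IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "CidrIpv4": "0.0.0.0/0"},
]


class FakeEC2:
    """Offline stand-in for boto3.client("ec2") backed by SAMPLE_RULES."""
    def __init__(self, rules):
        self.rules, self.revoked = list(rules), []

    def describe_security_group_rules(self, Filters):
        gid = Filters[0]["Values"][0]
        return {"SecurityGroupRules": [r for r in self.rules if r["GroupId"] == gid]}

    def revoke_security_group_ingress(self, GroupId, SecurityGroupRuleIds):
        self.revoked.extend(SecurityGroupRuleIds)
        self.rules = [r for r in self.rules if r["SecurityGroupRuleId"] not in SecurityGroupRuleIds]
        return {"Return": True}


class FakeSNS:
    """Offline stand-in for boto3.client("sns")."""
    def __init__(self):
        self.published = []

    def publish(self, **kwargs):
        self.published.append(kwargs)
        return {"MessageId": "constructed"}


def is_unrestricted(rule):
    """Inbound rule open to every address: a /0 prefix in IPv4 or IPv6.
    Egress rules are left alone; the policy is about inbound access."""
    if rule.get("IsEgress"):
        return False
    return any(rule.get(k) and ipaddress.ip_network(rule[k], strict=False).prefixlen == 0
               for k in ("CidrIpv4", "CidrIpv6"))


def remediate(event, ec2, sns, topic_arn):
    """Revoke every unrestricted inbound rule in the group named by the event,
    notify the security team, and return the revoked rule IDs. Shape shown
    for AuthorizeSecurityGroupIngress; other API names need their own
    requestParameters handling."""
    group_id = event["detail"]["requestParameters"]["groupId"]
    rules = ec2.describe_security_group_rules(
        Filters=[{"Name": "group-id", "Values": [group_id]}])["SecurityGroupRules"]
    bad = [r for r in rules if is_unrestricted(r)]
    if not bad:
        return []
    rule_ids = [r["SecurityGroupRuleId"] for r in bad]
    ec2.revoke_security_group_ingress(GroupId=group_id, SecurityGroupRuleIds=rule_ids)
    lines = [f"{r['SecurityGroupRuleId']} {r.get('CidrIpv4') or r.get('CidrIpv6')} "
             f"proto={r['IpProtocol']} ports={r.get('FromPort')}-{r.get('ToPort')}" for r in bad]
    sns.publish(TopicArn=topic_arn,
                Subject=f"Removed {len(rule_ids)} open ingress rule(s) from {group_id}",
                Message="\n".join(lines))
    return rule_ids


if __name__ == "__main__":
    ec2, sns = FakeEC2(SAMPLE_RULES), FakeSNS()
    print(remediate(SAMPLE_EVENT, ec2, sns, TOPIC_ARN))
    print(sns.published[0]["Message"])
```

The Lambda handler would wrap remediate with real boto3 clients and the topic ARN from an environment variable. Note the limit of the /0 check, which is the page's definition of "unrestricted": a pair of /1 rules (0.0.0.0/1 and 128.0.0.0/1) covers the whole internet and passes untouched, so a production version should flag prefixes shorter than a chosen threshold, and re-running the function is safe because the second pass finds nothing to revoke.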
A DevOps engineer is creating an AWS CloudFormation template to deploy a web service. The web
service will run on Amazon EC2 instances in a private subnet behind an Application Load Balancer
(ALB). The DevOps engineer must ensure that the service can accept requests from clients that have
IPv6 addresses.
What should the DevOps engineer do with the CloudFormation template so that IPv6 clients can
access the web service?
D
Explanation:
The change involves adding an IPv6 CIDR block to the VPC and to the subnets the ALB uses, and setting the IpAddressType property of the AWS::ElasticLoadBalancingV2::LoadBalancer resource to dualstack. The ALB then listens on both IPv4 and IPv6 addresses and forwards requests to the EC2 instances registered in its target group; the instances can stay IPv4-only in the private subnet, because the ALB terminates the client connection. The ALB's security group must also allow inbound traffic from ::/0 (or the relevant IPv6 range); otherwise IPv6 clients are dropped before they reach the listener.
A company uses AWS Organizations and AWS Control Tower to manage all the company's AWS
accounts. The company uses the Enterprise Support plan.
A DevOps engineer is using Account Factory for Terraform (AFT) to provision new accounts. When
new accounts are provisioned, the DevOps engineer notices that the support plan for the new
accounts is set to the Basic Support plan. The DevOps engineer needs to implement a solution to
provision the new accounts with the Enterprise Support plan.
Which solution will meet these requirements?
D
Explanation:
AWS Organizations manages multiple AWS accounts, and AWS Control Tower sets up and governs a secure, compliant multi-account environment on top of it. Account Factory for Terraform (AFT) is a Control Tower feature that provisions new accounts with Terraform. To provision accounts with the Enterprise Support plan, set the aft_feature_enterprise_support feature flag to true in the AFT deployment input configuration: AFT then opens a support case from the management account to enroll each newly provisioned account in Enterprise Support. This only works when the management account itself is on the Enterprise Support plan, which is the case here.
https://docs.aws.amazon.com/controltower/latest/userguide/aft-feature-options.html
A company's DevOps engineer uses AWS Systems Manager to perform maintenance tasks during
maintenance windows. The company has a few Amazon EC2 instances that require a restart after
notifications from AWS Health. The DevOps engineer needs to implement an automated solution to
remediate these notifications. The DevOps engineer creates an Amazon EventBridge rule.
How should the DevOps engineer configure the EventBridge rule to meet these requirements?
C
Explanation:
AWS Health publishes events about your AWS resources, including scheduled EC2 maintenance, and integrates with Amazon EventBridge so they can be acted on automatically. When an AWS Health event says an EC2 instance needs a restart, an EventBridge rule can match it and invoke a Lambda function as its target; the function then registers a Systems Manager Automation task in the maintenance window to restart the instance. The event source is AWS Health (not EC2 or Systems Manager), and Lambda is used because scheduling the task requires more logic than a built-in EventBridge target provides.
The following are the steps involved in configuring the EventBridge rule to meet these requirements:
Configure an event source of AWS Health, a service of EC2, and an event type that indicates instance maintenance.
Target a newly created AWS Lambda function that registers an automation task to restart the EC2 instance during a maintenance window.
EventBridge invokes the function asynchronously each time AWS Health updates the event, so the function should be idempotent: keying on the Health event ARN avoids registering a duplicate task for the same scheduled maintenance.
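Added example, not code from the page or from AWS: the EventBridge pattern for scheduled EC2 changes published by AWS Health, and the Lambda-side logic that pulls the affected instance IDs from the event and registers a Systems Manager maintenance-window task running the AWS-RestartEC2Instance Automation document against them. The SSM client is injected (the recorder below stands in for boto3.client("ssm")); the window ID, role ARN and event contents are assumed or constructed.

```python
"""Added example, not from the page: turn an AWS Health EC2 scheduled-change
event into a maintenance-window Automation task. Window ID, role ARN and
the event are constructed."""

HEALTH_EC2_PATTERN = {
    "source": ["aws.health"],
    "detail-type": ["AWS Health Event"],
    "detail": {"service": ["EC2"], "eventTypeCategory": ["scheduledChange"]},
}
WINDOW_ID = "mw-0123456789abcdef0"                                   # assumed
ROLE_ARN = "arn:aws:iam::111122223333:role/MaintenanceWindowRole"   # assumed

# Constructed AWS Health event, trimmed to the fields used below.
SAMPLE_HEALTH_EVENT = {
    "source": "aws.health",
    "detail-type": "AWS Health Event",
    "detail": {
        "eventArn": "arn:aws:health:us-east-1::event/EC2/AWS_EC2_INSTANCE_REBOOT_MAINTENANCE_SCHEDULED/constructed",
        "service": "EC2",
        "eventTypeCode": "AWS_EC2_INSTANCE_REBOOT_MAINTENANCE_SCHEDULED",
        "eventTypeCategory": "scheduledChange",
        "affectedEntities": [
            {"entityValue": "i-0aaaaaaaaaaaaaaa1"},
            {"entityValue": "i-0bbbbbbbbbbbbbbb2"},
            {"entityValue": "AWS_ACCOUNT"},   # not an instance; must be skipped
        ],
    },
}


class FakeSSM:
    """Offline stand-in for boto3.client("ssm") that records registrations."""
    def __init__(self):
        self.tasks = []

    def register_task_with_maintenance_window(self, **kwargs):
        self.tasks.append(kwargs)
        return {"WindowTaskId": f"task-{len(self.tasks)}"}


def affected_instances(event):
    """Instance IDs live in detail.affectedEntities[].entityValue; Health can
    list non-instance entities too, so keep only i-* values."""
    entities = event["detail"].get("affectedEntities", [])
    return sorted({e["entityValue"] for e in entities
                   if str(e.get("entityValue", "")).startswith("i-")})


def build_restart_task(event, window_id=WINDOW_ID, role_arn=ROLE_ARN):
    """Keyword arguments for ssm.register_task_with_maintenance_window, or
    None when the event names no instances."""
    instance_ids = affected_instances(event)
    if not instance_ids:
        return None
    code = event["detail"].get("eventTypeCode", "scheduled-change")
    return {
        "WindowId": window_id,
        "Name": ("health-" + code.lower().replace("_", "-"))[:128],
        "TaskArn": "AWS-RestartEC2Instance",
        "TaskType": "AUTOMATION",
        "ServiceRoleArn": role_arn,
        "Targets": [{"Key": "InstanceIds", "Values": instance_ids}],
        "TaskInvocationParameters": {"Automation": {
            "DocumentVersion": "$DEFAULT",
            # The window expands {{TARGET_ID}} to each targeted instance.
            "Parameters": {"InstanceId": ["{{TARGET_ID}}"]},
        }},
        "MaxConcurrency": "1",   # restart one instance at a time
        "MaxErrors": "1",
        "Priority": 1,
    }


def register_restart(ssm, event, **overrides):
    """Register the task and return its WindowTaskId (None if nothing to do)."""
    task = build_restart_task(event, **overrides)
    if task is None:
        return None
    return ssm.register_task_with_maintenance_window(**task)["WindowTaskId"]


if __name__ == "__main__":
    ssm = FakeSSM()
    print(register_restart(ssm, SAMPLE_HEALTH_EVENT))
    print(ssm.tasks[0]["Targets"])
```

The Lambda handler would call register_restart with a real SSM client; since AWS Health re-emits the event as its status changes, a production handler should first record the event ARN (for example with a conditional write to a DynamoDB table) and skip registration when it has already been seen.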