
Updated Sep-2022 Exam Engine for AWS-DevOps-Engineer-Professional Exam Free Demo & 365 Day Updates
Exam Passing Guarantee AWS-DevOps-Engineer-Professional Exam with Accurate Questions!
AWS DevOps Engineer Professional Exam advantages below
Amazon AWS DevOps Engineer Professional certified professionals gain access to more useful and relevant networks that help them set career goals. These networks give them a clearer career direction than non-certified professionals are usually able to get.
Amazon AWS DevOps Engineer Professional certified professionals are more confident and stand out from others because their skills are more thoroughly trained than those of non-certified professionals.
Amazon AWS DevOps Engineer Professional certified professionals have the knowledge to use the tools to complete tasks more efficiently and cost-effectively than non-certified professionals, who lack this ability.
Monitoring and Logging (15%)
- Defining how to implement tagging and other metadata strategies;
- Applying the concepts required for auditing, logging, and monitoring operating systems, applications & infrastructure;
- Applying the concepts required for automating the event and monitor management of the environment.
NEW QUESTION 22
What does the Docker network docker_gwbridge do?
- A. allows communication between swarm nodes on different hosts
- B. allows communication between containers on the same host
- C. allows communication between containers on the different hosts
- D. allows communication between swarm nodes on the same host
Answer: A
Explanation:
The docker_gwbridge is a local bridge network which is automatically created by Docker in two different circumstances: When you initialize or join a swarm, Docker creates the docker_gwbridge network and uses it for communication among swarm nodes on different hosts. When none of a container's networks can provide external connectivity, Docker connects the container to the docker_gwbridge network in addition to the container's other networks, so that the container can connect to external networks or other swarm nodes.
Reference:
https://docs.docker.com/engine/userguide/networking/#the-docker_gwbridge-network
NEW QUESTION 23
Which of these is not a reason a Multi-AZ RDS instance will failover?
- A. To autoscale to a higher instance class
- B. The primary DB instance fails
- C. A manual failover of the DB instance was initiated using Reboot with failover
- D. An Availability Zone outage
Answer: A
Explanation:
The primary DB instance switches over automatically to the standby replica if any of the following conditions occur: an Availability Zone outage, the primary DB instance fails, the DB instance's server type is changed, the operating system of the DB instance is undergoing software patching, or a manual failover of the DB instance was initiated using Reboot with failover.
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html
NEW QUESTION 24
Which of the following CLI commands is used to spin up new EC2 Instances?
- A. aws ec2 new-instances
- B. aws ec2 run-instances
- C. aws ec2 create-instances
- D. aws ec2 launch-instances
Answer: B
Explanation:
The AWS Documentation mentions the following:
Launches the specified number of instances using an AMI for which you have permissions.
You can specify a number of options, or leave the default options. The following rules apply:
* [EC2-VPC] If you don't specify a subnet ID, we choose a default subnet from your default VPC for you. If you don't have a default VPC, you must specify a subnet ID in the request.
* [EC2-Classic] If you don't specify an Availability Zone, we choose one for you.
* Some instance types must be launched into a VPC. If you do not have a default VPC, or if you do not specify a subnet ID, the request fails. For more information, see Instance Types Available Only in a VPC.
* [EC2-VPC] All instances have a network interface with a primary private IPv4 address. If you don't specify this address, we choose one from the IPv4 range of your subnet.
* Not all instance types support IPv6 addresses. For more information, see Instance Types.
* If you don't specify a security group ID, we use the default security group. For more information, see Security Groups.
* If any of the AMIs have a product code attached for which the user has not subscribed, the request fails.
For more information on the EC2 run-instances command, please refer to the below link:
* http://docs.aws.amazon.com/cli/latest/reference/ec2/run-instances.html
NEW QUESTION 25
Which of the following services can be used to provision an ECS cluster containing the following components in an automated way?
1) Application Load Balancer for distributing traffic among various task instances running on EC2 Instances
2) A single task instance on each EC2 instance running as part of an Auto Scaling group
3) Ability to support various types of deployment strategies
- A. SAM
- B. Elastic Beanstalk
- C. CodeCommit
- D. OpsWorks
Answer: B
Explanation:
You can create Docker environments that support multiple containers per Amazon EC2 instance with the multi-container Docker platform for Elastic Beanstalk. Elastic Beanstalk uses Amazon Elastic Container Service (Amazon ECS) to coordinate container deployments to multi-container Docker environments. Amazon ECS provides tools to manage a cluster of instances running Docker containers. Elastic Beanstalk takes care of Amazon ECS tasks including cluster creation, task definition, and execution. Please refer to the below AWS documentation:
* https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/create_deploy_docker_ecs.html
NEW QUESTION 26
A DevOps engineer has been tasked with ensuring that all Amazon S3 buckets, except for those with the word "public" in the name, allow access only to authorized users utilizing S3 bucket policies. The security team wants to be notified when a bucket is created without the proper policy and for the policy to be automatically updated.
Which solutions will meet these requirements?
- A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that triggers when a new object is created in a bucket that does not have the word "public" in the name. Target and use an AWS Lambda function to update the PublicAccessBlock configuration. Create an additional notification with the same filter and use Amazon SNS to send an email to the security team.
- B. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that triggers when an S3 bucket is created. Use an AWS Lambda function to determine whether the bucket should be private. If the bucket should be private, update the PublicAccessBlock configuration. Configure a second EventBridge (CloudWatch Events) rule to notify the security team using Amazon SNS when PutBucketPolicy is called.
- C. Create a custom AWS Config rule that will trigger an AWS Lambda function when an S3 bucket is created or updated. Use the Lambda function to look for S3 buckets that should be private, but that do not have a bucket policy that enforces privacy. When such a bucket is found, invoke a remediation action and use Amazon SNS to notify the security team.
- D. Create an Amazon S3 event notification that triggers when an S3 bucket is created that does not have the word "public" in the name. Define an AWS Lambda function as a target for this notification and use the function to apply a new default policy to the S3 bucket. Create an additional notification with the same filter and use Amazon SNS to send an email to the security team.
Answer: D
NEW QUESTION 27
What needs to be done in order to remotely access a Docker daemon running on Linux?
- A. change the encryption level to TLS
- B. add certificate authentication to the docker API
- C. enable the TCP socket
- D. bind the Docker API to a unix socket
Answer: C
Explanation:
The Docker daemon can listen for Docker Remote API requests via three different types of socket: unix, tcp, and fd.
By default, a unix domain socket (or IPC socket) is created at /var/run/docker.sock, requiring either root permission or docker group membership. If you need to access the Docker daemon remotely, you need to enable the tcp socket. Beware that the default setup provides unencrypted and unauthenticated direct access to the Docker daemon, and should be secured either by using the built-in HTTPS encrypted socket or by putting a secure web proxy in front of it.
Reference:
https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option
NEW QUESTION 28
You have a complex system that involves networking, IAM policies, and multiple, three-tier applications.
You are still receiving requirements for the new system, so you don't yet know how many AWS components will be present in the final design.
You want to start using AWS CloudFormation to define these AWS resources so that you can automate and version-control your infrastructure.
How would you use AWS CloudFormation to provide agile new environments for your customers in a cost-effective, reliable manner?
- A. Create multiple separate templates for each logical part of the system, create nested stacks in AWS CloudFormation, and maintain several templates to version-control.
- B. Manually create one template to encompass all the resources that you need for the system, so you only have a single template to version-control.
- C. Manually construct the networking layer using Amazon Virtual Private Cloud (VPC) because this does not change often, and then use AWS CloudFormation to define all other ephemeral resources.
- D. Create multiple separate templates for each logical part of the system, and provide the outputs from one to the next using an Amazon Elastic Compute Cloud (EC2) instance running the SDK for finer granularity of control.
Answer: A
NEW QUESTION 29
A company has developed a Node.js web application which provides REST services to store and retrieve time series data. The web application is built by the Development team on company laptops, tested locally, and manually deployed to a single on-premises server, which accesses a local MySQL database. The company is starting a trial in two weeks, during which the application will undergo frequent updates based on customer feedback. The following requirements must be met:
*The team must be able to reliably build, test, and deploy new updates on a daily basis, without downtime or degraded performance.
*The application must be able to scale to meet an unpredictable number of concurrent users during the trial.
Which action will allow the team to quickly meet these objectives?
- A. Modify the application to use Amazon DynamoDB instead of a local MySQL database. Use AWS OpsWorks to create a stack for the application with a DynamoDB layer, an Application Load Balancer layer, and an Amazon EC2 instance layer. Use a Chef recipe to build the application and a Chef recipe to deploy the application to the EC2 instance layer. Use custom health checks to run unit tests on each instance with rollback on failure.
- B. Develop an AWS CloudFormation template to create an Application Load Balancer and two Amazon EC2 instances with Amazon EBS (SSD) volumes in an Auto Scaling group with rolling updates enabled. Use AWS CodeBuild to build and test the Node.js application and store it in an Amazon S3 bucket. Use user-data scripts to install the application and the MySQL database on each EC2 instance. Update the stack to deploy new application versions.
- C. Create two Amazon Lightsail virtual private servers for Node.js; one for test and one for production. Build the Node.js application using the existing process and upload it to the new Lightsail test server using the AWS CLI. Test the application, and if it passes all tests, upload it to the production server. During the trial, monitor the production server usage, and if needed, increase performance by upgrading the instance type.
- D. Configure AWS Elastic Beanstalk to automatically build the application using AWS CodeBuild and to deploy it to a test environment that is configured to support auto scaling. Create a second Elastic Beanstalk environment for production. Use Amazon RDS to store data. When new versions of the application have passed all tests, use Elastic Beanstalk "swap CNAME" to promote the test environment to production.
Answer: A
NEW QUESTION 30
A company is implementing AWS CodePipeline to automate its testing process. The company wants to be notified when the execution state fails and used the following custom event pattern in Amazon CloudWatch: Which type of events will match this event pattern?
- A. All rejected or failed approval actions across all the pipelines.
- B. Failed deploy and build actions across all the pipelines.
- C. Approval actions across all the pipelines.
- D. All the events across all pipelines.
Answer: A
Explanation:
https://docs.aws.amazon.com/codepipeline/latest/userguide/detect-state-changes-cloudwatch-events.html
NEW QUESTION 31
Your company has a set of EC2 Instances that access data objects stored in an S3 bucket. Your IT Security department is concerned about the security of this architecture and wants you to implement the following:
1) Ensure that the EC2 Instances securely access the data objects stored in the S3 bucket
2) Ensure that the integrity of the objects stored in S3 is maintained.
Which of the following would help fulfil the requirements of the IT Security department? Choose 2 answers from the options given below.
- A. Use an S3 bucket policy that ensures that MFA Delete is set on the objects in the bucket
- B. Create an IAM user and ensure the EC2 Instances use the IAM user credentials to access the data in the bucket.
- C. Use S3 Cross Region replication to replicate the objects so that the integrity of data is maintained.
- D. Create an IAM Role and ensure the EC2 Instances use the IAM Role to access the data in the bucket.
Answer: A,D
Explanation:
The AWS Documentation mentions the following:
IAM roles are designed so that your applications can securely make API requests from your instances, without requiring you to manage the security credentials that the applications use. Instead of creating and distributing your AWS credentials, you can delegate permission to make API requests using IAM roles.
For more information on IAM Roles, please refer to the below link:
* http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
MFA Delete can be used to add another layer of security to S3 Objects to prevent accidental deletion of objects. For more information on MFA Delete, please refer to the below link:
* https://aws.amazon.com/blogs/security/securing-access-to-aws-using-mfa-part-3/
NEW QUESTION 32
A DevOps Engineer manages a large commercial website that runs on Amazon EC2. The website uses Amazon Kinesis Data Streams to collect and process web logs. The Engineer manages the Kinesis consumer application, which also runs on EC2. Spikes of data cause the Kinesis consumer application to fall behind, and the streams drop records before they can be processed. What is the FASTEST method to improve stream handling?
- A. Modify the Kinesis consumer application to store the logs durably in Amazon S3. Use Amazon EMR to process the data directly on S3 to derive customer insights and store the results in S3.
- B. Horizontally scale the Kinesis consumer application by adding more EC2 instances based on the GetRecords.IteratorAgeMilliseconds Amazon CloudWatch metric. Increase the Kinesis Data Streams retention period.
- C. Convert the Kinesis consumer application to run as an AWS Lambda function. Configure the Kinesis Data Streams as the event source for the Lambda function to process the data streams.
- D. Increase the number of shards in the Kinesis Data Streams to increase the overall throughput so that the consumer processes data faster.
Answer: B
NEW QUESTION 33
Management has reported an increase in the monthly bill from Amazon Web Services, and they are extremely concerned with this increased cost. Management has asked you to determine the exact cause of this increase. After reviewing the billing report, you notice an increase in the data transfer cost. How can you provide management with a better insight into data transfer use?
- A. Use Amazon CloudWatch Logs to run a map-reduce on your logs to determine high usage and data transfer.
- B. Update your Amazon CloudWatch metrics to use five-second granularity, which will give better detailed metrics that can be combined with your billing data to pinpoint anomalies.
- C. Deliver custom metrics to Amazon CloudWatch per application that breaks down application data transfer into multiple, more specific data points.
- D. Using Amazon CloudWatch metrics, pull your Elastic Load Balancing outbound data transfer metrics monthly, and include them with your billing report to show which application is causing higher bandwidth usage.
Answer: C
Explanation:
You can publish your own metrics to CloudWatch using the AWS CLI or an API. You can view statistical graphs of your published metrics with the AWS Management Console. CloudWatch stores data about a metric as a series of data points. Each data point has an associated time stamp. You can even publish an aggregated set of data points called a statistic set. If you have custom metrics specific to your application, you can give a breakdown to the management on the exact issue.
Option A won't be sufficient to provide better insights. Option B is an overhead when you can make the application publish custom metrics. Option D is invalid because the ELB metrics alone will not give the entire picture.
For more information on custom metrics, please refer to the below AWS document link:
http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/publishingMetrics.html
NEW QUESTION 34
You have an application running on an Amazon EC2 instance and you are using IAM roles to securely access AWS Service APIs. How can you configure your application running on that instance to retrieve the API keys for use with the AWS SDKs?
- A. Within your application code, make a GET request to the IAM Service API to retrieve credentials for your user.
- B. When assigning an EC2 IAM role to your instance in the console, in the "Chosen SDK" drop-down list, select the SDK that you are using, and the instance will configure the correct SDK on launch with the API keys.
- C. When using AWS SDKs and Amazon EC2 roles, you do not have to explicitly retrieve API keys, because the SDK handles retrieving them from the Amazon EC2 MetaData service.
- D. Within your application code, configure the AWS SDK to get the API keys from environment variables, because assigning an Amazon EC2 role stores keys in environment variables on launch.
Answer: C
Explanation:
IAM roles are designed so that your applications can securely make API requests from your instances, without requiring you to manage the security credentials that the applications use. Instead of creating and distributing your AWS credentials, you can delegate permission to make API requests using IAM roles.
For more information on Roles for EC2, please refer to the below link:
* http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
NEW QUESTION 35
A DevOps Engineer needs to deploy a scalable three-tier Node.js application in AWS. The application must have zero downtime during deployments and be able to roll back to previous versions. Other applications will also connect to the same MySQL backend database.
The CIO has provided the following guidance for logging:
*Centrally view all current web access server logs.
*Search and filter web and application logs in near-real time.
*Retain log data for three months.
How should these requirements be met?
- A. Deploy the application on Amazon EC2. Configure Elastic Load Balancing and Auto Scaling. Use an Amazon RDS MySQL instance for the database tier. Configure the application to load streaming log data using Amazon Kinesis Data Firehose into Amazon ES. Delete and create a new Amazon ES domain every 90 days.
- B. Deploy the application on Amazon EC2. Configure Elastic Load Balancing and Auto Scaling. Use an Amazon RDS MySQL instance for the database tier. Configure the application to store log files in Amazon S3. Use Amazon EMR to search and filter the data. Set an Amazon S3 lifecycle rule to expire objects after 90 days.
- C. Deploy the application using AWS Elastic Beanstalk. Configure the environment type for Elastic Load Balancing and Auto Scaling. Create the Amazon RDS MySQL instance outside the Elastic Beanstalk stack. Configure the Elastic Beanstalk log options to stream logs to Amazon CloudWatch Logs. Set retention to 90 days.
- D. Deploy the application using AWS Elastic Beanstalk. Configure the environment type for Elastic Load Balancing and Auto Scaling. Create an Amazon RDS MySQL instance inside the Elastic Beanstalk stack. Configure the Elastic Beanstalk log options to stream logs to Amazon CloudWatch Logs. Set retention to 90 days.
Answer: B
Explanation:
https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-debugging.html
NEW QUESTION 36
A DevOps engineer is deploying a new version of a company's application in an AWS CodeDeploy deployment group associated with its Amazon EC2 instances. After some time, the deployment fails. The engineer realizes that all the events associated with the specific deployment ID are in a Skipped status, and code was not deployed in the instances associated with the deployment group.
What are valid reasons for this failure? (Select TWO.)
- A. An instance profile with proper permissions was not attached to the target EC2 instances.
- B. The appspec.yml file was not included in the application revision.
- C. The IAM user who triggered the application deployment does not have permission to interact with the CodeDeploy endpoint.
- D. The networking configuration does not allow the EC2 instances to reach the internet via a NAT gateway or internet gateway, and the CodeDeploy endpoint cannot be reached.
- E. The target EC2 instances were not properly registered with the CodeDeploy endpoint.
Answer: A,C
NEW QUESTION 37
For auditing, analytics, and troubleshooting purposes, a DevOps Engineer for a data analytics application needs to collect all of the application and Linux system logs from the Amazon EC2 instances before termination. The company, on average, runs 10,000 instances in an Auto Scaling group. The company requires the ability to quickly find logs based on instance IDs and date ranges.
Which is the MOST cost-effective solution?
- A. Create an EC2 Instance-terminate Lifecycle Action on the group, push the logs into Amazon Kinesis Data Firehose, and select Amazon ES as the destination for providing storage and search capability.
- B. Create an EC2 Instance-terminate Lifecycle Action on the group, write a termination script for pushing logs into Amazon S3, and trigger an AWS Lambda function based on S3 PUT to create a catalog of log files in an Amazon DynamoDB table with the primary key being Instance ID and sort key being Instance Termination Date.
- C. Create an EC2 Instance-terminate Lifecycle Action on the group, create an Amazon CloudWatch Events rule based on it to trigger an AWS Lambda function for storing the logs in Amazon S3, and create a catalog of log files in an Amazon DynamoDB table with the primary key being Instance ID and sort key being Instance Termination Date.
- D. Create an EC2 Instance-terminate Lifecycle Action on the group, write a termination script for pushing logs into Amazon CloudWatch Logs, create a CloudWatch Events rule to trigger an AWS Lambda function to create a catalog of log files in an Amazon DynamoDB table with the primary key being Instance ID and sort key being Instance Termination Date.
Answer: C
Explanation:
Using an Amazon CloudWatch Events rule is preferable to writing a termination script.
NEW QUESTION 38
You need to perform ad-hoc analysis on log data, including searching quickly for specific error codes and reference numbers. Which should you evaluate first?
- A. AWS EMR
- B. AWS DynamoDB
- C. AWS Redshift
- D. AWS Elasticsearch Service
Answer: D
Explanation:
Amazon Elasticsearch Service makes it easy to deploy, operate, and scale Elasticsearch for log analytics, full text search, application monitoring, and more. Amazon Elasticsearch Service is a fully managed service that delivers Elasticsearch's easy-to-use APIs and real-time capabilities along with the availability, scalability, and security required by production workloads. The service offers built-in integrations with Kibana, Logstash, and AWS services including Amazon Kinesis Firehose, AWS Lambda, and Amazon CloudWatch so that you can go from raw data to actionable insights quickly. For more information on Amazon Elasticsearch Service, please refer to the below link:
* https://aws.amazon.com/elasticsearch-service/
NEW QUESTION 39
An Application team has three environments for their application: development, pre-production, and production. The team recently adopted AWS CodePipeline. However, the team has had several deployments of misconfigured or nonfunctional development code into the production environment, resulting in user disruption and downtime. The DevOps Engineer must review the pipeline and add steps to identify problems with the application before it is deployed.
What should the Engineer do to identify functional issues during the deployment process?
(Choose two.)
- A. Add an AWS CodeDeploy action in the pipeline to deploy the latest version of the development code to pre-production. Add a manual approval action in the pipeline so that the QA team can test and confirm the expected functionality. After the manual approval action, add a second CodeDeploy action that deploys the approved code to the production environment.
- B. Create an AWS CodeDeploy action in the pipeline with a deployment configuration that automatically deploys the application code to a limited number of instances. The action then pauses the deployment so that the QA team can review the application functionality. When the review is complete, CodeDeploy resumes and deploys the application to the remaining production Amazon EC2 instances.
- C. Use AWS CodeBuild to add a test action to the pipeline to replicate common user activities and ensure that the results are as expected before progressing to production deployment.
- D. After the deployment process is complete, run a testing activity on an Amazon EC2 instance in a different region that accesses the application to simulate user behavior. If unexpected results occur, the testing activity sends a warning to an Amazon SNS topic. Subscribe to the topic to get updates.
- E. Use Amazon Inspector to add a test action to the pipeline. Use the Amazon Inspector Runtime Behavior Analysis Inspector rules package to check that the deployed code complies with company security standards before deploying it to production.
Answer: A,E
NEW QUESTION 40
Your company releases new features with high frequency while demanding high application availability.
As part of the application's A/B testing, logs from each updated Amazon EC2 instance of the application need to be analyzed in near real-time, to ensure that the application is working flawlessly after each deployment. If the logs show any anomalous behavior, then the application version of the instance is changed to a more stable one.
Which of the following methods should you use for shipping and analyzing the logs in a highly available manner?
- A. Ship the logs to Amazon S3 for durability and use Amazon EMR to analyze the logs in a batch manner each hour.
- B. Ship the logs to Amazon CloudWatch Logs and use Amazon EMR to analyze the logs in a batch manner each hour.
- C. Ship the logs to a large Amazon EC2 instance and analyze the logs in a live manner.
- D. Store the logs locally on each instance and then have an Amazon Kinesis stream pull the logs for live analysis.
- E. Ship the logs to an Amazon Kinesis stream and have the consumers analyze the logs in a live manner.
Answer: E
NEW QUESTION 41
You are in charge of creating a CloudFormation template that will be used to spin up resources on demand for your DevOps team. The requirement is that this CloudFormation template should be able to spin up resources in different regions. Which of the following aspects of CloudFormation templates can help you design the template to spin up resources based on the region?
- A. Use the parameters section in the CloudFormation template, so that based on the relevant region, the relevant resource can be spun up.
- B. Use the mappings section in the CloudFormation template, so that based on the relevant region, the relevant resource can be spun up.
- C. Use the outputs section in the CloudFormation template, so that based on the relevant region, the relevant resource can be spun up.
- D. Use the metadata section in the CloudFormation template, so that based on the relevant region, the relevant resource can be spun up.
Answer: B
Explanation:
The AWS Documentation mentions:
The optional Mappings section matches a key to a corresponding set of named values. For example, if you want to set values based on a region, you can create a mapping that uses the region name as a key and contains the values you want to specify for each specific region. You use the Fn::FindInMap intrinsic function to retrieve values in a map.
For more information on mappings please refer to the below link:
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/mappings-section-structure.html
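A minimal template showing the region-keyed Mappings section and Fn::FindInMap lookup described above; this is an added example, not code from the page or from AWS documentation, and the AMI IDs, the RegionMap/EnvMap names and the Environment parameter are constructed placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Launch an EC2 instance with a region-specific AMI chosen via Mappings

Parameters:
  # Deployment environment; used below as a second-level Mappings key.
  Environment:
    Type: String
    AllowedValues: [dev, prod]
    Default: dev

Mappings:
  # Top-level key: region name. Second-level key: the value name.
  # The AMI IDs are placeholders, not real images; AMI IDs differ per region,
  # which is exactly why they are looked up rather than hard-coded.
  RegionMap:
    us-east-1:
      AMI: ami-0123456789abcdef0   # placeholder
    eu-west-1:
      AMI: ami-0fedcba9876543210   # placeholder
  # A second map keyed by the Environment parameter shows that Mappings
  # and Parameters complement each other rather than compete.
  EnvMap:
    dev:
      InstanceType: t3.micro
    prod:
      InstanceType: t3.large

Resources:
  AppInstance:
    Type: AWS::EC2::Instance
    Properties:
      # AWS::Region is a pseudo parameter resolved at stack creation time,
      # so the same template picks the right AMI in whichever region it runs.
      ImageId: !FindInMap [RegionMap, !Ref "AWS::Region", AMI]
      InstanceType: !FindInMap [EnvMap, !Ref Environment, InstanceType]
```

Deploying the same template in a region that has no RegionMap entry fails at stack creation with a missing-key error, so every target region must be listed in the map.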
NEW QUESTION 42
A DevOps engineer has been tasked with ensuring that all Amazon S3 buckets, except for those with the word "public" in the name, allow access only to authorized users utilizing S3 bucket policies. The security team wants to be notified when a bucket is created without the proper policy and for the policy to be automatically updated.
Which solutions will meet these requirements?
- A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that triggers when a new object is created in a bucket that does not have the word "public" in the name. Target and use an AWS Lambda function to update the PublicAccessBlock configuration. Create an additional notification with the same filter and use Amazon SNS to send an email to the security team.
- B. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that triggers when an S3 bucket is created. Use an AWS Lambda function to determine whether the bucket should be private. If the bucket should be private, update the PublicAccessBlock configuration. Configure a second EventBridge (CloudWatch Events) rule to notify the security team using Amazon SNS when PutBucketPolicy is called.
- C. Create a custom AWS Config rule that will trigger an AWS Lambda function when an S3 bucket is created or updated. Use the Lambda function to look for S3 buckets that should be private, but that do not have a bucket policy that enforces privacy. When such a bucket is found, invoke a remediation action and use Amazon SNS to notify the security team.
- D. Create an Amazon S3 event notification that triggers when an S3 bucket is created that does not have the word "public" in the name. Define an AWS Lambda function as a target for this notification and use the function to apply a new default policy to the S3 bucket. Create an additional notification with the same filter and use Amazon SNS to send an email to the security team.
Answer: C
NEW QUESTION 43
A user is creating a new EBS volume from an existing snapshot.
The snapshot size shows 10 GB. Can the user create a volume of 30 GB from that snapshot?
- A. No
- B. Yes
- C. Provided the original volume has set the change size attribute to true
- D. Provided the snapshot has the modify size attribute set as true
Answer: B
Explanation:
A user can always create a new EBS volume of a higher size than the original snapshot size. The user cannot create a volume of a lower size. When the new volume is created the size in the instance will be shown as the original size. The user needs to change the size of the device with resize2fs or other OS specific commands.
NEW QUESTION 44
Your CTO thinks your AWS account was hacked. What is the only way to know for certain if there was unauthorized access and what they did, assuming your hackers are very sophisticated AWS engineers and doing everything they can to cover their tracks?
- A. Use CloudTrail backed up to AWS S3 and Glacier.
- B. Use AWS Config Timeline forensics.
- C. Use AWS Config SNS Subscriptions and process events in real time.
- D. Use CloudTrail Log File Integrity Validation.
Answer: D
Explanation:
You must use CloudTrail Log File Validation (default or custom implementation), as any other tracking method is subject to forgery in the event of a full account compromise by sophisticated enough hackers. Validated log files are invaluable in security and forensic investigations. For example, a validated log file enables you to assert positively that the log file itself has not changed, or that particular user credentials performed specific API activity. The CloudTrail log file integrity validation process also lets you know if a log file has been deleted or changed, or assert positively that no log files were delivered to your account during a given period of time.
Reference:
http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html
NEW QUESTION 45
......
AWS DevOps Engineer Professional Exam format below
- Format: Multiple choice, multiple answer
- Length of Examination: 180 minutes
- Passing score: 750
- Language: English
Exam Questions for AWS-DevOps-Engineer-Professional Updated Versions With Test Engine: https://troytec.itpassleader.com/Amazon/AWS-DevOps-Engineer-Professional-dumps-pass-exam.html