A company has a new AWS account that teams will use to deploy various applications. The teams will create many Amazon S3 buckets for application- specific purposes and to store AWS CloudTrail logs. The company has enabled Amazon Macie for the account. A DevOps engineer needs to optimize the Macie costs for the account without compromising the account's functionality. Which solutions will meet these requirements? (Select TWO.)
A. Exclude S3 buckets that contain CloudTrail logs from automated discovery.
B. Exclude S3 buckets that have public read access from automated discovery.
C. Configure scheduled daily discovery jobs for all S3 buckets in the account.
D. Configure discovery jobs to include S3 objects based on the last modified criterion.
E. Configure discovery jobs to include S3 objects that are tagged as production only.
A company hired a penetration tester to simulate an internal security breach The tester performed port scans on the company's Amazon EC2 instances. The company's security measures did not detect the port scans. The company needs a solution that automatically provides notification when port scans are performed on EC2 instances. The company creates and subscribes to an Amazon Simple Notification Service (Amazon SNS) topic. What should the company do next to meet the requirement?
A. Ensure that Amazon GuardDuty is enabled Create an Amazon CloudWatch alarm fordetected EC2 and port scan findings. Connect the alarm to the SNS topic.
B. Ensure that Amazon Inspector is enabled Create an Amazon EventBridge event fordetected network reachability findings that indicate port scans Connect the event to theSNS topic.
C. Ensure that Amazon Inspector is enabled. Create an Amazon EventBridge event fordetected CVEs that cause open port vulnerabilities. Connect the event to the SNS topic
D. Ensure that AWS CloudTrail is enabled Create an AWS Lambda function to analyze theCloudTrail logs for unusual amounts of traffic from an IP address range Connect theLambda function to the SNS topic.
A company is developing a web application's infrastructure using AWS CloudFormation The database engineering team maintains the database resources in a Cloud Formation template, and the software development team maintains the web application resources in a separate CloudFormation template. As the scope of the application grows, the software development team needs to use resources maintained by the database engineering team However, both teams have their own review and lifecycle management processes that they want to keep. Both teams also require resource-level change-set reviews. The software development team would like to deploy changes to this template using their Cl/CD pipeline. Which solution will meet these requirements?
A. Create a stack export from the database CloudFormation template and import thosereferences into the web application CloudFormation template
B. Create a CloudFormation nested stack to make cross-stack resource references andparameters available in both stacks.
C. Create a CloudFormation stack set to make cross-stack resource references andparameters available in both stacks.
D. Create input parameters in the web application CloudFormation template and passresource names and IDs from the database stack.
A company wants to use AWS Systems Manager documents to bootstrap physical laptops for developers The bootstrap code Is stored in GitHub A DevOps engineer has already created a Systems Manager activation, installed the Systems Manager agent with the registration code, and installed an activation ID on all the laptops. Which set of steps should be taken next?
A. Configure the Systems Manager document to use the AWS-RunShellScnpt command tocopy the files from GitHub to Amazon S3, then use the aws-downloadContent plugin with asourceType of S3
B. Configure the Systems Manager document to use the aws-configurePackage plugin withan install action and point to the Git repository
C. Configure the Systems Manager document to use the aws-downloadContent plugin witha sourceType of GitHub and sourcelnfo with the repository details.
D. Configure the Systems Manager document to use the aws:softwarelnventory plugin andrun the script from the Git repository
A company has a mission-critical application on AWS that uses automatic scaling The company wants the deployment lilecycle to meet the following parameters. • The application must be deployed one instance at a time to ensure the remaining fleet continues to serve traffic • The application is CPU intensive and must be closely monitored • The deployment must automatically roll back if the CPU utilization of the deployment instance exceeds 85%. Which solution will meet these requirements?
A. Use AWS CloudFormalion to create an AWS Step Functions state machine and AutoScaling hfecycle hooks to move to one instance at a time into a wait state Use AWSSystems Manager automation to deploy the update to each instance and move it back intothe Auto Scaling group using the heartbeat timeout
B. Use AWS CodeDeploy with Amazon EC2 Auto Scaling. Configure an alarm tied to theCPU utilization metric. Use the CodeDeployDefault OneAtAtime configuration as adeployment strategy Configure automatic rollbacks within the deployment group to roll backthe deployment if the alarm thresholds are breached
C. Use AWS Elastic Beanstalk for load balancing and AWS Auto Scaling Configure analarm tied to the CPU utilization metric Configure rolling deployments with a fixed batchsize of one instance Enable enhanced health to monitor the status of the deployment androll back based on the alarm previously created.
D. Use AWS Systems Manager to perform a blue/green deployment with Amazon EC2Auto Scaling Configure an alarm tied to the CPU utilization metric Deploy updates one at atime Configure automatic rollbacks within the Auto Scaling group to roll back thedeployment if the alarm thresholds are breached
A company has 20 service learns Each service team is responsible for its own microservice. Each service team uses a separate AWS account for its microservice and a VPC with the 192 168 0 0/22 CIDR block. The company manages the AWS accounts with AWS Organizations. Each service team hosts its microservice on multiple Amazon EC2 instances behind an Application Load Balancer. The microservices communicate with each other across the public internet. The company's security team has issued a new guideline that all communication between microservices must use HTTPS over private network connections and cannot traverse the public internet. A DevOps engineer must implement a solution that fulfills these obligations and minimizes the number of changes for each service team. Which solution will meet these requirements?
A. Create a new AWS account in AWS Organizations Create a VPC in this account anduse AWS Resource Access Manager to share the private subnets of this VPC with theorganization Instruct the service teams to launch a new. Network Load Balancer (NLB) and EC2 instances that use the shared private subnets Use the NLB DNS names forcommunication between microservices.
B. Create a Network Load Balancer (NLB) in each of the microservice VPCs Use AWSPrivateLink to create VPC endpoints in each AWS account for the NLBs Createsubscriptions to each VPC endpoint in each of the other AWS accounts Use the VPCendpoint DNS names for communication between microservices.
C. Create a Network Load Balancer (NLB) in each of the microservice VPCs Create VPCpeering connections between each of the microservice VPCs Update the route tables foreach VPC to use the peering links Use the NLB DNS names for communication betweenmicroservices.
D. Create a new AWS account in AWS Organizations Create a transit gateway in thisaccount and use AWS Resource Access Manager to share the transit gateway with theorganization. In each of the microservice VPCs. create a transit gateway attachment to theshared transit gateway Update the route tables of each VPC to use the transit gatewayCreate a Network Load Balancer (NLB) in each of the microservice VPCs Use the NLBDNS names for communication between microservices.
A security team is concerned that a developer can unintentionally attach an Elastic IP address to an Amazon EC2 instance in production. No developer should be allowed to attach an Elastic IP address to an instance. The security team must be notified if any production server has an Elastic IP address at any time How can this task be automated'?
A. Use Amazon Athena to query AWS CloudTrail logs to check for any associate-addressattempts Create an AWS Lambda function to disassociate the Elastic IP address from theinstance, and alert the security team.
B. Attach an 1AM policy to the developers' 1AM group to deny associate-addresspermissions Create a custom AWS Config rule to check whether an Elastic IP address isassociated with any instance tagged as production, and alert the security team
C. Ensure that all 1AM groups associated with developers do not have associate-address permissions. Create a scheduled AWS Lambda function to check whether an Elastic IPaddress is associated with any instance tagged as production, and alert the secunty team ifan instance has an Elastic IP address associated with it
D. Create an AWS Config rule to check that all production instances have EC2 1AM rolesthat include deny associate-address permissions Verify whether there is an Elastic IPaddress associated with any instance, and alert the security team if an instance has anElastic IP address associated with it.
A company is using AWS CodePipeline to deploy an application. According to a new guideline, a member of the company's security team must sign off on any application changes before the changes are deployed into production. The approval must be recorded and retained. Which combination of actions will meet these requirements? (Select TWO.)
A. Configure CodePipeline to write actions to Amazon CloudWatch Logs.
B. Configure CodePipeline to write actions to an Amazon S3 bucket at the end of eachpipeline stage.
C. Create an AWS CloudTrail trail to deliver logs to Amazon S3.
D. Create a CodePipeline custom action to invoke an AWS Lambda function for approval.Create a policy that gives the security team access to manage CodePipeline customactions.
E. Create a CodePipeline manual approval action before the deployment step. Create apolicy that grants the security team access to approve manual approval stages.
A company has an AWS CodeDeploy application. The application has a deployment group that uses a single tag group to identify instances for the deployment of ApplicationA. The single tag group configuration identifies instances that have Environment=Production and Name=ApplicattonA tags for the deployment of ApplicationA. The company launches an additional Amazon EC2 instance with Department=Marketing Environment^Production. and Name=ApplicationB tags. On the next CodeDeploy deployment of ApplicationA. the additional instance has ApplicationA installed on it. A DevOps engineer needs to configure the existing deployment group to prevent ApplicationA from being installed on the additional instance Which solution will meet these requirements?
A. Change the current single tag group to include only the Environment=Production tagAdd another single tag group that includes only the Name=ApplicationA tag.
B. Change the current single tag group to include the Department=MarketmgEnvironment=Production and Name=ApplicationAtags
C. Add another single tag group that includes only the Department=Marketing tag. Keepthe Environment=Production and Name=ApplicationA tags with the current single tag group
D. Change the current single tag group to include only the Environment=Production tagAdd another single tag group that includes only the Department=Marketing tag
A company uses an organization in AWS Organizations to manage its AWS accounts. The company recently acquired another company that has standalone AWS accounts. The acquiring company's DevOps team needs to consolidate the administration of the AWS accounts for both companies and retain full administrative control of the accounts. The DevOps team also needs to collect and group findings across all the accounts to implement and maintain a security posture. Which combination of steps should the DevOps team take to meet these requirements? (Select TWO.)
A. Invite the acquired company's AWS accounts to join the organization. Create an SCPthat has full administrative privileges. Attach the SCP to the management account.
B. Invite the acquired company's AWS accounts to join the organization. Create theOrganizationAccountAccessRole 1AM role in the invited accounts. Grant permission to themanagement account to assume the role.
C. Use AWS Security Hub to collect and group findings across all accounts. Use SecurityHub to automatically detect new accounts as the accounts are added to the organization.
D. Use AWS Firewall Manager to collect and group findings across all accounts. Enable allfeatures for the organization. Designate an account in the organization as the delegatedadministrator account for Firewall Manager.
E. Use Amazon Inspector to collect and group findings across all accounts. Designate anaccount in the organization as the delegated administrator account for Amazon Inspector.