Version:21.0
Question:1
Torunanapplication,aDevOpsEngineerlaunchesanAmazonEC2instanceswithpublicIPaddressesin apublicsubnet.Auserdatascriptobtainstheapplicationartifactsandinstallsthemontheinstances uponlaunch.Achangetothesecurityclassificationoftheapplicationnowrequirestheinstancestorun withnoaccesstotheInternet.Whiletheinstanceslaunchsuccessfullyandshowashealthy,the applicationdoesnotseemtobeinstalled.
Whichofthefollowingshouldsuccessfullyinstalltheapplicationwhilecomplyingwiththenewrule?
A. LaunchtheinstancesinapublicsubnetwithElasticIPaddressesattached. Oncetheapplicationis installedandrunning,runascripttodisassociatetheElasticIPaddressesafterwards.
B.SetupaNATgateway.DeploytheEC2instancestoaprivatesubnet.Updatetheprivatesubnet'sroute tabletousetheNATgatewayasthedefaultroute.
C.PublishtheapplicationartifactstoanAmazonS3bucketandcreateaVPCendpointforS3.Assignan IAMinstanceprofiletotheEC2instancessotheycanreadtheapplicationartifactsfromtheS3bucket.
D.Createasecuritygroupfortheapplicationinstancesandwhitelistonlyoutboundtraffictotheartifact repository.Removethesecuritygroupruleoncetheinstalliscomplete.
Answer:C
Explanation:
EC2instancesrunninginprivatesubnetsofaVPCcannowhavecontrolledaccesstoS3buckets,objects, andAPI functionsthatareinthesameregionastheVPC.YoucanuseanS3bucketpolicytoindicate which VPCs and which VPC Endpoints have access to your S3 buckets 1https://aws.amazon.com/pt/blogs/aws/new-vpc-endpoint-for-amazon-s3/
Question:2
AnITdepartmentmanagesaportfoliowithWindowsandLinux(AmazonandRedHatEnterpriseLinux) serversbothon-premisesandonAWS.AnauditrevealsthatthereisnoprocessforupdatingOSandcore application patches, and that the servers have inconsistent patch levels. Whichof thefollowingprovides theMOSTreliableandconsistent mechanismfor updatingand maintainingallserversattherecentOSandcoreapplicationpatchlevels?
A. Install AWSSystemsManageragentonall on-premisesandAWSservers. CreateSystemsManager ResourceGroups. UseSystemsManagerPatchManagerwithapreconfiguredpatchbaselinetorun scheduledpatchupdatesduringmaintenancewindows.
B.InstalltheAWSOpsWorksagentonallon-premisesandAWSservers.CreateanOpsWorksstackwith
separatelayersforeachoperatingsystem,andgetarecipefromtheChefsupermarkettorunthepatch commandsforeachlayerduringmaintenancewindows.
C.UseashellscripttoinstallthelatestOSpatchesontheLinuxserversusingyumandscheduleittorun automaticallyusingcron.UseWindowsUpdatetoautomaticallypatchWindowsservers.
D.UseAWSSystemsManagerParameterStoretosecurelystorecredentialsforeachLinuxandWindows server.CreateSystemsManagerResourceGroups.UsetheSystemsManagerRunCommandtoremotely deploypatchupdatesusingthecredentialsinSystemsManagerParameterStore
Answer:A
Explanation:
1- https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-patch-patchgroups.html
2-https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html
Question:3
AcompanyissettingupacentralizedloggingsolutiononAWSandhasseveral requirements. The companywantsitsAmazonCloudWatchLogsandVPCFlowlogstocomefromdifferentsubaccountsand tobedeliveredtoasingleauditingaccount.However,thenumberofsubaccountskeepschanging.The company alsoneeds toindex the logs in the auditing account togather actionable insight. HowshouldaDevOpsEngineerimplementthesolutiontomeetallofthecompany'srequirements?
A.UseAWSLambdatowritelogstoAmazonESintheauditingaccount.CreateanAmazonCloudWatch subscriptionfilteranduseAmazonKinesisDataStreamsinthesubaccountstostreamthelogstothe Lambdafunctiondeployedintheauditingaccount.
B.UseAmazonKinesisStreamstowritelogstoAmazonESintheauditingaccount.CreateaCloudWatch subscriptionfilteranduseKinesisDataStreamsinthesubaccountstostreamthelogstotheKinesis streamintheauditingaccount.
C. UseAmazonKinesisFirehosewithKinesisDataStreamstowritelogstoAmazonESintheauditing account. CreateaCloudWatchsubscriptionfilterandstreamlogsfromsubaccountstotheKinesis streamintheauditingaccount.
D. UseAWSLambdatowritelogs toAmazonESintheauditingaccount. CreateaCloudWatch subscriptionfilteranduseLambdainthesubaccountstostreamthelogstotheLambdafunction deployedintheauditingaccount.
Answer:C
Explanation:
https://aws.amazon.com/pt/blogs/architecture/central-logging-in-multi-account-environments/
Question:4
Acompanywantstouseagridsystemforaproprietaryenterprisein-memorydatastoreontopofAWS. This system can run in multiple server nodes in any Linux-baseddistribution.Thesystemmustbeabletoreconfiguretheentireclustereverytimeanodeis addedor removed. Whenaddingor removingnodes, an/ etc./cluster/nodes.configfilemust be
updated, listing the IP addresses of the current node members of that cluster The company wants to automate the task of adding new nodes to a cluster. WhatcanaDevOpsEngineerdotomeettheserequirements?
A. UseAWSOpsWorksStackstolayer theserver nodesof that cluster. CreateaChef recipethat populatesthecontentofthe/etc/cluster/nodes.configfileandrestartstheservicebyusingthecurrent membersofthelayer.AssignthatrecipetotheConfigurelifecycleevent.
B.Putthefilenodes.configinversioncontrol.CreateanAWSCodeDeploydeploymentconfigurationand deploymentgroupbasedonanAmazonEC2tagvaluefortheclusternodes.Whenaddinganewnodeto thecluster,updatethefilewithalltaggedinstances,andmakeacommitinversioncontrol.Deploythe newfileandrestarttheservices.
C. CreateanAmazonS3bucketanduploadaversionof theetc/cluster/nodes.configfile. Createa crontabscriptthatwill pollforthatS3fileanddownloaditfrequently.Useaprocessmanager,suchas Monitorsystemd,torestarttheclusterserviceswhenitdetectsthatthenewfilewasmodified.When addinganodetothecluster,editthefile'smostrecentmembers.UploadthenewfiletotheS3bucket.
D. Createauserdatascriptthatlistsall membersof thecurrentsecuritygroupof theclusterand automaticallyupdatesthe/etc/cluster/nodes.configfilewheneveranewinstanceisaddedtothecluster
Answer:A
Explanation:
https://docs.aws.amazon.com/opsworks/latest/userguide/workingcookbook-events.html
Question:5
Acompanyhasestablishedtaggingandconfigurationstandardsforitsinfrastructureresourcesrunning onAWS.ADevOpsEngineerisdevelopingadesignthatwillprovideanear-real-timedashboardofthe compliance posture with the ability to highlight violations. Whichapproachmeetsthestatedrequirements?
A. DefinetheresourceconfigurationsinAWSServiceCatalog, andmonitortheAWSServiceCatalog complianceandviolationsinAmazonCloudWatch.Then,setupandsharealiveCloudWatchdashboard. SetupAmazonSNSnotificationsforviolationsandcorrections.
B.UseAWSConfigtorecordconfigurationchangesandoutputthedatatoanAmazonS3bucket.Create anAmazonQuickSightanalysisof thedataset, andusetheinformationondashboardsandmobile devices.
C.Createaresourcegroupthatdisplaysresourceswiththespecifiedtagsandthosewithouttags. Use theAWSManagementConsoletoviewcompliantandnon-compliantresources.
D.DefinethecomplianceandtaggingrequirementsinAmazoninspector.OutputtheresultstoAmazon CloudWatchLogs.Buildametricfiltertoisolatethemonitoredelementsofinterestandpresentthedata inaCloudWatchdashboard.
Answer:B
Explanation:
https://aws.amazon.com/about-aws/whats-new/2019/03/aws-config-now-supports-tagging-of-awsconfig-resources/
