Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 8 discussion

A company’s security team requires that all external Application Load Balancers (ALBs) and Amazon API Gateway APIs are associated with AWS WAF web ACLs. The company has hundreds of AWS accounts, all of which are included in a single organization in AWS Organizations. The company has configured AWS Config for the organization. During an audit, the company finds some externally facing ALBs that are not associated with AWS WAF web ACLs.
Which combination of steps should a DevOps engineer take to prevent future violations? (Choose two.)

  • A. Delegate AWS Firewall Manager to a security account.
  • B. Delegate Amazon GuardDuty to a security account.
  • C. Create an AWS Firewall Manager policy to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.
  • D. Create an Amazon GuardDuty policy to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.
  • E. Configure an AWS Config managed rule to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.
Suggested Answer: AC
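As an added example (not part of the original question or any of the comments), the two chosen steps in code: a check that reproduces the audit finding over a constructed ALB inventory, and the request body a delegated Firewall Manager administrator (step A) would submit with `fms:PutPolicy` so that new ALBs and API Gateway stages get a web ACL automatically (step C). The inventory records and the choice of the `AWSManagedRulesCommonRuleSet` rule group are assumptions; the field names follow the Firewall Manager `PutPolicy` API for WAFV2 policies.

```python
import json

# Constructed audit inventory (not real resources): one record per ALB with
# the web ACL ARN that AWS WAF reports as associated, or None if there is none.
INVENTORY = [
    {"arn": "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/shop/aaa",
     "scheme": "internet-facing",
     "web_acl_arn": "arn:aws:wafv2:us-east-1:111111111111:regional/webacl/shop/bbb"},
    {"arn": "arn:aws:elasticloadbalancing:us-east-1:222222222222:loadbalancer/app/portal/ccc",
     "scheme": "internet-facing", "web_acl_arn": None},
    {"arn": "arn:aws:elasticloadbalancing:us-east-1:222222222222:loadbalancer/app/backend/ddd",
     "scheme": "internal", "web_acl_arn": None},
]


def unprotected_external_albs(inventory):
    """ARNs of internet-facing ALBs with no WAF web ACL: the audit finding in the
    question. Internal ALBs are outside the requirement and are skipped."""
    return [r["arn"] for r in inventory
            if r["scheme"] == "internet-facing" and not r.get("web_acl_arn")]


def fms_waf_policy(policy_name):
    """Request body for fms:PutPolicy. Firewall Manager creates a web ACL in each
    in-scope account and associates it with every matching ALB and API Gateway
    stage; RemediationEnabled applies this to new and existing resources instead
    of only reporting them as noncompliant."""
    managed_service_data = {
        "type": "WAFV2",
        "preProcessRuleGroups": [{  # assumption: one AWS managed rule group
            "ruleGroupType": "ManagedRuleGroup",
            "managedRuleGroupIdentifier": {"vendorName": "AWS", "version": None,
                                           "managedRuleGroupName": "AWSManagedRulesCommonRuleSet"},
            "overrideAction": {"type": "NONE"}, "ruleGroupArn": None, "excludeRules": [],
        }],
        "postProcessRuleGroups": [],
        "defaultAction": {"type": "ALLOW"},
        "overrideCustomerWebACLAssociation": False,
    }
    return {"Policy": {
        "PolicyName": policy_name,
        "SecurityServicePolicyData": {"Type": "WAFV2",
                                      "ManagedServiceData": json.dumps(managed_service_data)},
        "ResourceType": "ResourceTypeList",  # required when listing several types
        "ResourceTypeList": ["AWS::ElasticLoadBalancingV2::LoadBalancer",
                             "AWS::ApiGateway::Stage"],
        "ExcludeResourceTags": False,
        "RemediationEnabled": True,
    }}
```

The same inventory check can be run against AWS Config's recorded ALB and WAF association items, but Config alone only reports the gap; the Firewall Manager policy is what closes it.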

Comments

ataince
Highly Voted 1 year, 7 months ago
Selected Answer: AC
If you see WAF, you have to think AWS Firewall Manager.
upvoted 12 times
alce2020
Highly Voted 2 years ago
A and C
upvoted 10 times
ele
Most Recent 7 months, 1 week ago
Selected Answer: AC
If instead you want to automatically apply the policy to existing in-scope resources, choose Auto remediate any noncompliant resources. This option creates a web ACL in each applicable account within the AWS organization and associates the web ACL with the resources in the accounts. When you choose Auto remediate any noncompliant resources, you can also choose to remove existing web ACL associations from in-scope resources, for the web ACLs that aren't managed by another active Firewall Manager policy. If you choose this option, Firewall Manager first associates the policy's web ACL with the resources, and then removes the prior associations. If a resource has an association with another web ACL that's managed by a different active Firewall Manager policy, this choice doesn't affect that association.
upvoted 1 times
namtp
9 months ago
Selected Answer: AC
I think that is the best way to centrally manage firewall config.
upvoted 1 times
jamesf
9 months, 2 weeks ago
Selected Answer: AC
As I understand it, WAF is related to AWS Firewall Manager.
upvoted 1 times
Gomer
11 months, 2 weeks ago
Selected Answer: AC
These references indicate this can all be handled within Firewall Manager (with no references to Config or GuardDuty):
https://aws.amazon.com/blogs/security/how-to-enforce-a-security-baseline-for-an-aws-waf-acl-across-your-organization-using-aws-firewall-manager/
https://aws.amazon.com/solutions/implementations/automations-for-aws-firewall-manager/
upvoted 2 times
Gomer
11 months, 2 weeks ago
In reading a little further, I suspect that Config may be being used in the background (since Config must be enabled to use WAF). However, I believe that is totally transparent to the Organization WAF Administrator. The administration of WAF and enforcement of WAF policies is ALL handled with the Web Application Firewall service.
upvoted 1 times
01037
12 months ago
Selected Answer: AC
I think E works, but Firewall manager is designed for the purpose.
upvoted 1 times
GripZA
2 weeks, 2 days ago
AWS Config can't auto-remediate unless there's additional integration, e.g. with Lambda.
upvoted 1 times
Cervus18
1 year, 1 month ago
Selected Answer: AC
A and C: AWS Config rules are primarily used for monitoring and evaluating the configurations of your AWS resources for compliance with desired configurations. However, AWS Config also supports remediation actions through AWS Systems Manager Automation documents.
upvoted 1 times
Vitalydt
1 year, 2 months ago
Selected Answer: CE
Why not E?
upvoted 1 times
01037
12 months ago
I think E works, but Firewall manager is designed for the purpose.
upvoted 1 times
Cervus18
1 year, 1 month ago
AWS Config rules are primarily used for monitoring and evaluating the configurations of AWS resources for compliance with desired configurations. However, AWS Config also supports remediation actions through AWS Systems Manager Automation documents or Lambda. Firewall Manager is used to apply and enforce web ACLs to all ALBs at an organizational level across all your AWS Organization's accounts, and you can configure auto remediation for any non-compliant resource in any account.
upvoted 1 times
thanhnv142
1 year, 3 months ago
A and C: Config does not have any action, only notifications.
upvoted 2 times
Fco_Javier
1 year, 9 months ago
A) is a prerequisite: AWS Firewall Manager prerequisites https://docs.aws.amazon.com/es_es/waf/latest/developerguide/join-aws-orgs.html
upvoted 2 times
habros
1 year, 10 months ago
Selected Answer: AC
GuardDuty only posts findings, hence they can be eliminated. From my knowledge, Config only notifies. Hence, A and C.
upvoted 2 times
Dimidrol
2 years ago
Selected Answer: AC
A C for me
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other