ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified DevOps Engineer - Professional DOP-C02 All Questions

View all questions & answers for the AWS Certified DevOps Engineer - Professional DOP-C02 exam
Go to Exam

Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 55 discussion

Exam question from Amazon's AWS Certified DevOps Engineer - Professional DOP-C02
Question #: 55
Topic #: 1
[All AWS Certified DevOps Engineer - Professional DOP-C02 Questions]

A company has deployed an application in a production VPC in a single AWS account. The application is popular and is experiencing heavy usage. The company’s security team wants to add additional security, such as AWS WAF, to the application deployment. However, the application's product manager is concerned about cost and does not want to approve the change unless the security team can prove that additional security is necessary.
The security team believes that some of the application's demand might come from users that have IP addresses that are on a deny list. The security team provides the deny list to a DevOps engineer. If any of the IP addresses on the deny list access the application, the security team wants to receive automated notification in near real time so that the security team can document that the application needs additional security. The DevOps engineer creates a VPC flow log for the production VPC.
Which set of additional steps should the DevOps engineer take to meet these requirements MOST cost-effectively?

  • A. Create a log group in Amazon CloudWatch Logs. Configure the VPC flow log to capture accepted traffic and to send the data to the log group. Create an Amazon CloudWatch metric filter for IP addresses on the deny list. Create a CloudWatch alarm with the metric filter as input. Set the period to 5 minutes and the datapoints to alarm to 1. Use an Amazon Simple Notification Service (Amazon SNS) topic to send alarm notices to the security team.
  • B. Create an Amazon S3 bucket for log files. Configure the VPC flow log to capture all traffic and to send the data to the S3 bucket. Configure Amazon Athena to return all log files in the S3 bucket for IP addresses on the deny list. Configure Amazon QuickSight to accept data from Athena and to publish the data as a dashboard that the security team can access. Create a threshold alert of 1 for successful access. Configure the alert to automatically notify the security team as frequently as possible when the alert threshold is met.
  • C. Create an Amazon S3 bucket for log files. Configure the VPC flow log to capture accepted traffic and to send the data to the S3 bucket. Configure an Amazon OpenSearch Service cluster and domain for the log files. Create an AWS Lambda function to retrieve the logs from the S3 bucket, format the logs, and load the logs into the OpenSearch Service cluster. Schedule the Lambda function to run every 5 minutes. Configure an alert and condition in OpenSearch Service to send alerts to the security team through an Amazon Simple Notification Service (Amazon SNS) topic when access from the IP addresses on the deny list is detected.
  • D. Create a log group in Amazon CloudWatch Logs. Create an Amazon S3 bucket to hold query results. Configure the VPC flow log to capture all traffic and to send the data to the log group. Deploy an Amazon Athena CloudWatch connector in AWS Lambda. Connect the connector to the log group. Configure Athena to periodically query for all accepted traffic from the IP addresses on the deny list and to store the results in the S3 bucket. Configure an S3 event notification to automatically notify the security team through an Amazon Simple Notification Service (Amazon SNS) topic when new objects are added to the S3 bucket.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by alce2020 at April 15, 2023, 5:24 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
madperro
Highly Voted 1 year, 6 months ago
Selected Answer: A
A meets the requirements at the lowest cost.
upvoted 8 times
...
habros
Highly Voted 1 year, 5 months ago
Selected Answer: A
opensearch cost a lot of $$$. Athena got tons of things to do afterwards. It's used purely for interactive query. natively, vpcflow sends logs to s3 or cloudwatch logs. no brainer answer
upvoted 5 times
...
thanhnv142
Most Recent 11 months ago
A is correct: push all VPC flow log to cloudwatch logs. Create metric filter to find denied IP addresses. Create cloudwatch alarm with the metric filter as input. Alarm's action is send noti to Security team via SNS B: "Configure the alert to automatically notify the security team": alert cannot notify by itself. Must use SNS C: This option uses both S3 bucket and "Amazon OpenSearch Service cluster" to store log files, which would cost a lot of money and unnecessary D: This option uses both S3 bucket and VPC flow log to store log files, which is costly
upvoted 2 times
...
ele
1 year, 7 months ago
Selected Answer: A
A most cost effective
upvoted 2 times
...
haazybanj
1 year, 8 months ago
Selected Answer: A
To meet the requirements most cost-effectively, the DevOps engineer should create a log group in Amazon CloudWatch Logs and configure the VPC flow log to capture accepted traffic and to send the data to the log group. Then, create an Amazon CloudWatch metric filter for IP addresses on the deny list and create a CloudWatch alarm with the metric filter as input. Set the period to 5 minutes and the datapoints to alarm to 1. Finally, use an Amazon Simple Notification Service (Amazon SNS) topic to send alarm notices to the security team. Option A is the correct answer. It provides a cost-effective solution that meets the requirements. The CloudWatch alarm notifies the security team in near real-time when traffic from an IP address on the deny list is detected. This will help the security team document that the application needs additional security. This solution only requires the use of AWS services that the company is already using, and does not require any additional services or tools.
upvoted 4 times
...
haazybanj
1 year, 8 months ago
D. Create an Amazon EventBridge rule that reacts to the pullRequestStatusChanged event. Create an AWS Lambda function that invokes a CodePipeline pipeline with a CodeBuild action that runs the tests for the application. Program the Lambda function to post the CodeBuild test results as a comment on the pull request when the test results are complete.
upvoted 1 times
BaburTurk
1 year, 3 months ago
Option D does not mention an event bridge rule
upvoted 1 times
zolthar_z
1 year, 1 month ago
This answer is for a previous question
upvoted 1 times
...
...
...
haazybanj
1 year, 8 months ago
The best way to automate testing of pull requests in CodeCommit is to use Amazon EventBridge rules to detect pullRequestStatusChanged events, which are triggered when a pull request's status changes. When this event occurs, the DevOps engineer can create an AWS Lambda function that invokes a CodePipeline pipeline with a CodeBuild action that runs the tests for the application. Finally, program the Lambda function to post the CodeBuild test results as a comment on the pull request when the test results are complete. This approach ensures that reviewers more easily see the results of automated tests as part of the pull request review, without the need to perform manual testing or rollbacks in the codebase.
upvoted 2 times
...
alce2020
1 year, 8 months ago
Selected Answer: A
A seems correct
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel