Exam AWS Certified DevOps Engineer - Professional DOP-C02 All Questions

Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 113 discussion

A company has a data ingestion application that runs across multiple AWS accounts. The accounts are in an organization in AWS Organizations. The company needs to monitor the application and consolidate access to the application. Currently, the company is running the application on Amazon EC2 instances from several Auto Scaling groups. The EC2 instances have no access to the internet because the data is sensitive. Engineers have deployed the necessary VPC endpoints. The EC2 instances run a custom AMI that is built specifically for the application.

To maintain and troubleshoot the application, system administrators need the ability to log in to the EC2 instances. This access must be automated and controlled centrally. The company’s security team must receive a notification whenever the instances are accessed.

Which solution will meet these requirements?

  • A. Create an Amazon EventBridge rule to send notifications to the security team whenever a user logs in to an EC2 instance. Use EC2 Instance Connect to log in to the instances. Deploy Auto Scaling groups by using AWS CloudFormation. Use the cfn-init helper script to deploy appropriate VPC routes for external access. Rebuild the custom AMI so that the custom AMI includes AWS Systems Manager Agent.
  • B. Deploy a NAT gateway and a bastion host that has internet access. Create a security group that allows incoming traffic on all the EC2 instances from the bastion host. Install AWS Systems Manager Agent on all the EC2 instances. Use Auto Scaling group lifecycle hooks for monitoring and auditing access. Use Systems Manager Session Manager to log in to the instances. Send logs to a log group in Amazon CloudWatch Logs. Export data to Amazon S3 for auditing. Send notifications to the security team by using S3 event notifications.
  • C. Use EC2 Image Builder to rebuild the custom AMI. Include the most recent version of AWS Systems Manager Agent in the image. Configure the Auto Scaling group to attach the AmazonSSMManagedInstanceCore role to all the EC2 instances. Use Systems Manager Session Manager to log in to the instances. Enable logging of session details to Amazon S3. Create an S3 event notification for new file uploads to send a message to the security team through an Amazon Simple Notification Service (Amazon SNS) topic.
  • D. Use AWS Systems Manager Automation to build Systems Manager Agent into the custom AMI. Configure AWS Config to attach an SCP to the root organization account to allow the EC2 instances to connect to Systems Manager. Use Systems Manager Session Manager to log in to the instances. Enable logging of session details to Amazon S3. Create an S3 event notification for new file uploads to send a message to the security team through an Amazon Simple Notification Service (Amazon SNS) topic.
Suggested Answer: C
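As an added example illustrating the notification step of option C (not code from the exam page or from AWS), the SNS topic access policy that S3 needs before it can publish the "new file upload" event, and a parser for the S3 event JSON that the security team's subscriber receives in the SNS message body. The bucket name, key layout, session-id format, account id and ARNs are constructed assumptions.

```python
import json
from urllib.parse import unquote_plus


def sns_topic_policy(topic_arn, bucket_arn, account_id):
    """Topic access policy that lets S3 publish the notification from option C.
    aws:SourceArn / aws:SourceAccount restrict publishing to the session-log bucket
    in our own account, so a bucket elsewhere cannot inject fake 'access' alerts."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "SNS:Publish",
        "Resource": topic_arn,
        "Condition": {"ArnLike": {"aws:SourceArn": bucket_arn},
                      "StringEquals": {"aws:SourceAccount": account_id}},
    }]}


def parse_s3_notification(sns_message):
    """The SNS message body is the S3 event JSON. Return one record per newly created
    transcript. Session Manager uploads the S3 transcript when a session ENDS, so a
    record means 'an instance was accessed', not 'a login is in progress'.
    Assumed key layout: <prefix>/<session-id>.log with session-id = <user>-<hex>."""
    event = json.loads(sns_message) if isinstance(sns_message, str) else sns_message
    accessed = []
    for record in event.get("Records", []):
        if not record.get("eventName", "").startswith("ObjectCreated:"):
            continue  # deletes, restores and lifecycle events are not sessions
        key = unquote_plus(record["s3"]["object"]["key"])  # S3 URL-encodes keys
        if not key.endswith(".log"):
            continue
        session_id = key.rsplit("/", 1)[-1][:-len(".log")]
        accessed.append({"bucket": record["s3"]["bucket"]["name"], "key": key,
                         "session_id": session_id,
                         "user": session_id.rsplit("-", 1)[0],
                         "size": record["s3"]["object"].get("size", 0),
                         "time": record.get("eventTime", "")})
    return accessed


# Constructed sample: one transcript upload plus one unrelated delete, as the
# security team's subscriber would receive it in the SNS message body.
SAMPLE_MESSAGE = json.dumps({"Records": [
    {"eventName": "ObjectCreated:Put", "eventTime": "2024-05-01T12:34:56.000Z",
     "s3": {"bucket": {"name": "example-session-logs"},
            "object": {"key": "session-logs/admin-0a1b2c3d4e5f67890.log", "size": 2048}}},
    {"eventName": "ObjectRemoved:Delete", "eventTime": "2024-05-01T12:35:00.000Z",
     "s3": {"bucket": {"name": "example-session-logs"},
            "object": {"key": "session-logs/old.log"}}},
]})
```

Scope the S3 event notification to the session-log prefix and suffix `.log` so unrelated uploads to the bucket do not page the security team.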

Comments

Blueee
Highly Voted 1 year, 10 months ago
Selected Answer: C
C and D are the leftover choices due to no internet access for EC2. C is correct. By using EC2 Image Builder to rebuild the custom AMI and including the most recent version of AWS Systems Manager Agent in the image, you can configure the Auto Scaling group to attach the AmazonSSMManagedInstanceCore role to all the EC2 instances. This allows you to use Systems Manager Session Manager to log in to the instances. You can enable logging of session details to Amazon S3 and create an S3 event notification for new file uploads to send a message to the security team through an Amazon Simple Notification Service (Amazon SNS) topic.
upvoted 7 times
thanhnv142
Highly Voted 1 year, 3 months ago
C is correct: <The company needs to monitor the application and consolidate access to the application> means using SSM. We should install the SSM agent on all EC2 instances. <The EC2 instances run a custom AMI that is built specifically for the application> means we should rebuild the image and integrate the agent into the AMI. To rebuild, the best option is EC2 Image Builder. <The company’s security team must receive a notification whenever the instances are accessed.> means SNS.
A: <Rebuild the custom AMI so that the custom AMI includes AWS Systems Manager Agent.>: no mention of using EC2 Image Builder and SNS.
B: no mention of integrating SSM agents into the AMI, and we cannot just send S3 notifications to users <Send notifications to the security team by using S3 event notifications.>
D: no mention of using EC2 Image Builder to rebuild the AMI.
upvoted 6 times
Saudis
Most Recent 5 months, 3 weeks ago
Ans is C because the keyword is "access must be automated and controlled centrally".
upvoted 1 times
jamesf
9 months ago
Selected Answer: C
- AWS Systems Manager Agent
- Systems Manager Session Manager for logging in to the instances
- enable logging of session details to S3
- S3 event notification to SNS.
upvoted 2 times
dkp
1 year ago
Selected Answer: C
C is correct
upvoted 1 times
haazybanj
1 year, 9 months ago
Selected Answer: C
Option C offers a well-architected approach to addressing the requirements, providing both centralized access and logging, and automated login to EC2 instances for system administrators. Additionally, it ensures that the security team receives notifications for auditing and monitoring purposes.
upvoted 2 times
PhuocT
1 year, 11 months ago
D is not a good option for the following reasons:
1. AWS Systems Manager Automation is not the ideal choice for building a custom AMI. Instead, EC2 Image Builder, as stated in option C, is an AWS service designed for building, testing, and maintaining golden Amazon Machine Images (AMIs), making it a suitable choice for both building and managing custom AMIs.
2. Option D suggests attaching an SCP (Service Control Policy) to the root organization to allow EC2 instances to connect to Systems Manager. This approach is incorrect because SCPs are used to define permissions at an organizational level, rather than allowing specific access between resources like EC2 instances and Systems Manager. Attaching the AmazonSSMManagedInstanceCore role to EC2 instances as mentioned in option C is the correct method, which allows instances to communicate with Systems Manager.
upvoted 3 times
2pk
1 year, 11 months ago
If someone knows why D is not correct, please post.
upvoted 1 times
MarDog
1 year, 10 months ago
Because I don't think AWS Config can be used to attach an SCP.
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other
