ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified DevOps Engineer - Professional DOP-C02 All Questions

View all questions & answers for the AWS Certified DevOps Engineer - Professional DOP-C02 exam
Go to Exam

Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 220 discussion

Exam question from Amazon's AWS Certified DevOps Engineer - Professional DOP-C02
Question #: 220
Topic #: 1
[All AWS Certified DevOps Engineer - Professional DOP-C02 Questions]

A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company needs an automated process across all AWS accounts to isolate any compromised Amazon EC2 instances when the instances receive a specific tag.

Which combination of steps will meet these requirements? (Choose two.)

  • A. Use AWS CloudFormation StackSets to deploy the CloudFormation stacks in all AWS accounts.
  • B. Create an SCP that has a Deny statement for the ec2:* action with a condition of "aws:RequestTag/isolation": false.
  • C. Attach the SCP to the root of the organization.
  • D. Create an AWS CloudFormation template that creates an EC2 instance role that has no IAM policies attached. Configure the template to have a security group that has an explicit Deny rule on all traffic. Use the CloudFormation template to create an AWS Lambda function that attaches the IAM role to instances. Configure the Lambda function to add a network ACL. Set up an Amazon EventBridge rule to invoke the Lambda function when a specific tag is applied to a compromised EC2 instance.
  • E. Create an AWS CloudFormation template that creates an EC2 instance role that has no IAM policies attached. Configure the template to have a security group that has no inbound rules or outbound rules. Use the CloudFormation template to create an AWS Lambda function that attaches the IAM role to instances. Configure the Lambda function to replace any existing security groups with the new security group. Set up an Amazon EventBridge rule to invoke the Lambda function when a specific tag is applied to a compromised EC2 instance.
Show Suggested Answer Hide Answer
Suggested Answer: AE 🗳️
by ogerber at March 27, 2024, 6:17 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Jay_2pt0_1
Highly Voted 11 months, 3 weeks ago
Selected Answer: AE
What a weirdly worded question. I tend to agree with A & E. We need to isolate an EC2 that has a certain tag.
upvoted 6 times
...
Jordarlu
Most Recent 6 months, 3 weeks ago
Selected Answer: AE
The B + C means no actions allowed on the tagged EC2 for all accounts in Organizations, but the asking was the needs of the isolation(implying the network isolation) on the tagged EC2; hence, A + E is a good option here..
upvoted 2 times
...
[Removed]
8 months, 2 weeks ago
Selected Answer: AE
vote for AE
upvoted 2 times
...
jamesf
9 months, 1 week ago
Selected Answer: AE
I go for AE isolating the instance should be mean block traffic
upvoted 3 times
...
trungtd
9 months, 3 weeks ago
Selected Answer: AE
This CloudFormation template creates the necessary resources: An EC2 instance role with no IAM policies, ensuring the instance cannot perform any actions. A security group with no inbound or outbound rules, effectively isolating the instance from all network traffic. A Lambda function that will be triggered by an EventBridge rule when a specific tag is applied to an EC2 instance. This function will attach the isolated security group to the compromised instance, ensuring it is isolated from any network communication. Combining these steps will provide an automated and consistent approach to isolate compromised EC2 instances across all AWS accounts in the organization.
upvoted 4 times
...
xdkonorek2
10 months, 2 weeks ago
Selected Answer: AE
BD is wrong isolating the instance doesn't mean "don't touch it" with aws actions but to block traffic from and to it
upvoted 3 times
...
seetpt
1 year ago
Selected Answer: BC
BC for me
upvoted 1 times
vn_thanhtung
11 months, 2 weeks ago
so funny, how to isolate incoming traffic. B,C means deny action with EC2
upvoted 3 times
vn_thanhtung
11 months, 2 weeks ago
Answer is A, E
upvoted 2 times
...
...
...
seetpt
1 year ago
Selected Answer: BC
BC for me
upvoted 1 times
...
dkp
1 year ago
Selected Answer: AE
ill go with AE
upvoted 4 times
...
Ola2234
1 year ago
CE for me. Option D is wrong because we can not use Security Group for an explicit deny rule. Option B is quite misleading with the resourceTagIsolation set to False instead of True.
upvoted 1 times
...
fdoxxx
1 year ago
Selected Answer: BC
in my opinion it could not be AE because we would need a mechanism to apply this template to the right EC2 - I would vote for BC
upvoted 3 times
chinchin97
8 months, 1 week ago
BC does not automate the isolation of instance. What it does is preventive measure that stops EC2 from perform action, but ultimately, it is still connected. You will need security groups to cut off access to and from the compromised EC2 instance. To have a complete solution, AE automates isolation based on tagging and deploy them to all EC2 instance, BC prevents any action by the EC2 using SCP. For this specific question, it is asking for the automation to isolate the EC2 instance so AE is the correct choice.
upvoted 1 times
...
...
ogerber
1 year, 1 month ago
Selected Answer: AE
A,E for me
upvoted 4 times
MalonJay
12 months ago
AE The question says isolate. What does isolate mean? Prevent outgoing and incoming traffic.
upvoted 3 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago