Exam AWS DevOps Engineer Professional topic 1 question 4 discussion

Exam question from Amazon's AWS DevOps Engineer Professional
Question #: 4
Topic #: 1
[All AWS DevOps Engineer Professional Questions]

A company plans to stop using Amazon EC2 key pairs for SSH access, and instead plans to use AWS Systems Manager Session Manager. To further enhance security, access to Session Manager must take place over a private network only.
Which combinations of actions will accomplish this? (Choose two.)

  • A. Allow inbound access to TCP port 22 in all associated EC2 security groups from the VPC CIDR range.
  • B. Attach an IAM policy with the necessary Systems Manager permissions to the existing IAM instance profile.
  • C. Create a VPC endpoint for Systems Manager in the desired Region.
  • D. Deploy a new EC2 instance that will act as a bastion host to the rest of the EC2 instance fleet.
  • E. Remove any default routes in the associated route tables.
Suggested Answer: BC

Comments

Augustoosouza
Highly Voted 3 years, 7 months ago
I choose B&C. A - wrong. There is no need to open doors. B - Correct. C - Correct. D - Systems Manager does not need a bastion host. It's wrong. Ref: https://aws.amazon.com/en/blogs/aws/new-session-manager/ https://cloudonaut.io/goodbye-ssh-use-aws-session-manager-instead/
upvoted 27 times
[Removed]
Highly Voted 8 months, 1 week ago
B,C is the right answer.
upvoted 10 times
Tika01
Most Recent 2 years, 1 month ago
To use AWS Systems Manager Session Manager, the first step is to attach an IAM policy with the necessary Systems Manager permissions to the IAM instance profile associated with the EC2 instances. This will grant the instances permission to use Systems Manager to start and stop sessions using Session Manager. Next, to ensure that access to Session Manager takes place over a private network only, a VPC endpoint for Systems Manager needs to be created in the desired VPC. This endpoint will allow the instances in the VPC to communicate with the Systems Manager service without needing to traverse the public internet. Therefore, options A, D, and E are incorrect because they are not relevant to the scenario.
upvoted 2 times
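The two correct options (B and C) amount to two things an engineer can both provision and audit: the Systems Manager interface endpoints in the VPC, and an instance role that carries the SSM permissions. The following is an added example, not code from the page or from AWS. Its pure helpers run offline against a constructed sample; only `apply_plan()` talks to AWS and it assumes boto3 plus credentials. The `ssm` and `ssmmessages` endpoints are the ones Session Manager itself needs; `ec2messages` is included because it is needed for other Systems Manager features and is usually created alongside. The check for private DNS is there because without it the SSM Agent resolves the public service hostname and the traffic either leaves the VPC or, in a VPC with no internet route, simply fails.

```python
"""Plan and audit Session Manager over a private network only:
VPC interface endpoints for Systems Manager (option C) and an instance
profile with the SSM core permissions (option B).  Added example."""
from __future__ import annotations

# Endpoints the SSM Agent needs for Session Manager; ec2messages is used
# by Run Command and friends and is normally created with the other two.
SESSION_MANAGER_SERVICES = ("ssm", "ssmmessages")
OTHER_SSM_SERVICES = ("ec2messages",)
# AWS managed policy that gives an instance the Systems Manager core permissions.
INSTANCE_CORE_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"


def endpoint_service_name(region: str, service: str) -> str:
    return f"com.amazonaws.{region}.{service}"


def plan_endpoints(region, vpc_id, subnet_ids, endpoint_sg_id, include_other=True):
    """Return ec2.create_vpc_endpoint() keyword arguments, one dict per service."""
    services = SESSION_MANAGER_SERVICES + (OTHER_SSM_SERVICES if include_other else ())
    return [
        {
            "VpcId": vpc_id,
            "ServiceName": endpoint_service_name(region, svc),
            "VpcEndpointType": "Interface",
            "SubnetIds": list(subnet_ids),
            "SecurityGroupIds": [endpoint_sg_id],
            # Private DNS makes ssm.<region>.amazonaws.com resolve to the endpoint ENIs.
            "PrivateDnsEnabled": True,
        }
        for svc in services
    ]


def endpoint_gaps(existing, region):
    """Audit records shaped like ec2.describe_vpc_endpoints()['VpcEndpoints']."""
    problems = []
    by_name = {ep["ServiceName"]: ep for ep in existing}
    for svc in SESSION_MANAGER_SERVICES:
        name = endpoint_service_name(region, svc)
        ep = by_name.get(name)
        if ep is None:
            problems.append(f"{name}: no endpoint")
            continue
        if ep.get("VpcEndpointType") != "Interface":
            problems.append(f"{name}: not an Interface endpoint")
        if not ep.get("PrivateDnsEnabled"):
            problems.append(f"{name}: private DNS disabled")
        if ep.get("State") != "available":
            problems.append(f"{name}: state is {ep.get('State')}")
    return problems


def endpoint_sg_gaps(ip_permissions, vpc_cidr):
    """The endpoint ENIs must accept HTTPS from the instances (here: the VPC CIDR).
    ip_permissions is shaped like a security group's 'IpPermissions' list."""
    for perm in ip_permissions:
        if perm.get("IpProtocol") != "tcp":
            continue
        if perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 0):
            if any(r.get("CidrIp") == vpc_cidr for r in perm.get("IpRanges", [])):
                return []
    return [f"endpoint security group has no tcp/443 ingress from {vpc_cidr}"]


def role_gaps(attached_policy_arns):
    """Option B: the instance role must carry the SSM core permissions."""
    if INSTANCE_CORE_POLICY_ARN in attached_policy_arns:
        return []
    return [f"instance role lacks {INSTANCE_CORE_POLICY_ARN}"]


def apply_plan(region, vpc_id, subnet_ids, endpoint_sg_id, role_name):
    """Live version: assumes boto3 and AWS credentials; not exercised offline."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    iam = boto3.client("iam")
    for kwargs in plan_endpoints(region, vpc_id, subnet_ids, endpoint_sg_id):
        ec2.create_vpc_endpoint(**kwargs)
    iam.attach_role_policy(RoleName=role_name, PolicyArn=INSTANCE_CORE_POLICY_ARN)


# Constructed sample (not real account data): only the "ssm" endpoint exists,
# private DNS was left off, the SG only opens 22, and the role has no SSM policy.
SAMPLE_REGION = "us-east-1"
SAMPLE_ENDPOINTS = [
    {"ServiceName": "com.amazonaws.us-east-1.ssm", "VpcEndpointType": "Interface",
     "PrivateDnsEnabled": False, "State": "available"},
    {"ServiceName": "com.amazonaws.us-east-1.s3", "VpcEndpointType": "Gateway",
     "PrivateDnsEnabled": False, "State": "available"},
]
SAMPLE_SG_RULES = [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                    "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]
SAMPLE_ROLE_POLICIES = ["arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"]


def audit_sample():
    return (endpoint_gaps(SAMPLE_ENDPOINTS, SAMPLE_REGION)
            + endpoint_sg_gaps(SAMPLE_SG_RULES, "10.0.0.0/16")
            + role_gaps(SAMPLE_ROLE_POLICIES))


if __name__ == "__main__":
    for problem in audit_sample():
        print("FAIL:", problem)
```

Run against the constructed sample the audit reports four findings: the missing `ssmmessages` endpoint, private DNS disabled on `ssm`, no tcp/443 ingress on the endpoint security group, and the missing managed policy. Note that option A's port 22 rule is exactly the kind of rule that does nothing for Session Manager: the agent makes outbound HTTPS connections to the endpoints, so what matters is 443 on the endpoint side, not 22 on the instances.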
jj22222
2 years, 3 months ago
Selected Answer: BC
looks right
upvoted 1 times
Bulti
2 years, 4 months ago
B,C is the right answer.
upvoted 1 times
Emekizle
2 years, 5 months ago
B and C
upvoted 1 times
Kaguar
3 years, 6 months ago
b and c
upvoted 2 times
Umer24
3 years, 6 months ago
Remaining Question # 58 (Topic 2) A. Update the attached IAM policies to allow access to the appropriate KMS key from the CodeDeploy role where the application will be deployed. B. Update the attached IAM policies to allow access to the appropriate KMS key from the EC2 instance roles where the application will be deployed. C. Update the CMK key policy to allow access to the appropriate KMS key from the CodeDeploy role where the application will be deployed. D. Update the CMK key policy to allow access to the appropriate KMS key from the EC2 instance roles where the application will be deployed. Answer-A
upvoted 5 times
rjagan
3 years, 6 months ago
Missing question..
upvoted 2 times
rjagan
3 years, 6 months ago
I'll go with A
upvoted 1 times
Umer24
3 years, 6 months ago
Question # 57 (Topic 2) A company uses AWS KMS with CMKs and manual key rotation to meet regulatory compliance requirements. The security team wants to be notified when any keys have not been rotated after 90 days. Which solution will accomplish this? A. Configure AWS KMS to publish to an Amazon SNS topic when keys are more than 90 days old. B. Configure an Amazon CloudWatch Events event to launch an AWS Lambda function to call the AWS Trusted Advisor API and publish to an Amazon SNS topic. C. Develop an AWS Config custom rule that publishes to an Amazon SNS topic when keys are more than 90 days old. D. Configure AWS Security Hub to publish to an Amazon SNS topic when keys are more than 90 days old.
upvoted 3 times
GVGREAT
3 years, 6 months ago
C is the answer
upvoted 5 times
Umer24
3 years, 6 months ago
Remaining Question # 56 (Topic 2) B. Establish a permission boundary in the master account to restrict Regions and authorized services. Use AWS CloudFormation StackSet to provision roles with permissions for each job function, including an IAM trust policy for IAM identity provider authentication in each account. C. Establish a service control policy in the master account to restrict Regions and authorized services. Use AWS Resource Access Manager to share master account roles with permissions for each job function, including AWS SSO for authentication in each account. D. Establish a service control policy in the master account to restrict Regions and authorized services. Use CloudFormation StackSet to provision roles with permissions for each job function, including an IAM trust policy for IAM identity provider authentication in each account.
upvoted 2 times
mackbell
3 years, 6 months ago
Well I would go with service control policy so C or D should be correct. C wants to use RAM to share roles between master and child accounts. From this link: https://docs.aws.amazon.com/ram/latest/userguide/shareable.html I would say this is not possible. So I would go with D. Any thoughts?
upvoted 6 times
kyo
3 years, 6 months ago
I go with D too.
upvoted 2 times
solo18
3 years, 6 months ago
D is correct
upvoted 4 times
Umer24
3 years, 6 months ago
Question # 56 (Topic 2) A company is using AWS Organizations and wants to implement a governance strategy with the following requirements: AWS resource access is restricted to the same two Regions for all accounts. AWS services are limited to a specific group of authorized services for all accounts. Authentication is provided by Active Directory. Access permissions are organized by job function and are identical in each account. Which solution will meet these requirements? A. Establish an organizational unit (OU) with group policies in the master account to restrict Regions and authorized services. Use AWS CloudFormation StackSets to provision roles with permissions for each job function, including an IAM trust policy for IAM identity provider authentication in each account.
upvoted 1 times
Umer24
3 years, 7 months ago
Remaining Question # 55 (Topic 2) A. Create an AWS Organizations SCP that denies access to all non-global services in non-US Regions. Attach the policy to the root of the organization. B. Configure AWS CloudTrail to send logs to Amazon CloudWatch Logs and enable it for all Regions. Use a CloudWatch Logs metric filter to send an alert on any service activity in non-US Regions. C. Use an AWS Lambda function that checks for AWS service activity and deploy it to all Regions. Write an Amazon CloudWatch Events rule that runs the Lambda function every hour, sending an alert if activity is found in a non-US Region. D. Use an AWS Lambda function to query Amazon Inspector to look for service activity in non-US Regions and send alerts if any activity is found. E. Write an SCP using the awsRequestedRegion condition key limiting access to US Regions. Apply the policy to all users, groups, and roles.
upvoted 3 times
rjagan
3 years, 6 months ago
Answer please..
upvoted 1 times
rjagan
3 years, 6 months ago
One option is C for sure. Anyone have idea about the other option?
upvoted 1 times
yyy
3 years, 6 months ago
I think: A B
upvoted 4 times
solo18
3 years, 6 months ago
B and C
upvoted 1 times
apcloud
2 years, 5 months ago
this is super super WRONG
upvoted 1 times
huynd6793
2 years, 6 months ago
Ans: AB
upvoted 3 times
apcloud
2 years, 5 months ago
this seems like the most likely answers.
upvoted 1 times
Umer24
3 years, 7 months ago
Question # 55 (Topic 2) A DevOps engineer is implementing governance controls for a company that requires its infrastructure to be housed within the United States. The engineer must restrict which Regions can be used, and ensure an alert is sent as soon as possible if any activity outside the governance policy takes place. The controls should be automatically enabled on any new Region outside the United States. Which combination of actions will meet these requirements? (Select TWO)
upvoted 1 times
gmandala
3 years, 7 months ago
B and C for me
upvoted 1 times
svjl
3 years, 7 months ago
BC. D is wrong, SM replaces the bastion.
upvoted 1 times
jackdryan
3 years, 7 months ago
I'll go with B,C
upvoted 3 times
ChauPhan
3 years, 7 months ago
B,C https://aws.amazon.com/premiumsupport/knowledge-center/ec2-systems-manager-vpc-endpoints/
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other