Exam AWS Certified Solutions Architect - Professional All Questions

Exam AWS Certified Solutions Architect - Professional topic 1 question 429 discussion

A company prefers to limit running Amazon EC2 instances to those that were launched from AMIs pre-approved by the Information Security department. The
Development team has an agile continuous integration and deployment process that cannot be stalled by the solution.
Which methods enforce the required controls with the LEAST impact on the development process? (Choose two.)

  • A. Use IAM policies to restrict the ability of users or other automated entities to launch EC2 instances based on a specific set of pre-approved AMIs, such as those tagged in a specific way by Information Security.
  • B. Use regular scans within Amazon Inspector with a custom assessment template to determine if the EC2 instance that the Amazon Inspector Agent is running on is based upon a pre-approved AMI. If it is not, shut down the instance and inform Information Security by email that this occurred.
  • C. Only allow launching of EC2 instances using a centralized DevOps team, which is given work packages via notifications from an internal ticketing system. Users make requests for resources using this ticketing tool, which has manual information security approval steps to ensure that EC2 instances are only launched from approved AMIs.
  • D. Use AWS Config rules to spot any launches of EC2 instances based on non-approved AMIs, trigger an AWS Lambda function to automatically terminate the instance, and publish a message to an Amazon SNS topic to inform Information Security that this occurred.
  • E. Use a scheduled AWS Lambda function to scan through the list of running instances within the virtual private cloud (VPC) and determine if any of these are based on unapproved AMIs. Publish a message to an SNS topic to inform Information Security that this occurred and then shut down the instance.
Suggested Answer: AD 🗳️
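The two suggested answers map to two different control points: option A is a preventive IAM control evaluated at `ec2:RunInstances` time, and option D is a detective AWS Config control that acts after the instance exists. The block below is an added example written for this discussion; it is not code from the exam page, from AWS, or from any commenter. The tag key `ApprovedBy=InfoSec`, the AMI and instance IDs, the SNS topic ARN and the Config configuration items are all constructed assumptions. The policy follows the tag-based pattern the AWS knowledge-center article linked in the comments describes, using an explicit Deny on the image ARN; the Config part returns the evaluation and the remediation plan instead of calling `put_evaluations`, `terminate_instances` and `publish` through boto3, so it runs offline.

```python
"""Added example for options A and D. Not code from the exam page, AWS or
any commenter. Tag key/value, AMI IDs, instance IDs and the Config event
are constructed assumptions used only for illustration."""
import json
from typing import Dict, Iterable, List, Tuple

# Assumed convention: Information Security tags approved AMIs ApprovedBy=InfoSec.
APPROVAL_TAG_KEY = "ApprovedBy"
APPROVAL_TAG_VALUE = "InfoSec"


def build_ami_restriction_policy(tag_key: str = APPROVAL_TAG_KEY,
                                 tag_value: str = APPROVAL_TAG_VALUE) -> Dict:
    """Option A: IAM policy denying ec2:RunInstances against any AMI that does
    not carry the approval tag. Explicit Deny so the control holds even if
    another policy grants RunInstances broadly. StringNotEquals also matches
    when the key is absent, so untagged AMIs are denied too. Only the image
    ARN is constrained; instance/volume/ENI resources keep the normal Allow."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyLaunchFromUnapprovedAmi",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*::image/ami-*",
            "Condition": {
                "StringNotEquals": {f"ec2:ResourceTag/{tag_key}": tag_value}
            },
        }],
    }


def evaluate_instance(configuration_item: Dict, approved_amis: Iterable[str]) -> str:
    """Option D: evaluation logic of a custom AWS Config rule scoped to
    AWS::EC2::Instance. Returns one of Config's compliance types."""
    if configuration_item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE"
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE"
    image_id = configuration_item.get("configuration", {}).get("imageId")
    return "COMPLIANT" if image_id in set(approved_amis) else "NON_COMPLIANT"


def lambda_handler(event: Dict, context=None) -> Dict:
    """Shape of the Lambda behind a custom Config rule: Config passes the
    changed configuration item as a JSON string in invokingEvent and the rule
    parameters as a JSON string in ruleParameters. A deployed function would
    hand the result to config.put_evaluations(...); here it is returned."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters", "{}"))
    approved = [a.strip() for a in params.get("approvedAmis", "").split(",") if a.strip()]
    ci = invoking["configurationItem"]
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": evaluate_instance(ci, approved),
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


def remediation_plan(evaluations: List[Dict], topic_arn: str) -> Tuple[List[str], Dict]:
    """What the remediation step of option D would do with NON_COMPLIANT
    results: instance IDs for ec2.terminate_instances and the SNS message for
    Information Security. Returned rather than executed."""
    targets = sorted(e["ComplianceResourceId"] for e in evaluations
                     if e["ComplianceType"] == "NON_COMPLIANT")
    message = {
        "TopicArn": topic_arn,
        "Subject": "EC2 instance launched from unapproved AMI",
        "Message": "Terminated instances launched from non-approved AMIs: "
                   + (", ".join(targets) if targets else "none"),
    }
    return targets, message


def _config_item(instance_id: str, image_id: str, status: str = "OK") -> Dict:
    """Constructed AWS::EC2::Instance configuration item (not real data)."""
    return {
        "resourceType": "AWS::EC2::Instance",
        "resourceId": instance_id,
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"imageId": image_id, "instanceId": instance_id},
    }


def demo() -> Tuple[List[str], Dict]:
    """Constructed scenario: one approved launch, one launch from an
    unapproved AMI, one already-deleted instance. Returns the remediation plan."""
    approved = "ami-0aaaaaaaaaaaaaaaa,ami-0bbbbbbbbbbbbbbbb"  # assumed approved set
    items = [
        _config_item("i-0approved000000001", "ami-0aaaaaaaaaaaaaaaa"),
        _config_item("i-0rogue0000000000002", "ami-0ccccccccccccccccc"),
        _config_item("i-0gone00000000000003", "ami-0ccccccccccccccccc", "ResourceDeleted"),
    ]
    evaluations = [
        lambda_handler({"invokingEvent": json.dumps({"configurationItem": ci}),
                        "ruleParameters": json.dumps({"approvedAmis": approved})})
        for ci in items
    ]
    return remediation_plan(evaluations, "arn:aws:sns:us-east-1:123456789012:infosec-alerts")


if __name__ == "__main__":
    print(json.dumps(build_ami_restriction_policy(), indent=2))
    targets, notice = demo()
    print(targets, notice["Message"])
```

The difference the thread argues over is visible in where each function runs. The IAM policy fails the `RunInstances` call itself, so a pipeline whose launch template points at an untagged AMI stops at launch; that is the "impact" SD13 and memester raise, and it is also what makes A a real enforcement rather than a notification. The Config path only sees the instance after it exists, so an unapproved instance runs until the rule is evaluated and the remediation Lambda terminates it. The example assumes the AMIs are owned by the launching account: tags an owner puts on an AMI are not visible to other accounts it is shared with, so a cross-account approved-AMI scheme needs a different condition than `ec2:ResourceTag`.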

Comments

donathon
Highly Voted 3 years, 8 months ago
AD. A: https://aws.amazon.com/premiumsupport/knowledge-center/restrict-launch-tagged-ami/ B: Amazon Inspector is an automated security assessment service that helps you test the network accessibility of your Amazon EC2 instances and the security state of your applications running on the instances. C: Delays the deployment. D: This ensures that compliance is enforced. E: Not effective.
upvoted 32 times
SD13
3 years, 7 months ago
A will impact the development process.
upvoted 2 times
memester
3 years, 7 months ago
I agree... Straight from Jon Bonso exam: The option that says: Set up IAM policies to restrict the ability of users to launch EC2 instances based on a specific set of pre-approved AMIs which were tagged by the Security team is incorrect because setting up an IAM Policy will totally restrict the development team from launching EC2 instances with unapproved AMIs which could impact their CI/CD process. The scenario clearly says that the solution should not have any interruption in the company's development process.
upvoted 1 times
StelSen
3 years, 7 months ago
Jon Bonso is also wrong then, because Option D will also cause disruption. So is E the only good choice left? memester and SD13, please tell us your answer when you reply. I still stick to A D.
upvoted 2 times
awsec2
Highly Voted 3 years, 8 months ago
a, d https://aws.amazon.com/premiumsupport/knowledge-center/restrict-launch-tagged-ami/
upvoted 11 times
dpvnme
3 years, 8 months ago
Yes, I think A&D are the best choices here
upvoted 2 times
AjayPrajapati
Most Recent 2 years, 7 months ago
Selected Answer: AD
E doesn't sound correct. Why have a new Lambda to scan all VMs? Remember Lambda has a limited run time of 15 minutes. What if you have a ton of VMs?
upvoted 1 times
Byrney
2 years, 7 months ago
The Lambda doesn't scan the VMs themselves, it scans a *list* of all the VMs and compares each entry with the approved AMI list. That won't take anything like 15 minutes.
upvoted 1 times
mrgreatness
2 years, 7 months ago
Answer is 100% A & D. You can specify tags in conditions, so have a tag that only allows RunInstances with a specific AMI. It's definitely A & D; D because Config is the perfect solution. I'm 100% certain of this.
upvoted 1 times
JohnPi
2 years, 8 months ago
Selected Answer: DE
D&E Security team is incorrect because setting up an IAM Policy will totally restrict the development team from launching EC2 instances with unapproved AMIs
upvoted 1 times
akash_it
2 years, 8 months ago
D, E is correct.
upvoted 1 times
epomatti
2 years, 9 months ago
Selected Answer: DE
A will block development. Only options that make sense are D and E.
upvoted 2 times
jj22222
3 years, 2 months ago
Selected Answer: AD
AD are right
upvoted 3 times
futen0326
3 years, 3 months ago
D E. If you're already settled on using D, why would you also use A? You've already taken care of the launch requirement; now we must solve the potential issue of unapproved AMIs that may be past launch but running.
upvoted 1 times
cannottellname
3 years, 4 months ago
AAAAAA DDDDDD
upvoted 1 times
tkanmani76
3 years, 5 months ago
A and D. Refer to this link for A: https://aws.amazon.com/premiumsupport/knowledge-center/restrict-launch-tagged-ami/
upvoted 1 times
AzureDP900
3 years, 6 months ago
AD is right
upvoted 1 times
andylogan
3 years, 7 months ago
It's A D
upvoted 1 times
DerekKey
3 years, 7 months ago
D&E. A is WRONG, since it will stall the agile continuous integration and deployment process that cannot be stalled by the solution. B: incorrect. C: refer to A.
upvoted 2 times
WhyIronMan
3 years, 7 months ago
I'll go with A,D
upvoted 2 times
Waiweng
3 years, 7 months ago
will go for A,D
upvoted 2 times
ppshein
3 years, 7 months ago
D, E is the best for me.
upvoted 1 times