ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS DevOps Engineer Professional All Questions

View all questions & answers for the AWS DevOps Engineer Professional exam
Go to Exam

Exam AWS DevOps Engineer Professional topic 1 question 80 discussion

Exam question from Amazon's AWS DevOps Engineer Professional
Question #: 80
Topic #: 1
[All AWS DevOps Engineer Professional Questions]

A DevOps engineer wants to implement an automated response that will occur if AWS Trusted Advisor detects an IAM access key in a public source code repository. The automated response must delete the exposed access key and must notify the security team.
Which solution will meet these requirements?

  • A. Create an AWS Lambda function to delete the 1AM access key. Configure AWS CloudTrail logs to stream to Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter for the AWS_RISK_CREDENTIALS_EXPOSED event with two actions. First, run the Lambda function. Second, use Amazon Simple Notification Service (Amazon SNS) to send a notification to the security team.
  • B. Create an AWS Lambda function to delete the IAM access key. Create an AWS Config rule for changes to "aws.trustedadvisor" and the "Exposed Access Keys" status with two actions. First, run the Lambda function. Second, use Amazon Simple Notification Service (Amazon SNS) to send a notification to the security team.
  • C. Create an AWS Lambda function that deletes the IAM access key and then uses Amazon Simple Notification Service (Amazon SNS) to notify the security team. Create an AWS Personal Health Dashboard rule for the AWS_RISK_CREDENTIALS_EXPOSED event. Set the target of the Personal Health Dashboard rule to the ARN of the Lambda function.
  • D. Create an AWS Lambda function that deletes the IAM access key. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with an "aws.trustedadvisor" event source and the "Exposed Access Keys" status. Set the EventBridge (CloudWatch Events) rule to target the Lambda function and an Amazon Simple Notification Service (Amazon SNS) topic that notifies the security team.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by ohcn at Sept. 2, 2022, 1:45 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
daheck
2 years, 3 months ago
Selected Answer: D
For option C we need Step Function to trigger the Lambda function, as can be seen in the provided links bellow. Step Functions are not mentioned in answer C, so the only valid option would be D
upvoted 1 times
...
Appon
2 years, 3 months ago
Selected Answer: D
https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/EventTypes.html
upvoted 2 times
...
asfsdfsdf
2 years, 4 months ago
Selected Answer: D
A - there are no actions for Cloudwatch Logs metric filter B - AWS Config is not relevant for this use case as it monitors resources status/compliance C - There is no such thing Health dashboard event rule, need to use cloudwatch event rule D - Correct
upvoted 2 times
...
dsilverio70
2 years, 4 months ago
D: EventBridge Pattern { "source": ["aws.health"], "detail-type": ["AWS Health Event"], "detail": { "service": ["RISK"], "eventTypeCategory": ["issue"], "eventTypeCode": ["AWS_RISK_CREDENTIALS_EXPOSED", "AWS_RISK_CREDENTIALS_COMPROMISED", "AWS_RISK_CREDENTIALS_EXPOSURE_SUSPECTED", "AWS_RISK_CREDENTIALS_COMPROMISE_SUSPECTED"] } }
upvoted 2 times
...
saeidp
2 years, 4 months ago
Selected Answer: D
There are two issues with C It should use event bridge which is not mentioned It is aws.health event not the health dashboard event
upvoted 1 times
...
BelloMio
2 years, 4 months ago
I correct myself, it's not C because the event should be coming from aws health events. not health dashboard events
upvoted 1 times
BelloMio
2 years, 4 months ago
pls remove this comment, thank you. I recorrect myself, the answer is C
upvoted 1 times
...
...
BelloMio
2 years, 4 months ago
Looks to me to be C. https://github.com/aws/aws-health-tools/blob/master/automated-actions/AWS_RISK_CREDENTIALS_EXPOSED/README.md
upvoted 3 times
BelloMio
2 years, 4 months ago
Definitely C
upvoted 1 times
...
saeidp
2 years, 4 months ago
Eventbridge is also missing in C
upvoted 1 times
BelloMio
2 years, 4 months ago
It’s integrated in the service. You have a tab for it
upvoted 1 times
...
...
...
Bulti
2 years, 5 months ago
D is correct. C is not because AWS health does not work with Trusted Advisor and the question talks about detecting credentials using AWS trusted advisor.
upvoted 2 times
...
saeidp
2 years, 6 months ago
D for sure https://github.com/aws/Trusted-Advisor-Tools/blob/master/ExposedAccessKeys/README.md
upvoted 1 times
...
neta1o
2 years, 7 months ago
Selected Answer: D
I was initially leaning toward C. But the wording says "Create an AWS Personal Health Dashboard rule". The rule is technically created in EventBridge. For that reason I'd go with D.
upvoted 4 times
...
bartekb3d
2 years, 8 months ago
Selected Answer: C
https://aws.amazon.com/blogs/compute/automate-your-it-operations-using-aws-step-functions-and-amazon-cloudwatch-events/
upvoted 2 times
...
quixo
2 years, 9 months ago
I will go with C. Public access key <--> AWS Health <--> Event Bridge <--> Lambda Func. Refer: https://aws.amazon.com/blogs/compute/automate-your-it-operations-using-aws-step-functions-and-amazon-cloudwatch-events/
upvoted 4 times
...
Goozian
2 years, 9 months ago
Selected Answer: D
D is correct
upvoted 1 times
...
hankun
2 years, 10 months ago
C is true https://aws.amazon.com/blogs/compute/automate-your-it-operations-using-aws-step-functions-and-amazon-cloudwatch-events/
upvoted 1 times
...
ohcn
2 years, 10 months ago
Selected Answer: D
D - Seems to be the right one. But wording around Exposed Access Key status is kinda wrong. Status should be error and check-name should be Exposed Access Key. https://github.com/aws/Trusted-Advisor-Tools/tree/master/ExposedAccessKeys C is also doable, but I don't think this is the case. https://www.examtopics.com/discussions/amazon/view/4893-exam-aws-devops-engineer-professional-topic-1-question-64/
upvoted 1 times
BelloMio
2 years, 4 months ago
it's C. Literal copy paste https://github.com/aws/aws-health-tools/blob/master/automated-actions/AWS_RISK_CREDENTIALS_EXPOSED/README.md
upvoted 1 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel