
Exam AWS DevOps Engineer Professional topic 1 question 173 discussion

Exam question from Amazon's AWS DevOps Engineer Professional
Question #: 173
Topic #: 1

A company has a data ingestion application that runs across multiple AWS accounts. The accounts are in an organization in AWS Organizations. The company needs to monitor the application and consolidate access to the application. Currently, the company is running the application on Amazon EC2 instances from several Auto Scaling groups. The EC2 instances have no access to the internet because the data is sensitive. Engineers have deployed the necessary VPC endpoints. The EC2 instances run a custom AMI that is built specifically for the application.

To maintain and troubleshoot the application, system administrators need the ability to log in to the EC2 instances. This access must be automated and controlled centrally. The company's security team must receive a notification whenever the instances are accessed.

Which solution will meet these requirements?

  • A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to send notifications to the security team whenever a user logs in to an EC2 instance. Use EC2 Instance Connect to log in to the instances. Deploy Auto Scaling groups by using AWS CloudFormation. Use the cfn-init helper script to deploy appropriate VPC routes for external access. Rebuild the custom AMI so that the custom AMI includes AWS Systems Manager Agent.
  • B. Deploy a NAT gateway and a bastion host that has internet access. Create a security group that allows incoming traffic on all the EC2 instances from the bastion host. Install AWS Systems Manager Agent on all the EC2 instances. Use Auto Scaling group lifecycle hooks for monitoring and auditing access. Use Systems Manager Session Manager to log in to the instances. Send logs to a log group in Amazon CloudWatch Logs. Export data to Amazon S3 for auditing. Send notifications to the security team by using S3 event notifications.
  • C. Use EC2 Image Builder to rebuild the custom AMI. Include the most recent version of AWS Systems Manager Agent in the image. Configure the Auto Scaling group to attach the AmazonSSMManagedInstanceCore role to all the EC2 instances. Use Systems Manager Session Manager to log in to the instances. Enable logging of session details to Amazon S3. Create an S3 notification for new file uploads to send a message to the security team through an Amazon Simple Notification Service (Amazon SNS) topic.
  • D. Use AWS Systems Manager Automation to build Systems Manager Agent into the custom AMI. Configure AWS Config to attach an SCP to the root organization account to allow the EC2 instances to connect to Systems Manager. Use Systems Manager Session Manager to log in to the instances. Enable logging of session details to Amazon S3. Create an S3 notification for new file uploads to send a message to the security team through an Amazon Simple Notification Service (Amazon SNS) topic.
Suggested Answer: C
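As an added example (not part of the exam page and not an AWS-provided template), the following CloudFormation template implements the controls described in answer C end to end: an EC2 instance role with the AmazonSSMManagedInstanceCore managed policy attached, Session Manager preferences that write session logs to an encrypted S3 bucket, and an S3 event notification that publishes every new session log object to an SNS topic subscribed by the security team. The stack name, bucket name, key prefix and e-mail address are assumptions; the custom AMI with the SSM Agent preinstalled and the VPC endpoints for ssm, ssmmessages, ec2messages and S3 are assumed to exist already, as the question states.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - Session Manager access with S3 session logging and SNS alerts

Parameters:
  SecurityTeamEmail:
    Type: String
    Description: Assumed placeholder address for the security team subscription

Resources:
  # AmazonSSMManagedInstanceCore is an AWS managed *policy*; it is attached to
  # this role, and the role is handed to the instances via the instance profile.
  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
      Policies:
        # The managed policy grants no S3 writes; the agent uploads the session
        # log itself, so the instance role needs PutObject on the log prefix.
        - PolicyName: SessionLogUpload
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: s3:PutObject
                Resource: !Sub '${SessionLogBucket.Arn}/sessions/*'
              - Effect: Allow
                Action: s3:GetEncryptionConfiguration
                Resource: !GetAtt SessionLogBucket.Arn

  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [!Ref InstanceRole]

  SecurityTeamTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Protocol: email
          Endpoint: !Ref SecurityTeamEmail

  # S3 must be allowed to publish to the topic; the SourceArn condition
  # restricts that permission to the session-log bucket below.
  SecurityTeamTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics: [!Ref SecurityTeamTopic]
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: s3.amazonaws.com }
            Action: sns:Publish
            Resource: !Ref SecurityTeamTopic
            Condition:
              ArnLike:
                aws:SourceArn: !Sub 'arn:aws:s3:::${AWS::StackName}-session-logs-${AWS::AccountId}'

  SessionLogBucket:
    Type: AWS::S3::Bucket
    DependsOn: SecurityTeamTopicPolicy   # S3 validates the topic permission on creation
    Properties:
      BucketName: !Sub '${AWS::StackName}-session-logs-${AWS::AccountId}'  # assumed name
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      NotificationConfiguration:
        TopicConfigurations:
          - Event: s3:ObjectCreated:*     # one message per completed session log
            Topic: !Ref SecurityTeamTopic
            Filter:
              S3Key:
                Rules:
                  - Name: prefix
                    Value: sessions/

  # Session Manager reads its preferences from a Session document with this
  # fixed name; setting it here turns on S3 logging for every new session.
  SessionManagerPreferences:
    Type: AWS::SSM::Document
    Properties:
      Name: SSM-SessionManagerRunShell
      DocumentType: Session
      Content:
        schemaVersion: '1.0'
        description: Session Manager preferences with S3 session logging
        sessionType: Standard_Stream
        inputs:
          s3BucketName: !Ref SessionLogBucket
          s3KeyPrefix: sessions
          s3EncryptionEnabled: true
          idleSessionTimeout: '20'
          runAsEnabled: false
```

Attach the InstanceProfile to the Auto Scaling group's launch template and the instances register with Systems Manager over the existing VPC endpoints with no internet route. Two points to check when adapting this: the bucket name is derived from the stack name and must be lowercase and globally unique, and the session log is uploaded by the agent at session end through the S3 gateway endpoint, so the endpoint policy must permit PutObject to this bucket or the upload (and therefore the notification) will silently fail.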

Comments

Oleg_gol
Highly Voted 2 years, 5 months ago
Selected Answer: D
I agree
upvoted 5 times
YR4591
Most Recent 1 year, 8 months ago
Selected Answer: C
D is incorrect. You can't use Config to configure SCP.
upvoted 2 times
vn_thanhtung
1 year, 1 month ago
The correct answer is C: https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html
upvoted 1 times
easytoo
2 years, 2 months ago
I think it's C guys.
upvoted 1 times
daheck
2 years, 2 months ago
Selected Answer: C
D is incorrect because AWS Config cannot configure resources
upvoted 2 times
Eah1
2 years, 4 months ago
Selected Answer: C
C seems correct
upvoted 1 times
LoveToronto
2 years, 4 months ago
Selected Answer: D
I agree
upvoted 3 times
Mark1000
2 years, 4 months ago
The role does not exist; it is a policy, as has been said. Moreover, the statement talks about organisations, and answer C does not reflect any such relationship, while D does. That and the platform indicate D, so I will choose D (I do not assure that it is not C, but I mark D).
upvoted 3 times
Piccaso
2 years, 4 months ago
Selected Answer: D
Agree with DerekKey, AmazonSSMManagedInstanceCore is an IAM policy, not a role. AWS Systems Manager Automation is a tool we need.
upvoted 3 times
vn_thanhtung
1 year, 1 month ago
https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html Please check the documentation before commenting.
upvoted 1 times
Bulti
2 years, 5 months ago
Selected Answer: C
Answer is C. D is incorrect because AWS Config cannot configure resources; it can only define rules that the resources should comply with. Therefore the answer is C. Even if AmazonSSMManagedInstanceCore is a managed policy and not an IAM role, I will go with C, because this policy is to be attached to an IAM role for EC2 to access Systems Manager.
upvoted 2 times
saeidp
2 years, 5 months ago
Selected Answer: C
C for me. D seems wrong: using AWS Config to attach an SCP to the root organization is wrong; you don't need AWS Config to apply an SCP to the root or OUs. An SCP allow doesn't provide the necessary permissions for EC2 to access SSM. SCPs are designed to limit accounts' access to resources; otherwise, by default, the root enables access for all accounts.
upvoted 3 times
ericzaj
2 years, 5 months ago
Selected Answer: C
D seems misleading. Can't find documentation of using AWS Config to attach an SCP. "Configure AWS Config to attach an SCP to the root organization account". Wouldn't you do this in AWS Organizations?
upvoted 2 times
DerekKey
2 years, 5 months ago
AmazonSSMManagedInstanceCore is the IAM policy, not a role - C is wrong
upvoted 3 times
Dimidrol
2 years, 5 months ago
Selected Answer: C
C for me
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other