exam questions

Exam AWS Certified Security - Specialty SCS-C02 All Questions

View all questions & answers for the AWS Certified Security - Specialty SCS-C02 exam

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 4 discussion

A company has an organization in AWS Organizations. The company wants to use AWS CloudFormation StackSets in the organization to deploy various AWS design patterns into environments. These patterns consist of Amazon EC2 instances, Elastic Load Balancing (ELB) load balancers, Amazon RDS databases, and Amazon Elastic Kubernetes Service (Amazon EKS) clusters or Amazon Elastic Container Service (Amazon ECS) clusters.
Currently, the company’s developers can create their own CloudFormation stacks to increase the overall speed of delivery. A centralized CI/CD pipeline in a shared services AWS account deploys each CloudFormation stack.
The company's security team has already provided requirements for each service in accordance with internal standards. If there are any resources that do not comply with the internal standards, the security team must receive notification to take appropriate action. The security team must implement a notification solution that gives developers the ability to maintain the same overall delivery speed that they currently have.
Which solution will meet these requirements in the MOST operationally efficient way?

  • A. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team's email addresses to the SNS topic. Create a custom AWS Lambda function that will run the aws cloudformation validate-template AWS CLI command on all CloudFormation templates before the build stage in the CI/CD pipeline. Configure the CI/CD pipeline to publish a notification to the SNS topic if any issues are found.
  • B. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team's email addresses to the SNS topic. Create custom rules in CloudFormation Guard for each resource configuration. In the CI/CD pipeline, before the build stage, configure a Docker image to run the cfn-guard command on the CloudFormation template. Configure the CI/CD pipeline to publish a notification to the SNS topic if any issues are found.
  • C. Create an Amazon Simple Notification Service (Amazon SNS) topic and an Amazon Simple Queue Service (Amazon SQS) queue. Subscribe the security team's email addresses to the SNS topic. Create an Amazon S3 bucket in the shared services AWS account. Include an event notification to publish to the SQS queue when new objects are added to the S3 bucket. Require the developers to put their CloudFormation templates in the S3 bucket. Launch EC2 instances that automatically scale based on the SQS queue depth. Configure the EC2 instances to use CloudFormation Guard to scan the templates and deploy the templates if there are no issues. Configure the CI/CD pipeline to publish a notification to the SNS topic if any issues are found.
  • D. Create a centralized CloudFormation stack set that includes a standard set of resources that the developers can deploy in each AWS account. Configure each CloudFormation template to meet the security requirements. For any new resources or configurations, update the CloudFormation template and send the template to the security team for review. When the review is completed, add the new CloudFormation stack to the repository for the developers to use.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
ET1857
2 months, 2 weeks ago
Selected Answer: A
because of line "configure a Docker image to run the cfn-guard command on the CloudFormation template." Option B should not be considered because its not a optimal solution
upvoted 3 times
...
hro
8 months, 2 weeks ago
The answer is A. What does docker have to do with the question? Furthermore, you can validate a template with validate-template - no need for cloudformation guard.
upvoted 1 times
DeaconStJohn
1 month, 1 week ago
the question is asking about code compliance and governance, cfn validate-template will check the template for valid JSON, this isnt the end goal in this scenario. Guard is an open source tool that uses both detective and preventative measures to enforce compliance on the code.
upvoted 1 times
...
DeaconStJohn
1 month, 1 week ago
I believe docker is being used as a distractor, its no less efficient. one line of code will pull the image and run the CFN Guard command, so operational efficiency is the same however the tool itself is more aligned with expected outcome in this scenario.
upvoted 1 times
...
...
Raphaello
10 months ago
Selected Answer: B
You may use a lambda function to validate the syntax and semantics of CloudFormation templates. But when it comes to validate to a compliance policy, CloudFormation Guard makes more sense. Option B is correct.
upvoted 2 times
...
Raphaello
11 months, 4 weeks ago
Command "aws cloudformation validate-template" checks only the syntax of cfn template. I'd go with answer B, CloudFormation Guard, as it evaluates and validates cfn templates.
upvoted 1 times
...
Aamee
1 year ago
Selected Answer: B
Def. going with B as it doesn't ask to improve the delivery speed. Had that been the case then probably would have gone with option A IMO.
upvoted 1 times
...
Christina666
1 year ago
Selected Answer: B
BBB The ask is to send notification and not affecting current delivery speed. So only need to add a validation step to send SNS
upvoted 1 times
...
Daniel76
1 year ago
Selected Answer: A
Option A likely is utilizing cfn-guard as well but by Lambda/cli command, instead of creating custom rules for each resource config.More operationally efficient than B.
upvoted 1 times
...
lalee2
1 year, 1 month ago
Selected Answer: B
CloudFormation Guard and SNS
upvoted 2 times
...
pupsik
1 year, 1 month ago
Selected Answer: B
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/best-practices.html#:~:text=Validate%20templates%20for,non%2Dcompliant%20resources.
upvoted 3 times
...
leoaquinods
1 year, 1 month ago
Selected Answer: A
most operationally efficient
upvoted 1 times
...
KR693
1 year, 1 month ago
Option B. The aws cloudformation validate-template command is designed to check only the syntax of your template. Using Guard, you can write policy rules to validate any JSON- or YAML-formatted structured data against, including but not limited to AWS CloudFormation templates. Guard supports the entire spectrum of end-to-end evaluation of policy checks
upvoted 3 times
...
100fold
1 year, 1 month ago
Answer A. Most operationally efficient
upvoted 1 times
100fold
1 year ago
Answer B. My original selection
upvoted 1 times
...
...
Lunga778
1 year, 1 month ago
answerer is A
upvoted 2 times
...
100fold
1 year, 1 month ago
Selected Answer: B
Answer B. You can use cfn-guard automatically as part of a CI/CD pipeline to stop deployment of non-compliant resources. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/best-practices.html
upvoted 3 times
100fold
1 year, 1 month ago
Changed to answer A
upvoted 1 times
100fold
1 year ago
Original selection B
upvoted 1 times
...
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...