Exam AWS Certified DevOps Engineer - Professional DOP-C02 All Questions

Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 153 discussion

A security team is concerned that a developer can unintentionally attach an Elastic IP address to an Amazon EC2 instance in production. No developer should be allowed to attach an Elastic IP address to an instance. The security team must be notified if any production server has an Elastic IP address at any time.

How can this task be automated?

  • A. Use Amazon Athena to query AWS CloudTrail logs to check for any associate-address attempts. Create an AWS Lambda function to disassociate the Elastic IP address from the instance, and alert the security team.
  • B. Attach an IAM policy to the developers' IAM group to deny associate-address permissions. Create a custom AWS Config rule to check whether an Elastic IP address is associated with any instance tagged as production, and alert the security team.
  • C. Ensure that all IAM groups associated with developers do not have associate-address permissions. Create a scheduled AWS Lambda function to check whether an Elastic IP address is associated with any instance tagged as production, and alert the security team if an instance has an Elastic IP address associated with it.
  • D. Create an AWS Config rule to check that all production instances have EC2 IAM roles that include deny associate-address permissions. Verify whether there is an Elastic IP address associated with any instance, and alert the security team if an instance has an Elastic IP address associated with it.
Suggested Answer: B
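The custom AWS Config rule from option B, written out as an added example (not the exam's or any commenter's code): a change-triggered Lambda that evaluates each AWS::EC2::Instance configuration item, reports a production-tagged instance NON_COMPLIANT when one of its ENIs carries an account-owned public IP (that is, an Elastic IP rather than an auto-assigned address), and NOT_APPLICABLE otherwise. The Environment=production tag convention, the sample item and the account/instance IDs in it are assumptions; notifying the security team would be wired from the rule's compliance-change event (EventBridge to SNS) and is not shown.

```python
import json

# Assumed tagging convention (not from the page): production instances
# carry the tag Environment=production.
PROD_TAG_KEY, PROD_TAG_VALUE = "Environment", "production"

def is_production(item):
    """True if the Config configuration item carries the production tag."""
    return (item.get("tags") or {}).get(PROD_TAG_KEY, "").lower() == PROD_TAG_VALUE

def elastic_ips(item):
    """Public IPs on the instance's ENIs that are Elastic IPs: EC2 reports an
    auto-assigned public IPv4 with ipOwnerId "amazon", an EIP with the account ID."""
    found = []
    for eni in item.get("configuration", {}).get("networkInterfaces", []):
        assoc = eni.get("association") or {}
        if assoc.get("publicIp") and assoc.get("ipOwnerId") != "amazon":
            found.append(assoc["publicIp"])
    return found

def evaluate(item):
    """Build the put_evaluations entry for one configuration item."""
    if item.get("resourceType") != "AWS::EC2::Instance":
        compliance, note = "NOT_APPLICABLE", "rule evaluates EC2 instances only"
    elif not is_production(item):
        compliance, note = "NOT_APPLICABLE", "instance is not tagged as production"
    elif eips := elastic_ips(item):
        compliance, note = "NON_COMPLIANT", "Elastic IP attached: " + ", ".join(eips)
    else:
        compliance, note = "COMPLIANT", "no Elastic IP associated"
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

def lambda_handler(event, context):
    """Change-triggered custom Config rule entry point (boto3 is in the Lambda runtime)."""
    import boto3
    item = json.loads(event["invokingEvent"])["configurationItem"]
    boto3.client("config").put_evaluations(Evaluations=[evaluate(item)], ResultToken=event["resultToken"])

# Constructed sample (not a real resource): production instance whose ENI has an account-owned public IP, i.e. an EIP.
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::Instance", "resourceId": "i-0123456789abcdef0",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "tags": {"Environment": "production"},
    "configuration": {"networkInterfaces": [{"association": {"ipOwnerId": "111122223333", "publicIp": "203.0.113.10"}}]},
}
```

The deny statement in the developers' IAM policy (option B's first half) is still the preventive control; this rule is the detective half, and it stays silent for instances that are not tagged as production.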

Comments

thanhnv142
Highly Voted 1 year, 2 months ago
Selected Answer: B
B is correct: <Attach an IAM policy to the developers' IAM group to deny associate-address permissions>: means we can deny all address-associate attempts.
A: AWS CloudTrail logs are used for monitoring users' actions. Though it would reveal associate-address attempts, it would not trigger AWS Lambda to disassociate the IPs.
C: <Ensure that all IAM groups associated with developers do not have associate-address permissions>: This is unnecessary and can be done more easily with option B.
D: <check that all production instances have EC2 IAM roles>: We don't need to check the role of the EC2, we need to handle the role of developers.
Summary: D is irrelevant, while A and C, though they can achieve the requirements, consume more effort and resources.
upvoted 7 times
zijo
Most Recent 3 months, 3 weeks ago
Selected Answer: B
AWS Config provides the eip-attached managed rule to evaluate whether all allocated Elastic IPs are associated with a resource.
upvoted 1 times
Gomer
10 months ago
For what it's worth:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:AssociateAddress",
        "ec2:DisassociateAddress"
      ],
      "Effect": "Deny",
      "Resource": "*"
    }
  ]
}
upvoted 2 times
dkp
1 year ago
Selected Answer: B
answer B
upvoted 3 times
a54b16f
1 year, 3 months ago
Selected Answer: B
so easy, almost copy/paste from the two requirements listed inside the question
upvoted 3 times
csG13
1 year, 3 months ago
Selected Answer: B
It's B, the only one that meets the question criteria.
upvoted 4 times
PrasannaBalaji
1 year, 3 months ago
Selected Answer: B
B is correct
upvoted 3 times
...
Community vote distribution: A (35%), C (25%), B (20%), Other