Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 220 discussion

A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company needs an automated process across all AWS accounts to isolate any compromised Amazon EC2 instances when the instances receive a specific tag.

Which combination of steps will meet these requirements? (Choose two.)

  • A. Use AWS CloudFormation StackSets to deploy the CloudFormation stacks in all AWS accounts.
  • B. Create an SCP that has a Deny statement for the ec2:* action with a condition of "aws:RequestTag/isolation": false.
  • C. Attach the SCP to the root of the organization.
  • D. Create an AWS CloudFormation template that creates an EC2 instance role that has no IAM policies attached. Configure the template to have a security group that has an explicit Deny rule on all traffic. Use the CloudFormation template to create an AWS Lambda function that attaches the IAM role to instances. Configure the Lambda function to add a network ACL. Set up an Amazon EventBridge rule to invoke the Lambda function when a specific tag is applied to a compromised EC2 instance.
  • E. Create an AWS CloudFormation template that creates an EC2 instance role that has no IAM policies attached. Configure the template to have a security group that has no inbound rules or outbound rules. Use the CloudFormation template to create an AWS Lambda function that attaches the IAM role to instances. Configure the Lambda function to replace any existing security groups with the new security group. Set up an Amazon EventBridge rule to invoke the Lambda function when a specific tag is applied to a compromised EC2 instance.
Suggested Answer: AE
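The A + E design (EventBridge rule on a tag change, Lambda swaps every security group for an empty one and attaches a no-policy role) is what the suggested answer leaves to the reader. The following is an added Python example, not code from the page, the exam vendor or AWS. It assumes the tag key is `isolation` with value `true`, that the empty-rule security group ID and the no-policy instance profile ARN arrive via the environment variables `ISOLATION_SG_ID` and `ISOLATION_PROFILE_ARN`, and that the rule subscribes to the `aws.tag` "Tag Change on Resource" event. The boto3 client is injectable, so the handler is exercised here against a constructed fake that records calls; every instance ID, ENI ID and ARN below is made up.

```python
"""Tag-driven EC2 network isolation (added example; not from the page or from AWS)."""
import os

TAG_KEY = "isolation"   # assumed tag key
TAG_VALUE = "true"      # assumed tag value that triggers isolation

# EventBridge event pattern for the rule that invokes the Lambda function.
EVENT_PATTERN = {
    "source": ["aws.tag"],
    "detail-type": ["Tag Change on Resource"],
    "detail": {"service": ["ec2"], "resource-type": ["instance"],
               "changed-tag-keys": [TAG_KEY]},
}


def instance_ids_from_event(event):
    """Return the instance IDs in the event whose current tag is isolation=true."""
    tags = event.get("detail", {}).get("tags", {})
    if str(tags.get(TAG_KEY, "")).lower() != TAG_VALUE:
        return []  # tag removed or set to another value: nothing to isolate
    ids = []
    for arn in event.get("resources", []):
        # ARN form: arn:aws:ec2:<region>:<account>:instance/<instance-id>
        resource = arn.rsplit(":", 1)[-1]
        if resource.startswith("instance/"):
            ids.append(resource.split("/", 1)[1])
    return ids


def isolate_instance(ec2, instance_id, isolation_sg_id, profile_arn):
    """Replace all security groups on every ENI with the isolation group and
    swap the instance profile for the no-policy role. Returns a summary dict."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    enis = [ni["NetworkInterfaceId"] for ni in inst.get("NetworkInterfaces", [])]
    # modify_instance_attribute(Groups=...) only touches the primary ENI, so each
    # interface is updated on its own; otherwise a second ENI stays reachable.
    for eni in enis:
        ec2.modify_network_interface_attribute(NetworkInterfaceId=eni, Groups=[isolation_sg_id])
    assoc = ec2.describe_iam_instance_profile_associations(
        Filters=[{"Name": "instance-id", "Values": [instance_id]},
                 {"Name": "state", "Values": ["associated"]}],
    )["IamInstanceProfileAssociations"]
    if assoc:
        # An instance holds at most one profile: replace, do not associate twice.
        ec2.replace_iam_instance_profile_association(
            IamInstanceProfile={"Arn": profile_arn}, AssociationId=assoc[0]["AssociationId"])
    else:
        ec2.associate_iam_instance_profile(
            IamInstanceProfile={"Arn": profile_arn}, InstanceId=instance_id)
    return {"instance": instance_id, "enis": enis, "profile_replaced": bool(assoc)}


def lambda_handler(event, context, ec2=None):
    """Lambda entry point; `ec2` is injectable so the logic can run offline."""
    if ec2 is None:
        import boto3  # only needed inside Lambda
        ec2 = boto3.client("ec2")
    sg, profile = os.environ["ISOLATION_SG_ID"], os.environ["ISOLATION_PROFILE_ARN"]
    return [isolate_instance(ec2, i, sg, profile) for i in instance_ids_from_event(event)]


class FakeEC2:
    """Constructed stand-in for the boto3 EC2 client that records the calls made."""
    def __init__(self, enis, has_profile):
        self.enis, self.has_profile, self.calls = enis, has_profile, []

    def describe_instances(self, **kw):
        nis = [{"NetworkInterfaceId": e} for e in self.enis]
        return {"Reservations": [{"Instances": [{"NetworkInterfaces": nis}]}]}

    def modify_network_interface_attribute(self, **kw):
        self.calls.append(("sg", kw["NetworkInterfaceId"], tuple(kw["Groups"])))

    def describe_iam_instance_profile_associations(self, **kw):
        assoc = [{"AssociationId": "iip-assoc-constructed"}] if self.has_profile else []
        return {"IamInstanceProfileAssociations": assoc}

    def replace_iam_instance_profile_association(self, **kw):
        self.calls.append(("profile-replace", kw["IamInstanceProfile"]["Arn"]))

    def associate_iam_instance_profile(self, **kw):
        self.calls.append(("profile-associate", kw["IamInstanceProfile"]["Arn"]))


# Constructed "Tag Change on Resource" event; IDs and tag values are made up.
SAMPLE_EVENT = {
    "source": "aws.tag", "detail-type": "Tag Change on Resource",
    "resources": ["arn:aws:ec2:us-east-1:111122223333:instance/i-0abc123def4567890"],
    "detail": {"service": "ec2", "resource-type": "instance",
               "changed-tag-keys": [TAG_KEY], "tags": {TAG_KEY: "true", "Name": "web-01"}},
}


def demo():
    """Run the handler against the fake client; returns (summaries, recorded calls)."""
    os.environ["ISOLATION_SG_ID"] = "sg-isolation-placeholder"
    os.environ["ISOLATION_PROFILE_ARN"] = "arn:aws:iam::111122223333:instance-profile/isolation-placeholder"
    fake = FakeEC2(enis=["eni-aaa", "eni-bbb"], has_profile=True)
    return lambda_handler(SAMPLE_EVENT, None, ec2=fake), fake.calls
```

Because the handler acts on the tag's current value rather than on the mere presence of a change, removing the tag or setting it to another value is a no-op; a practitioner would pair this with a CloudWatch alarm on Lambda errors, since a failed `modify_network_interface_attribute` leaves the instance reachable.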

Comments

Jay_2pt0_1
Highly Voted 11 months, 2 weeks ago
Selected Answer: AE
What a weirdly worded question. I tend to agree with A & E. We need to isolate an EC2 that has a certain tag.
upvoted 6 times
Jordarlu
Most Recent 6 months, 3 weeks ago
Selected Answer: AE
B + C means no actions allowed on the tagged EC2 for all accounts in Organizations, but the asking was the needs of the isolation (implying the network isolation) on the tagged EC2; hence, A + E is a good option here.
upvoted 2 times
[Removed]
8 months, 1 week ago
Selected Answer: AE
vote for AE
upvoted 2 times
jamesf
9 months ago
Selected Answer: AE
I go for AE; isolating the instance should mean blocking traffic.
upvoted 3 times
trungtd
9 months, 3 weeks ago
Selected Answer: AE
This CloudFormation template creates the necessary resources:
  • An EC2 instance role with no IAM policies, ensuring the instance cannot perform any actions.
  • A security group with no inbound or outbound rules, effectively isolating the instance from all network traffic.
  • A Lambda function that will be triggered by an EventBridge rule when a specific tag is applied to an EC2 instance. This function will attach the isolated security group to the compromised instance, ensuring it is isolated from any network communication.
Combining these steps will provide an automated and consistent approach to isolate compromised EC2 instances across all AWS accounts in the organization.
upvoted 4 times
xdkonorek2
10 months, 1 week ago
Selected Answer: AE
BD is wrong; isolating the instance doesn't mean "don't touch it" with AWS actions but to block traffic from and to it.
upvoted 3 times
seetpt
12 months ago
Selected Answer: BC
BC for me
upvoted 1 times
vn_thanhtung
11 months, 1 week ago
So funny, how to isolate incoming traffic? B, C means deny action with EC2.
upvoted 3 times
vn_thanhtung
11 months, 1 week ago
Answer is A, E
upvoted 2 times
seetpt
12 months ago
Selected Answer: BC
BC for me
upvoted 1 times
dkp
1 year ago
Selected Answer: AE
I'll go with AE
upvoted 4 times
Ola2234
1 year ago
CE for me. Option D is wrong because we cannot use a Security Group for an explicit deny rule. Option B is quite misleading with the resourceTagIsolation set to False instead of True.
upvoted 1 times
fdoxxx
1 year ago
Selected Answer: BC
In my opinion it could not be AE because we would need a mechanism to apply this template to the right EC2. I would vote for BC.
upvoted 3 times
chinchin97
8 months ago
BC does not automate the isolation of the instance. What it does is a preventive measure that stops the EC2 from performing actions, but ultimately, it is still connected. You will need security groups to cut off access to and from the compromised EC2 instance. To have a complete solution, AE automates isolation based on tagging and deploys it to all EC2 instances, BC prevents any action by the EC2 using an SCP. For this specific question, it is asking for the automation to isolate the EC2 instance, so AE is the correct choice.
upvoted 1 times
ogerber
1 year, 1 month ago
Selected Answer: AE
A,E for me
upvoted 4 times
MalonJay
11 months, 3 weeks ago
AE. The question says isolate. What does isolate mean? Prevent outgoing and incoming traffic.
upvoted 3 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other