DevOps Engineer Professional (Page 33)

A company’s application development team uses Linux-based Amazon EC2 instances as bastion hosts.Inbound SSH access to the bastion hosts is restricted to specific IP addresses, as defined in the associated security groups.The company’s security team wants to receive a notification if the security group rules are modified to allow SSH access from any IP address.What should a DevOps engineer do to meet this requirement?Read More →

A company requires its internal business teams to launch resources through pre-approved AWS CloudFormation templates only.The security team requires automated monitoring when resources drift from their expected state.Which strategy should be used to meet these requirements?Read More →

A company must encrypt all AMIs that the company shares across accounts.A DevOps engineer has access to a source account where an unencrypted custom AMI has been built.The DevOps engineer also has access to a target account where an Amazon EC2 Auto Scaling group will launch EC2 instances from the AMI.The DevOps engineer must share the AMI with the target account.The company has created an AWS Key Management Service (AWS KMS) key in the source account.Which additional steps should the DevOps engineer perform to meet the requirements? (Choose three.)Read More →

A company is launching an application that stores raw data in an Amazon S3 bucket.Three applications need to access the data to generate reports.The data must be redacted differently for each application before the applications can access the data.Which solution will meet these requirements?Read More →

A company manually provisions IAM access for its employees.The company wants to replace the manual process with an automated process.The company has an existing Active Directory system configured with an external SAML 2.0 identity provider (IdP).The company wants employees to use their existing corporate credentials to access AWS.The groups from the existing Active Directory system must be available for permission management in AWS Identity and Access Management (IAM).A DevOps engineer has completed the initial configuration of AWS IAM Identity Center (AWS Single Sign-On) in the company’s AWS account.What should the DevOps engineer do next to meet the requirements?Read More →

A company has a legacy application.A DevOps engineer needs to automate the process of building the deployable artifact for the legacy application.The solution must store the deployable artifact in an existing Amazon S3 bucket for future deployments to reference.Which solution will meet these requirements in the MOST operationally efficient way?Read More →

A global company manages multiple AWS accounts by using AWS Control Tower.The company hosts internal applications and public applications.Each application team in the company has its own AWS account for application hosting.The accounts are consolidated in an organization in AWS Organizations.One of the AWS Control Tower member accounts serves as a centralized DevOps account with CI/CD pipelines that application teams use to deploy applications to their respective target AWS accounts.An IAM role for deployment exists in the centralized DevOps account.An application team is attempting to deploy its application to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster in an application AWS account.An IAM role for deployment exists in the application AWS account.The deployment is through an AWS CodeBuild project that is set up in the centralized DevOps account.The CodeBuild project uses an IAM service role for CodeBuild.The deployment is failing with an Unauthorized error during attempts to connect to the cross-account EKS cluster from CodeBuild.Which solution will resolve this error?Read More →

A company has a data ingestion application that runs across multiple AWS accounts.The accounts are in an organization in AWS Organizations.The company needs to monitor the application and consolidate access to the application.Currently, the company is running the application on Amazon EC2 instances from several Auto Scaling groups.The EC2 instances have no access to the internet because the data is sensitive.Engineers have deployed the necessary VPC endpoints.The EC2 instances run a custom AMI that is built specifically for the application.To maintain and troubleshoot the application, system administrators need the ability to log in to the EC2 instances.This access must be automated and controlled centrally.The company’s security team must receive a notification whenever the instances are accessed.Which solution will meet these requirements?Read More →

A company manages an application that stores logs in Amazon CloudWatch Logs.The company wants to archive the logs to an Amazon S3 bucket.Logs are rarely accessed after 90 days and must be retained for 10 years.Which combination of steps should a DevOps engineer take to meet these requirements? (Choose two.)Read More →

A company is hosting a static website from an Amazon S3 bucket.The website is available to customers at example.com.The company uses an Amazon Route 53 weighted routing policy with a TTL of 1 day.The company has decided to replace the existing static website with a dynamic web application.The dynamic web application uses an Application Load Balancer (ALB) in front of a fleet of Amazon EC2 instances.On the day of production launch to customers, the company creates an additional Route 53 weighted DNS record entry that points to the ALB with a weight of 255 and a TTL of 1 hour.Two days later, a DevOps engineer notices that the previous static website is displayed sometimes when customers navigate to example.com.How can the DevOps engineer ensure that the company serves only dynamic content for example.com?Read More →