DOP-C01 : AWS DevOps Engineer Professional : Part 26

  1. Using the AWS CLI, which command would you use to change the configuration settings for a CloudTrail trail?

    • modify-trail
    • change-trail
    • update-trail
    • set-trail
    Explanation:

    The update-trail command is used to change the configuration settings for a trail. You can only run update-trail command from the region in which the trail was created.

  2. As CloudTrail sends a notification each time a log file is written to the Amazon S3 bucket, an account that is very active can generate a large number of notifications. If you subscribe using email or SMS, you may end up receiving a large volume of messages. Which of the following should you use to handle notifications programmatically?

    • Amazon Kinesis Firehose
    • Amazon Simple Queue Service (Amazon SQS)
    • Amazon Simple Email Service (Amazon SES)
    • Amazon Simple Email Service (Amazon SES)
    Explanation:

    As CloudTrail sends a notification each time a log file is written to the Amazon S3 bucket, an account that’s very active can generate a large number of notifications. If you subscribe using email or SMS, you can end up receiving more messages than you can handle. AWS recommends that you subscribe using Amazon Simple Queue Service (Amazon SQS), which lets you handle notifications programmatically.
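The "programmatic handling" the answer recommends looks like this in practice. The following is an added example, not code from the original page or from AWS: a queue consumer takes an SQS message body, unwraps the SNS envelope if present, rejects notifications that did not come from the expected topic, and returns the CloudTrail log objects to fetch. The topic ARN, bucket name and object keys are constructed sample data.

```python
import json

# Added example, not from the original page: consume CloudTrail "log file delivered"
# notifications that SNS has fanned out to an SQS queue. The topic ARN, bucket
# and object keys below are constructed sample data.

EXPECTED_TOPIC = "arn:aws:sns:us-east-1:123456789012:cloudtrail-notifications"

# An SQS message body as delivered by an SNS subscription without raw message
# delivery: the SNS envelope wraps the CloudTrail notification as a JSON string.
SAMPLE_ENVELOPE = json.dumps({
    "Type": "Notification",
    "MessageId": "11111111-2222-3333-4444-555555555555",
    "TopicArn": EXPECTED_TOPIC,
    "Message": json.dumps({
        "s3Bucket": "example-cloudtrail-logs",
        "s3ObjectKey": [
            "AWSLogs/123456789012/CloudTrail/us-east-1/2024/01/01/"
            "123456789012_CloudTrail_us-east-1_20240101T0000Z_abcdef.json.gz",
            "AWSLogs/123456789012/CloudTrail-Digest/us-east-1/2024/01/01/"
            "123456789012_CloudTrail-Digest_us-east-1_20240101T000000Z.json.gz",
        ],
    }),
})

# The same kind of notification when raw message delivery is enabled on the
# subscription: the body is the CloudTrail JSON itself, with no envelope.
SAMPLE_RAW = json.dumps({
    "s3Bucket": "example-cloudtrail-logs",
    "s3ObjectKey": ["AWSLogs/123456789012/CloudTrail/us-east-1/2024/01/01/x.json.gz"],
})


def parse_notification(body, expected_topic=EXPECTED_TOPIC):
    """Return (bucket, [keys]) from an SQS message body, or raise ValueError.

    Handles both the SNS envelope and raw delivery. Enveloped messages are
    accepted only from the expected topic: anyone able to send to the queue
    could otherwise inject a notification pointing at a bucket they control.
    """
    data = json.loads(body)
    if "Type" in data:
        if data.get("TopicArn") != expected_topic:
            raise ValueError("notification from unexpected topic: %r" % data.get("TopicArn"))
        if data["Type"] != "Notification":
            raise ValueError("not a Notification: %r" % data["Type"])
        data = json.loads(data["Message"])
    bucket = data.get("s3Bucket")
    keys = data.get("s3ObjectKey")
    if not isinstance(bucket, str) or not isinstance(keys, list):
        raise ValueError("malformed CloudTrail notification")
    return bucket, keys


def log_keys_only(keys):
    """Drop digest files: they validate the logs but contain no API events."""
    return [k for k in keys if "/CloudTrail-Digest/" not in k]


def handle_message(body):
    """Per-message work of a queue consumer: the (bucket, key) pairs to download."""
    bucket, keys = parse_notification(body)
    return [(bucket, k) for k in log_keys_only(keys)]


if __name__ == "__main__":
    for body in (SAMPLE_ENVELOPE, SAMPLE_RAW):
        for bucket, key in handle_message(body):
            print("fetch s3://%s/%s" % (bucket, key))
```

The topic check is sufficient when the queue policy only lets that topic call sqs:SendMessage (a condition on aws:SourceArn); if the queue is writable more widely, verify the SNS signature carried in the Signature and SigningCertURL fields as well before trusting the message.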

  3. Within an IAM policy, can you add an IfExists condition at the end of a Null condition?

    • Yes, you can add an IfExists condition at the end of a Null condition but not in all Regions.
    • Yes, you can add an IfExists condition at the end of a Null condition depending on the condition.
    • No, you cannot add an IfExists condition at the end of a Null condition.
    • Yes, you can add an IfExists condition at the end of a Null condition.
    Explanation:

    Within an IAM policy, IfExists can be appended to any condition operator except Null. It tells IAM to perform the comparison only when the key is present in the request context and to treat the condition as true when the key is absent. Null already tests for the presence or absence of a key, so the suffix has no meaning there. Because a missing key makes an ...IfExists condition succeed, use the suffix only where that is the intended outcome; conversely, a Deny statement written with Bool rather than BoolIfExists on aws:MultiFactorAuthPresent never matches requests that carry no such key at all.

  4. You are hosting multiple environments in multiple regions and would like to use Amazon Inspector for regular security assessments on your AWS resources across all regions. Which statement about Amazon Inspector’s operation across regions is true?

    • Amazon Inspector is a global service that is not region-bound. You can include AWS resources from multiple regions in the same assessment target.
    • Amazon Inspector is hosted within AWS regions behind a public endpoint. All regions are isolated from each other, and the telemetry and findings for all assessments performed within a region remain in that region and are not distributed by the service to other Amazon Inspector locations.
    • Amazon Inspector is hosted in each supported region. Telemetry data and findings are shared across regions to provide complete assessment reports.
    • Amazon Inspector is hosted in each supported region separately. You have to create assessment targets using the same name and tags in each region and Amazon Inspector will run against each assessment target in each region.
    Explanation:

    At the time this question was written, Amazon Inspector (the agent-based service now known as Amazon Inspector Classic) supported assessments of EC2 instances in only the following AWS regions; the list has since grown, but the per-region isolation described below still applies:
    US West (Oregon)
    US East (N. Virginia)
    EU (Ireland)
    Asia Pacific (Seoul)
    Asia Pacific (Mumbai)
    Asia Pacific (Tokyo)
    Asia Pacific (Sydney)
    Amazon Inspector is hosted within AWS regions behind a public endpoint. All regions are isolated from each other, and the telemetry and findings for all assessments performed within a region remain in that region and are not distributed by the service to other Amazon Inspector locations.

  5. To override an allow in an IAM policy, you set the Effect element to ______.

    • Block
    • Stop
    • Deny
    • Allow
    Explanation:

    By default, access to resources is denied. To allow access to a resource, you must set the Effect element to Allow. To override an allow (for example, an allow that is otherwise in force), you set the Effect element to Deny: an explicit Deny in any applicable policy takes precedence over any Allow.

  6. To access the AWS Security Token Service (STS) you can issue calls directly to the AWS STS Query API. This API is a web service interface that accepts ______ requests.

    • PUT
    • HTTPS
    • POST
    • GET
    Explanation:

    The Query API for IAM and AWS STS lets you call service actions. Query API requests are HTTPS requests that must contain an Action parameter to indicate the action to be performed. IAM and AWS STS support GET and POST requests for all actions; that is, the API does not require you to use GET for some actions and POST for others.

  7. A root account has created an IAM group and defined the policy as:

    DOP-C01 AWS DevOps Engineer Professional Part 26 Q07 015

    What will this policy do?

    • Allow this group to view the password policy of all the users added only to that group
    • Allow all the users of IAM to modify their password
    • Allow an IAM user in this group to view the password policy and modify only his/her password
    • Allow this group to view the password policy of all the IAM users
    Explanation:

    This IAM policy grants access to the ChangePassword action, which lets the users use the console, the CLI, or the API to change their passwords. The Resource element uses a policy variable (aws:username), which is useful in policies that are attached to groups. The aws:username key resolves to the name of the current IAM user when a request is made, so each user is allowed to change only his or her own password. Combined with the permission to view the account password policy, the policy therefore lets each user in the group view the password policy and modify only his or her own password; it does not let group members change other users' passwords.
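The points made in questions 3, 5 and 7 (IfExists and Null, explicit Deny overriding Allow, and ${aws:username} scoping) can be checked against a small policy evaluator. The following is an added example and not AWS's evaluation engine: it implements default deny, Deny beating Allow, policy-variable substitution, the Null operator and the ...IfExists suffix for the handful of operators used here. The account id, user names, bucket and request contexts are constructed for illustration.

```python
import fnmatch

# Added example (not AWS's evaluation engine): a toy evaluator for the slice of the
# IAM policy language discussed in questions 3, 5 and 7. The policy, account id,
# user names and request contexts below are constructed for illustration.


def _substitute(value, ctx):
    """Expand ${aws:username}-style policy variables from the request context."""
    for key, val in ctx.items():
        value = value.replace("${" + key + "}", str(val))
    return value


def _condition_holds(op, key, wanted, ctx):
    """Evaluate one condition operator against the request context."""
    if op == "Null":
        # "true" asserts the key is absent, "false" that it is present.
        return (key not in ctx) == (str(wanted).lower() == "true")
    if_exists = op.endswith("IfExists")
    base = op[: -len("IfExists")] if if_exists else op
    if key not in ctx:
        # ...IfExists treats a missing key as a match; a plain operator fails.
        return if_exists
    actual = str(ctx[key])
    wanted = wanted if isinstance(wanted, list) else [wanted]
    if base == "StringEquals":
        return any(actual == str(w) for w in wanted)
    if base == "StringLike":
        return any(fnmatch.fnmatchcase(actual, str(w)) for w in wanted)
    if base == "Bool":
        return actual.lower() == str(wanted[0]).lower()
    raise ValueError("unsupported operator: " + op)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _statement_matches(stmt, action, resource, ctx):
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, _substitute(r, ctx))
               for r in _as_list(stmt["Resource"])):
        return False
    return all(_condition_holds(op, key, wanted, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, wanted in pairs.items())


def evaluate(policy, action, resource, ctx):
    """Return "Allow" or "Deny": default deny, and an explicit Deny beats any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


def mfa_deny(operator):
    """Deny all S3 calls made without MFA, using the given Bool-style operator."""
    return {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
            "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}}


def build_policy(mfa_operator="BoolIfExists"):
    return {
        "Version": "2012-10-17",
        "Statement": [
            # Question 7: each user may change only their own password.
            {"Effect": "Allow", "Action": "iam:GetAccountPasswordPolicy", "Resource": "*"},
            {"Effect": "Allow", "Action": "iam:ChangePassword",
             "Resource": "arn:aws:iam::123456789012:user/${aws:username}"},
            # Question 3: Null with "true" matches requests that carry no token issue
            # time, i.e. long-term access keys rather than a temporary session.
            {"Effect": "Deny", "Action": "iam:*", "Resource": "*",
             "Condition": {"Null": {"aws:TokenIssueTime": "true"}}},
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::example-bucket/*"},
            mfa_deny(mfa_operator),
        ],
    }


USER = "arn:aws:iam::123456789012:user/"
OBJECT = "arn:aws:s3:::example-bucket/report.csv"
SESSION = {"aws:username": "alice", "aws:TokenIssueTime": "2024-01-01T00:00:00Z",
           "aws:MultiFactorAuthPresent": "true"}
NO_MFA = dict(SESSION, **{"aws:MultiFactorAuthPresent": "false"})
ACCESS_KEY = {"aws:username": "alice"}  # long-term key: no token, no MFA key at all

if __name__ == "__main__":
    policy = build_policy()
    print(evaluate(policy, "iam:ChangePassword", USER + "alice", SESSION))     # Allow
    print(evaluate(policy, "iam:ChangePassword", USER + "bob", SESSION))       # Deny
    print(evaluate(policy, "iam:ChangePassword", USER + "alice", ACCESS_KEY))  # Deny
    print(evaluate(policy, "s3:GetObject", OBJECT, NO_MFA))                    # Deny
    # Plain Bool never matches when the key is absent, so this Deny never fires:
    print(evaluate(build_policy("Bool"), "s3:GetObject", OBJECT, ACCESS_KEY))  # Allow
```

The last call is the practical consequence of the IfExists rule: a Deny on aws:MultiFactorAuthPresent written with Bool does not apply to requests signed with long-term access keys, because that key is simply absent from their context; BoolIfExists closes the gap by treating the absent key as a match.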

  8. For Amazon Inspector’s integration with CloudTrail, what information is logged for List* and Describe* APIs?

    • None. Amazon Inspector is an automated service and not monitored by CloudTrail.
    • Both request and response information is logged.
    • Only request information is logged.
    • Request information is always logged. Response information is logged only for Completed assessment runs.
    Explanation:

    For the Amazon Inspector integration with CloudTrail, for the List* and Describe* APIs, only the request information is logged.

  9. A user is defining a policy for the IAM user. Which of the below mentioned elements can be found in an IAM policy?

    • Not Effect
    • Supported Data Types
    • Principal Resource
    • Version Management
    Explanation:

    The IAM policy reference documents the elements a policy can contain: Version, Id, Statement, Sid, Effect, Principal, NotPrincipal, Action, NotAction, Resource, NotResource and Condition, together with the Supported Data Types for the values those elements take. Of the options given, only Supported Data Types appears in that reference; Not Effect, Principal Resource and Version Management are not IAM policy elements.

  10. Which statement is true about configuring proxy support for Amazon Inspector agent on Linux-based systems?

    • Amazon Inspector proxy support on Linux-based systems is achieved through installing a proxy-enabled version of the agent which comes with pre-configured files that you need to edit to match your environment.
    • Amazon Inspector agent does NOT support the use of proxy on Linux-based systems.
    • Amazon Inspector proxy configuration on Linux-based system is included in awsagent.env file under /etc/init.d/
    • Amazon Inspector agent proxy settings on Linux-based systems are configured through WinHTTP proxy.
    Explanation:

    To install an AWS agent on an EC2 instance that uses a proxy server, create a file called awsagent.env and save it in the /etc/init.d/ directory. Edit awsagent.env to include these environment variables in the following format:
    export https_proxy=https://hostname:port
    export http_proxy=http://hostname:port
    export no_proxy=169.254.169.254   # the instance metadata endpoint must bypass the proxy

  11. Some of your EC2 instances are configured to use a Proxy. Can you use Amazon Inspector for regular assessment of instances behind proxy?

    • Only Windows-based systems are supported as Linux-based systems use custom configurations that are not supported by AWS Agent in the current release.
    • Only Linux-based systems are supported, and AWS agent supports HTTPS proxy on these systems.
    • No, AWS Agent does NOT support proxy environments.
    • Yes, AWS Agent supports proxy environments on both Linux-based and Windows-based systems.
    Explanation:

    The AWS agent supports proxy environments. For Linux instances, Inspector supports HTTPS Proxy, and for Windows instances, it supports WinHTTP proxy.

  12. Amazon Inspector agent collects telemetry data during assessment run and sends this data to Amazon Inspector dedicated S3 bucket for analysis. How can you access telemetry data out of Amazon Inspector and how can you benefit from this data in securing your resources?

    • Telemetry data is kept in S3 and encrypted with a pre-assessment test key configured in KMS, as long as you have access to that key you can download and decrypt telemetry data.
    • Telemetry data is stored in Amazon Inspector dedicated S3 bucket that does NOT belong to your account, Amazon Inspector currently does NOT provide an API or an S3 bucket access mechanism to collected telemetry. Data is retained temporarily only to allow for assistance with support requests.
    • Telemetry data is saved on S3 bucket in your account, therefore telemetry data is accessible with proper permissions on that bucket.
    • Telemetry data is deleted immediately after assessment run, therefore data can NOT be accessed or analyzed by any other tools.
    Explanation:

    The telemetry data stored in S3 is retained only to allow for assistance with support requests and is not used or aggregated by Amazon for any other purpose. After 30 days, telemetry data is permanently deleted per a standard Amazon Inspector-dedicated S3 bucket lifecycle policy. At present, Amazon Inspector does not provide an API or an S3 bucket access mechanism to collected telemetry.

  13. A root owner is trying to create IAM users for the various departments. The owner has created groups for each department, but still wants to delineate the users based on the sub-division level, e.g. two users from different sub-departments should be identified separately and have separate permissions. How can the root owner configure this?

    • Create a hierarchy of the IAM users which are separated based on the department
    • Create a nested group
    • Use the paths to separate the users of the same group
    • It is not possible to delineate within a group
    Explanation: The path functionality within an IAM group and user allows them to delineate by further levels. In this case the user needs to use the path with each user or group so that the ARN of the user will look similar to:

    arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/user1
    arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/user2

  14. A user is defining a policy for an IAM user. Which of the below mentioned options is a valid version defined for the policy?

    • "Version": "2014-01-01"
    • "Version": "2011-10-17"
    • "Version": "2013-10-17"
    • "Version": "2012-10-17"
    Explanation:

    When defining an IAM Policy, the version element specifies the policy language version. Only the following values are allowed:
    2012-10-17. This is the current version of the policy language, and the user should use this version number for all the policies.
    2008-10-17. This was an earlier version of the policy language. The user might see this version on the existing policies. Do not use this version for any new policies or any existing policies that are being updated.
    If a version element is not included, the value defaults to 2008-10-17.

  15. Which command will start an assessment run?

    • aws inspector start-assessment-run --assessment-template-arn <template-arn>
    • aws inspector start-assessment-run --assessment-run-name examplerun --assessment-target <target-arn>
    • aws inspector start-assessment-run --assessment-run-name examplerun
    • aws inspector start-assessment-run --assessment-run-name examplerun --assessment-duration <duration-in-seconds>
    Explanation:

    The start-assessment-run command requires --assessment-template-arn; the other parameters are optional:
    start-assessment-run
    --assessment-template-arn <value>
    [--assessment-run-name <value>]
    [--cli-input-json <value>]
    [--generate-cli-skeleton <value>]

  16. Which statement is true about configuring proxy support for Amazon Inspector agent on a Windows-based system?

    • Amazon Inspector agent supports proxy usage on Windows-based systems through the use of the WinHTTP proxy.
    • Amazon Inspector agent supports proxy usage on Linux-based systems but not on Windows.
    • Amazon Inspector proxy support on Windows-based systems is achieved through installing proxy-enabled version of the agent which comes with preconfigured files that you need to edit to match your environment.
    • Amazon Inspector agent supports proxy usage on Windows-based systems through awsagent.env configuration file.
    Explanation:

    Proxy support for AWS agents is achieved through the use of the WinHTTP proxy.

  17. What is the default maximum number of Roles per AWS account?

    • 500
    • 250
    • 100
    • There is no limit.
    Explanation:

    The default maximum number of roles per AWS account is 250. This is a soft quota that can be raised on request, and AWS has since increased the default to 1,000 roles per account, so check the current IAM quotas rather than relying on this figure.

  18. You have an application which consists of EC2 instances in an Auto Scaling group. Between a particular time frame every day, there is an increase in traffic to your website. Hence users are complaining of a poor response time on the application. You have configured your Auto Scaling group to deploy one new EC2 instance when CPU utilization is greater than 60% for 2 consecutive periods of 5 minutes.

    What is the least cost-effective way to resolve this problem?

    • Decrease the consecutive number of collection periods
    • Increase the minimum number of instances in the Auto Scaling group
    • Decrease the collection period to ten minutes
    • Decrease the threshold CPU utilization percentage at which to deploy a new instance
    Explanation:

    If you increase the minimum number of instances, the extra instances run around the clock, including the hours when load is low, so you pay for capacity you do not need. The remaining options all tune the alarm or scaling policy so that capacity is added sooner when load rises and released again afterwards, which is the cost-effective way to handle a predictable daily peak.

  19. You have decided that you need to change the instance type of your production instances which are running as part of an Auto Scaling group. The entire architecture is deployed using a CloudFormation template. You currently have 4 instances in production. You cannot have any interruption in service and need to ensure 2 instances are always running during the update. Which of the options listed below can be used for this?

    • AutoScalingRollingUpdate
    • AutoScalingScheduledAction
    • AutoScalingReplacingUpdate
    • AutoScalingIntegrationUpdate
    Explanation:

    The AWS::AutoScaling::AutoScalingGroup resource supports an UpdatePolicy attribute, which defines how CloudFormation updates the Auto Scaling group when the stack is updated. A common approach is a rolling update, specified with the AutoScalingRollingUpdate policy: CloudFormation keeps the same Auto Scaling group and replaces old instances with new ones in batches according to the parameters given. For this scenario, MinInstancesInService set to 2 keeps at least two of the four instances serving traffic while the others are replaced, and MaxBatchSize bounds how many are replaced at once. AutoScalingReplacingUpdate would instead create a whole new group, and AutoScalingScheduledAction only governs how size properties are handled when the group has an associated scheduled action.
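An added example of the rolling update described above, written for this page rather than taken from it or from an AWS sample: changing the InstanceType parameter and updating the stack replaces the launch configuration, which triggers the rolling update of the group with two of the four instances always in service. The AMI id, the SubnetIds parameter, the signal timeout and the suspended processes are assumptions.

```yaml
# Added example, not from the original page or an AWS template. Values marked
# "assumed" are placeholders to be replaced with your own.
Parameters:
  InstanceType:
    Type: String
    Default: t3.large        # change this and update the stack to trigger the rolling update
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>

Resources:
  WebServerLaunchConfig:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      ImageId: ami-0123456789abcdef0   # assumed placeholder AMI with the app pre-installed
      InstanceType: !Ref InstanceType
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash -xe
          yum install -y aws-cfn-bootstrap
          # Signal only once the instance is actually ready to serve traffic.
          /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource WebServerGroup --region ${AWS::Region}

  WebServerGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      LaunchConfigurationName: !Ref WebServerLaunchConfig
      VPCZoneIdentifier: !Ref SubnetIds
      MinSize: "4"
      MaxSize: "8"
      DesiredCapacity: "4"
    CreationPolicy:
      ResourceSignal:
        Count: 4
        Timeout: PT15M
    UpdatePolicy:
      AutoScalingRollingUpdate:
        MinInstancesInService: 2     # never fewer than 2 of the 4 in service
        MaxBatchSize: 2              # replace at most 2 at a time, so 4 - 2 = 2 keep serving
        PauseTime: PT15M             # with WaitOnResourceSignals, the maximum wait per batch
        WaitOnResourceSignals: true  # wait for cfn-signal rather than a fixed pause
        SuspendProcesses:            # keep scaling activity from fighting the rollout
          - HealthCheck
          - ReplaceUnhealthy
          - AZRebalance
          - AlarmNotification
          - ScheduledActions
```

WaitOnResourceSignals is the part that makes "no interruption" meaningful: without it CloudFormation only waits PauseTime and moves on whether or not the new instances are healthy, whereas with it a batch that fails to signal within PauseTime fails the update and CloudFormation rolls the group back to the previous launch configuration.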

  20. You currently have the following setup in AWS:

    1) An Elastic Load Balancer
    2) Auto Scaling Group which launches EC2 Instances
    3) AMIs with your code pre-installed

    You want to deploy the updates of your app to only a certain number of users. You want to have a cost-effective solution. You should also be able to revert back quickly.

    Which of the below solutions is the most feasible one?

    • Create a second ELB, and a new Auto Scaling Group assigned a new Launch Configuration. Create a new AMI with the updated app. Use Route53 Weighted Round Robin records to adjust the proportion of traffic hitting the two ELBs.
    • Create new AMIs with the new app. Then use the new EC2 instances in half proportion to the older instances.
    • Redeploy with AWS Elastic Beanstalk and Elastic Beanstalk versions. Use Route 53 Weighted Round Robin records to adjust the proportion of traffic hitting the two ELBs
    • Create a full second stack of instances, cut the DNS over to the new stack of instances, and change the DNS back if a rollback is needed.
    Explanation:

    The weighted routing policy of Route 53 lets you send a chosen proportion of traffic to each of two load balancers. The most feasible option is therefore to create a second ELB with its own Auto Scaling group and launch configuration built from the new AMI, then use weighted records to shift a small share of users to it and to shift them back if a rollback is needed. Simply launching new instances from the new AMI in a fixed proportion behind the existing ELB gives no control over which users see the update and no quick rollback. Redeploying on Elastic Beanstalk would mean re-platforming an existing ELB and Auto Scaling deployment, and that option mentions neither a second environment nor swapping environment URLs. Cutting DNS over to a full second stack moves every user at once, so it cannot limit the update to a subset of users, and running a complete duplicate stack is not cost-effective.
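The weighted records for the chosen option, as an added example that is not part of the original page: a change batch for aws route53 change-resource-record-sets that sends 10% of users to the ELB in front of the new Auto Scaling group. The hosted zone id, domain name, ELB DNS names and the ELB alias hosted zone id are assumed placeholders.

```json
{
  "Comment": "Added example: canary 10% of users onto the stack built from the new AMI (all identifiers assumed)",
  "Changes": [
    {
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Name": "www.example.com.",
        "Type": "A",
        "SetIdentifier": "blue-current-ami",
        "Weight": 90,
        "AliasTarget": {
          "HostedZoneId": "ZELBHOSTEDZONEID",
          "DNSName": "dualstack.blue-elb-123456789.us-east-1.elb.amazonaws.com.",
          "EvaluateTargetHealth": true
        }
      }
    },
    {
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Name": "www.example.com.",
        "Type": "A",
        "SetIdentifier": "green-new-ami",
        "Weight": 10,
        "AliasTarget": {
          "HostedZoneId": "ZELBHOSTEDZONEID",
          "DNSName": "dualstack.green-elb-987654321.us-east-1.elb.amazonaws.com.",
          "EvaluateTargetHealth": true
        }
      }
    }
  ]
}
```

Apply it with aws route53 change-resource-record-sets --hosted-zone-id <zone-id> --change-batch file://canary.json, and widen or roll back the canary by re-applying with different weights; a Weight of 0 on the green record stops Route 53 returning it entirely unless every record in the set is 0. EvaluateTargetHealth keeps users off a load balancer with no healthy instances, and because alias records carry no TTL of their own, a rollback takes effect as soon as resolvers refresh the ELB's short-lived answer.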