Amazon Exam DOP-C02 Topic 3 Question 26 Discussion

Actual exam question for Amazon's DOP-C02 exam
Question #: 26
Topic #: 3

A company is reviewing its IAM policies. One policy written by the DevOps engineer has been flagged as too permissive. The policy is used by an AWS Lambda function that issues a stop command to Amazon EC2 instances tagged with Environment: NonProduction over the weekend. The current policy is:

What changes should the engineer make to achieve a policy of least permission? (Select THREE.)

A.

B.

C.

D.

E.

F.

Suggested Answer: A, B, D

The engineer should make the following changes to achieve a policy of least permission:

A: Add a condition to ensure that the principal making the request is an AWS Lambda function. This ensures that only Lambda functions can execute this policy.

B: Narrow down the resources by specifying the ARN of EC2 instances instead of allowing all resources. This ensures that the policy only affects EC2 instances.

D: Add a condition to ensure that this policy only applies to EC2 instances tagged with "Environment: NonProduction". This ensures that production environments are not affected by this policy.


AWS Identity and Access Management (IAM) - AWS Documentation

Certified DevOps Engineer - Professional (DOP-C02) Study Guide (page 179)
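The resource scoping and tag condition described in explanations B and D can be checked mechanically. The script below is an added example, not part of the original page or the exam material. Both policies are constructed samples (the page's own policy is not shown), and `findings` is a hypothetical helper that assumes the function only needs `ec2:StopInstances`.

```python
import json

# Constructed sample: a policy of the "too permissive" kind the question describes.
PERMISSIVE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]
}""")

# Constructed sample: scoped to instance ARNs and to the Environment tag.
TIGHTENED = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "ec2:StopInstances",
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "NonProduction"}}
  }]
}""")

# IAM action names and condition key names are case-insensitive.
NEEDED_ACTIONS = {"ec2:stopinstances"}
TAG_KEYS = {"ec2:resourcetag/environment", "aws:resourcetag/environment"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def findings(policy, tag_value="NonProduction"):
    """Return (statement index, kind, detail) for each over-broad element."""
    out = []
    for i, st in enumerate(as_list(policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:
            out.append((i, "negation", "NotAction/NotResource in an Allow"))
        for action in as_list(st.get("Action", [])):
            if action.lower() not in NEEDED_ACTIONS:
                out.append((i, "action", action))
        for res in as_list(st.get("Resource", [])):
            if not (res.startswith("arn:aws:ec2:") and ":instance/" in res):
                out.append((i, "resource", res))
        equals = st.get("Condition", {}).get("StringEquals", {})
        if not any(k.lower() in TAG_KEYS and as_list(v) == [tag_value]
                   for k, v in equals.items()):
            out.append((i, "condition", "no Environment tag restriction"))
    return out

if __name__ == "__main__":
    for name, pol in (("permissive", PERMISSIVE), ("tightened", TIGHTENED)):
        print(name, findings(pol))
```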

Contribute your Thoughts:

Diane
6 months ago
As an AWS security specialist, I'd recommend A, B, and D. Least privilege is the name of the game, and you don't want those 'NonProduccion' instances going rogue on the weekend!
upvoted 0 times
Catalina
5 months ago
I agree, least privilege is key. Let's make those changes to prevent any issues with the 'NonProduccion' instances.
upvoted 0 times
...
Karol
5 months ago
A, B, and D are definitely the way to go. We need to tighten up those permissions.
upvoted 0 times
...
...
Jeannine
6 months ago
Options A, B, and F look solid to me. Tightening up the resource conditions and reducing the allowed actions will really lock down that policy.
upvoted 0 times
...
Rikki
6 months ago
Haha, I'm gonna go with Options A, C, and E. Gotta keep those EC2 instances on their toes, right? 'NonProduccion' sounds like a party zone to me!
upvoted 0 times
Brandon
5 months ago
Definitely. Keeping things secure is key, even in the 'party zone'.
upvoted 0 times
...
Bambi
5 months ago
Yeah, I agree. NonProduccion does sound like a party zone. Better tighten up those policies.
upvoted 0 times
...
Raina
5 months ago
I think Options A, C, and E are the way to go. Can't have those instances slacking off!
upvoted 0 times
...
...
Micaela
6 months ago
I think Options A, B, and D would be the best choices here. Limiting the resource actions to only what's necessary is key for a least-privilege policy.
upvoted 0 times
Leonard
5 months ago
Options A, B, and D seem to be the most appropriate choices for this policy.
upvoted 0 times
...
Silva
5 months ago
I think Option C should also be considered to further restrict access.
upvoted 0 times
...
Gabriele
6 months ago
I agree, limiting the resource actions is crucial for security.
upvoted 0 times
...
...
Shawn
6 months ago
I believe options A, C, and D could help achieve a policy with least permission.
upvoted 0 times
...
Daron
6 months ago
I agree. The current policy seems too permissive.
upvoted 0 times
...
Maddie
7 months ago
I think the engineer should make changes to the policy.
upvoted 0 times
...
