Cyber Monday 2024! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

Amazon Exam DOP-C02 Topic 6 Question 36 Discussion

Actual exam question for Amazon's DOP-C02 exam
Question #: 36
Topic #: 6
[All DOP-C02 Questions]

A company uses an organization in AWS Organizations to manage multiple AWS accounts The company needs an automated process across all AWS accounts to isolate any compromised Amazon EC2 instances when the instances receive a specific tag.

Which combination of steps will meet these requirements? (Select TWO.)

Show Suggested Answer Hide Answer
Suggested Answer: A, E

This corresponds to Option A: Use AWS CloudFormation StackSets to deploy the CloudFormation stacks in all AWS accounts.

* Step 2: Isolate EC2 Instances using Lambda and Security Groups When an EC2 instance is compromised, it needs to be isolated from the network. This can be done by creating a security group with no inbound or outbound rules and attaching it to the instance. A Lambda function can handle this process and can be triggered automatically by an Amazon EventBridge rule when a specific tag (e.g., 'isolation') is applied to the compromised instance.

Action: Create a Lambda function that attaches an isolated security group (with no inbound or outbound rules) to the compromised EC2 instances. Set up an EventBridge rule to trigger the Lambda function when the 'isolation' tag is applied to the instance.

Why: This automates the isolation process, ensuring that any compromised instances are immediately cut off from the network, reducing the potential damage from the compromise.

This corresponds to Option E: Create an AWS CloudFormation template that creates an EC2 instance role that has no IAM policies attached. Configure the template to have a security group that has no inbound rules or outbound rules. Use the CloudFormation template to create an AWS Lambda function that attaches the IAM role to instances. Configure the Lambda function to replace any existing security groups with the new security group. Set up an Amazon EventBridge rule to invoke the Lambda function when a specific tag is applied to a compromised EC2 instance.

Contribute your Thoughts:

Izetta
2 months ago
Haha, an 'explicit Deny' rule on all traffic? That's like locking yourself in a room and throwing away the key.
upvoted 0 times
...
Jeniffer
2 months ago
I'm glad they're using an SCP to restrict access. It's like having a bouncer at the door, keeping the bad guys out.
upvoted 0 times
Stephaine
26 days ago
Hyman: Exactly, keeping the bad guys out.
upvoted 0 times
...
Hyman
1 months ago
User 2: Yes, they act like a bouncer for your AWS accounts.
upvoted 0 times
...
Sommer
1 months ago
SCPs are great for security!
upvoted 0 times
...
...
Carolynn
2 months ago
Isolating compromised EC2 instances? That's like putting a band-aid on a bullet wound, but at least it's better than nothing.
upvoted 0 times
Blair
1 months ago
A: Isolating compromised EC2 instances may not be perfect, but it's a step in the right direction for security measures.
upvoted 0 times
...
Mozell
2 months ago
B: E) Create an AWS Cloud Formation template that creates an EC2 instance role that has no 1AM policies attached. Configure the template to have a security group that has no inbound rules or outbound rules. Use the CloudFormation template to create an AWS Lambda function that attaches the 1AM role to instances. Configure the Lambda function to replace any existing security groups with the new security group. Set up an Amazon EventBridge rule to invoke the Lambda function when a specific tag is applied to a compromised EC2 instance.
upvoted 0 times
...
Milly
2 months ago
A: B) Create an SCP that has a Deny statement for the ec2:\' action with a condition of \'aws:RequestTag/isolation\': false.
upvoted 0 times
...
...
Maile
2 months ago
But we also need to create an SCP with a Deny statement for the ec2 action to isolate compromised instances.
upvoted 0 times
...
Fredric
2 months ago
I agree. It will help automate the process across all AWS accounts.
upvoted 0 times
...
Krissy
2 months ago
I think we should use AWS Cloud Formation StackSets to deploy the necessary resources.
upvoted 0 times
...
Mila
3 months ago
Woah, this question is like a maze of AWS services! I hope I don't get lost in the CloudFormation and StackSets.
upvoted 0 times
Krissy
2 months ago
A: I think using CloudFormation StackSets to deploy resources across all accounts is key here.
upvoted 0 times
...
Hector
2 months ago
B: I know, it's like a puzzle trying to figure out the right combination of steps.
upvoted 0 times
...
Diane
2 months ago
A: Yeah, this question is definitely testing our knowledge of AWS services.
upvoted 0 times
...
...

Save Cancel
az-700  pass4success  az-104  200-301  200-201  cissp  350-401  350-201  350-501  350-601  350-801  350-901  az-720  az-305  pl-300  

Warning: Cannot modify header information - headers already sent by (output started at /pass.php:70) in /pass.php on line 77