Amazon Exam DOP-C02 Topic 9 Question 21 Discussion

Actual exam question for Amazon's DOP-C02 exam
Question #: 21
Topic #: 9

A company is reviewing its IAM policies. One policy written by the DevOps engineer has been flagged as too permissive. The policy is used by an AWS Lambda function that issues a stop command to Amazon EC2 instances tagged with Environment: NonProduction over the weekend. The current policy is:

What changes should the engineer make to achieve a policy of least permission? (Select THREE.)

A.

B.

C.

D.

E.

F.

Suggested Answer: A, B, D

The engineer should make the following changes to achieve a policy of least permission:

A: Add a condition to ensure that the principal making the request is an AWS Lambda function. This ensures that only Lambda functions can execute this policy.

B: Narrow down the resources by specifying the ARN of EC2 instances instead of allowing all resources. This ensures that the policy only affects EC2 instances.

D: Add a condition to ensure that this policy only applies to EC2 instances tagged with "Environment: NonProduction". This ensures that production environments are not affected by this policy.
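
An added example, not part of the original page: a small Python check that contrasts a permissive policy with one tightened along the lines of changes B and D, and reports what is still too broad. The permissive policy is a constructed stand-in (the page's own policy did not survive), and the Lambda-principal condition from option A is left out because its text is absent from the page.

```python
import json

# Constructed stand-in for the policy missing from the page (assumption).
PERMISSIVE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}

# Tightened form: single action, EC2 instance ARNs only, tag condition.
TIGHTENED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ec2:StopInstances",
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {
            "StringEquals": {"ec2:ResourceTag/Environment": "NonProduction"}
        },
    }],
}

def as_list(value):
    """IAM accepts either a single value or a list in these fields."""
    return value if isinstance(value, list) else [value]

def findings(policy, tag_key="Environment", tag_value="NonProduction"):
    """Return (statement index, finding) pairs for each Allow statement."""
    out = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if any("*" in a for a in as_list(stmt.get("Action", []))):
            out.append((i, "wildcard-action"))
        if any(not r.startswith("arn:aws:ec2:") or ":instance/" not in r
               for r in as_list(stmt.get("Resource", []))):
            out.append((i, "resource-not-scoped-to-instances"))
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        # Require exactly the expected tag value, nothing broader.
        if as_list(cond.get(f"ec2:ResourceTag/{tag_key}", [])) != [tag_value]:
            out.append((i, "missing-tag-condition"))
    return out

if __name__ == "__main__":
    for name, pol in (("permissive", PERMISSIVE), ("tightened", TIGHTENED)):
        print(name, findings(pol))
    print(json.dumps(TIGHTENED, indent=2))
```
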


AWS Identity and Access Management (IAM) - AWS Documentation

Certified DevOps Engineer - Professional (DOP-C02) Study Guide (page 179)

Contribute your Thoughts:

Viva
6 months ago
Exactly, we need to limit the actions the Lambda function can perform.
upvoted 0 times
...
Roslyn
6 months ago
Yes, that would restrict access and make it more secure.
upvoted 0 times
...
Major
6 months ago
I think adding conditions to the policy would definitely help.
upvoted 0 times
...
Viva
6 months ago
I believe options A, C, and D could help achieve a least privilege policy.
upvoted 0 times
...
Roslyn
6 months ago
I agree, we need to make it more secure.
upvoted 0 times
...
Major
7 months ago
I think the current policy is too permissive.
upvoted 0 times
...
Antonio
7 months ago
Yes, limiting the action to only what is necessary is a best practice in security policies.
upvoted 0 times
...
Shoshana
7 months ago
I also believe changing the Action from 'ec2:StopInstances' to 'ec2:StopInstances' would be a good move.
upvoted 0 times
...
Denae
7 months ago
I agree, that would definitely reduce the permissions and make it more secure.
upvoted 0 times
...
Antonio
7 months ago
I think the engineer should remove the unnecessary resource star in the resource section.
upvoted 0 times
...
Pamella
8 months ago
Haha, imagine if the policy was even more permissive - like 'Stop all instances, even the production ones!' That would be a real disaster waiting to happen. But yeah, B, D, and F sound like a good way to go here.
upvoted 0 times
...
Amie
8 months ago
Alright, let's do this! I'm feeling good about A, C, and E. Gotta keep those permissions locked down tight, you know?
upvoted 0 times
...
Arthur
8 months ago
Yeah, this is a tricky one. We need to find the right balance between security and functionality. I'm leaning towards B, D, and E - that should give us the least permissive policy while still allowing the necessary actions.
upvoted 0 times
...
Willard
8 months ago
I agree, this policy is way too open. Restricting the actions to only the necessary ones makes a lot of sense. I'd also add option C to the mix - we don't want to accidentally stop any production instances.
upvoted 0 times
...
Carey
8 months ago
Haha, yeah these IAM policy questions can be like a puzzle. I'm going with A, B, and D - seems like the most restrictive approach.
upvoted 0 times
Frankie
7 months ago
F: So, A, C, and D could be the best combination then.
upvoted 0 times
...
Dustin
8 months ago
E: I agree, C might provide additional security measures.
upvoted 0 times
...
Owen
8 months ago
D: Maybe C could be useful too, along with A and D.
upvoted 0 times
...
Cassi
8 months ago
C: Yeah, A and D seem necessary for tightening the policy.
upvoted 0 times
...
Shaunna
8 months ago
B: I'm not sure about B, but A and D are definitely important.
upvoted 0 times
...
Helaine
8 months ago
A: I think A, B, and D is a good choice.
upvoted 0 times
...
...
Lyla
8 months ago
Ooh, this is a good one. I'm leaning towards A, B, and F. Gotta love these IAM policy questions, they really make you think!
upvoted 0 times
...
Ronald
8 months ago
Hmm, this policy seems pretty permissive. We definitely need to tighten it up to achieve least privilege. I'm thinking we should go with options B, D, and F.
upvoted 0 times
...
Zena
8 months ago
Hmm, let me take a closer look at the options. I think A, B, and E are the best choices here to achieve least permission.
upvoted 0 times
Grover
7 months ago
I agree, those options seem to be the best for achieving least permission.
upvoted 0 times
...
Aretha
7 months ago
I think we should choose options A, B, and E.
upvoted 0 times
...
...
Lashaunda
8 months ago
I agree, the current policy is way too permissive. We need to really lock it down and only allow the bare minimum required permissions.
upvoted 0 times
...
Luz
8 months ago
This is a tricky question, but I think the key is to minimize the permissions as much as possible. The current policy seems quite broad, so we'll need to tighten it up.
upvoted 0 times
...
