
Amazon DOP-C02 Exam - Topic 6 Question 22 Discussion

Actual exam question for Amazon's DOP-C02 exam
Question #: 22
Topic #: 6

A security team is concerned that a developer can unintentionally attach an Elastic IP address to an Amazon EC2 instance in production. No developer should be allowed to attach an Elastic IP address to an instance. The security team must be notified if any production server has an Elastic IP address at any time.

How can this task be automated?

Lorrie
3 months ago
A sounds cool, but I’m not sure about using Athena for this.
upvoted 0 times
...
Gayla
3 months ago
D is solid, but I think it might be overkill.
upvoted 0 times
...
Shawna
3 months ago
Wait, can developers really attach Elastic IPs by accident?
upvoted 0 times
...
Irma
4 months ago
I disagree, C is better because of the scheduled checks.
upvoted 0 times
...
Fletcher
4 months ago
B seems like the most straightforward solution.
upvoted 0 times
...
Lucia
4 months ago
I’m leaning towards option B because it combines IAM policies with AWS Config, which seems like a solid way to ensure compliance.
upvoted 0 times
...
Caprice
4 months ago
I feel like the Lambda function approach could work, but I wonder if it’s the most efficient way to handle this situation.
upvoted 0 times
...
Cecil
4 months ago
I think using AWS Config rules sounds familiar, especially for monitoring resources. I practiced a question like this, but I can't recall the exact steps.
upvoted 0 times
...
Deane
5 months ago
I remember studying IAM policies and how they can restrict permissions, but I'm not sure if just denying associate-address permissions is enough.
upvoted 0 times
...
Francene
5 months ago
Hmm, I'm a bit confused on the best way to approach this. Should we be using CloudTrail logs, AWS Config rules, or a combination of both? I'm not sure which option would be the most effective and efficient way to monitor and remediate the issue. Maybe I should review the exam question again and see if I'm missing any key details.
upvoted 0 times
...
Dulce
5 months ago
Okay, I think I've got a good strategy for this. First, I'd create an IAM policy to deny the associate-address permission for all developer roles. Then, I'd set up an AWS Config rule to continuously check for any Elastic IPs attached to production instances and trigger a Lambda function to automatically detach the IP and notify the security team. Seems like a solid plan!
upvoted 0 times
...
Stephaine
5 months ago
This seems like a straightforward security task. I'd start by looking at the IAM permissions for the developers and ensuring they don't have the ability to associate Elastic IPs. Then I'd set up an AWS Config rule to monitor for any Elastic IPs attached to production instances and alert the security team.
upvoted 0 times
...
Shonda
5 months ago
Hmm, this is a tricky one. I'm not sure if just denying the associate-address permission for developers is enough, as they could potentially find other ways to attach an Elastic IP. I think the best approach would be to use a combination of IAM policies, AWS Config rules, and Lambda functions to monitor and remediate any issues.
upvoted 0 times
...
Delmy
5 months ago
This seems like a pretty straightforward question. I'd go with option C - using a Token Vending Machine to get temporary credentials and serving the app from autoscaled EC2 instances. That way, the client can interact with DynamoDB without needing to manage credentials, and the infrastructure will scale as needed.
upvoted 0 times
...
Barrett
5 months ago
Hmm, I'm a bit unsure about this one. I'll need to review the benefits management plan to make sure the program is still valid and on track.
upvoted 0 times
...
Lavonda
5 months ago
Okay, I've got a strategy - I'll focus on the key differences between on-prem and cloud deployments, like performance and availability constraints. That should help me narrow it down.
upvoted 0 times
...
Ashton
2 years ago
That's a valid point, Option C does offer a proactive approach to prevent unauthorized attachment of Elastic IP addresses.
upvoted 0 times
...
Nathalie
2 years ago
I prefer option C. It ensures that developer IAM groups do not have associate-address permissions and includes a scheduled Lambda function for checking.
upvoted 0 times
...
Lashawnda
2 years ago
I agree with Using CloudTrail logs to monitor and Lambda function to disassociate the Elastic IP address seems efficient
upvoted 0 times
...
Ashton
2 years ago
I think option A is the best approach as it involves using CloudTrail logs and Lambda function to automate the task.
upvoted 0 times
...
Maricela
2 years ago
We can create a custom rule in AWS Config to monitor for that and alert the security team.
upvoted 0 times
...
Cordie
2 years ago
What about checking if an IP address is associated with a production instance?
upvoted 0 times
...
Maricela
2 years ago
We could attach an IAM policy to the developers' group to prevent them from attaching IP addresses.
upvoted 0 times
...
Cordie
2 years ago
That sounds good. What about using IAM policies to deny associate-address permissions?
upvoted 0 times
...
Maricela
2 years ago
We can use Amazon Athena to query CloudTrail logs and create a Lambda function to disassociate the IP address.
upvoted 0 times
Dick
2 years ago
D) Create an AWS Config rule to check that all production instances have EC2 IAM roles that include deny associate-address permissions. Verify whether there is an Elastic IP address associated with any instance, and alert the security team if an instance has an Elastic IP address associated with it.
upvoted 0 times
...
Sommer
2 years ago
C) Ensure that all IAM groups associated with developers do not have associate-address permissions. Create a scheduled AWS Lambda function to check whether an Elastic IP address is associated with any instance tagged as production, and alert the security team if an instance has an Elastic IP address associated with it.
upvoted 0 times
...
Natalya
2 years ago
B) Attach an IAM policy to the developers' IAM group to deny associate-address permissions. Create a custom AWS Config rule to check whether an Elastic IP address is associated with any instance tagged as production, and alert the security team.
upvoted 0 times
...
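The two pieces listed in the option B comment above, sketched as an added example (not part of the original thread and not AWS's own code): an explicit-deny IAM policy document, and the evaluation logic a custom AWS Config rule Lambda could apply to each EC2 instance configuration item. The `Environment=production` tag convention, the function names, and the use of `ipOwnerId` to tell an Elastic IP from an auto-assigned public IP are assumptions; the sample event is constructed.

```python
import json

# IAM policy for the developers' group: explicit deny on the EC2 action behind
# "associate-address". An explicit Deny overrides any Allow the group also has.
DENY_EIP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyAssociateAddress", "Effect": "Deny",
                   "Action": "ec2:AssociateAddress", "Resource": "*"}],
}
PROD_TAG = ("Environment", "production")  # assumed tagging convention


def elastic_ips(ci):
    """Return Elastic IPs found on an AWS::EC2::Instance configuration item."""
    found = []
    for eni in (ci.get("configuration") or {}).get("networkInterfaces") or []:
        assoc = eni.get("association") or {}
        # Assumption: auto-assigned public IPs carry ipOwnerId "amazon";
        # Elastic IPs carry the owning account ID instead.
        if assoc.get("publicIp") and assoc.get("ipOwnerId") != "amazon":
            found.append(assoc["publicIp"])
    return found


def evaluate(ci):
    """Map one configuration item to (compliance_type, annotation)."""
    if ci.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE", "not an EC2 instance"
    if ci.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "instance deleted"
    if (ci.get("tags") or {}).get(PROD_TAG[0]) != PROD_TAG[1]:
        return "NOT_APPLICABLE", "not tagged as production"
    eips = elastic_ips(ci)
    if eips:
        return "NON_COMPLIANT", "Elastic IP attached: " + ", ".join(eips)
    return "COMPLIANT", "no Elastic IP attached"


def evaluate_event(event):
    """Entry point for the invoking event a custom Config rule Lambda receives."""
    invoking = json.loads(event["invokingEvent"])
    return evaluate(invoking["configurationItem"])


# Constructed sample event: a production instance with an account-owned address.
SAMPLE_EVENT = {"invokingEvent": json.dumps({"configurationItem": {
    "resourceType": "AWS::EC2::Instance", "configurationItemStatus": "OK",
    "tags": {"Environment": "production"},
    "configuration": {"networkInterfaces": [{"association": {
        "publicIp": "203.0.113.10", "ipOwnerId": "111122223333"}}]}}})}
```

A deployed handler would report the result back to AWS Config with `PutEvaluations`, using the `resultToken` from the event; notifying the security team is then a matter of routing the rule's compliance-change notifications to them.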
Stanford
2 years ago
A) Use Amazon Athena to query AWS CloudTrail logs to check for any associate-address attempts. Create an AWS Lambda function to disassociate the Elastic IP address from the instance, and alert the security team.
upvoted 0 times
...
...
Cordie
2 years ago
How can we automate the task of preventing developers from attaching Elastic IP addresses to production instances?
upvoted 0 times
...
