Amazon DOP-C02 Exam - Topic 6 Question 36 Discussion


A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company needs an automated process across all AWS accounts to isolate any compromised Amazon EC2 instances when the instances receive a specific tag.

Which combination of steps will meet these requirements? (Select TWO.)

Suggested Answer: A, E

Step 1: Deploy the isolation resources to every account with AWS CloudFormation StackSets. The security group, the IAM role, the Lambda function and the EventBridge rule must exist in each member account (and in each Region that runs EC2 instances). A service-managed StackSet deploys one template across the accounts of the organization and, with automatic deployment enabled, also to accounts that join the organization later.

This corresponds to Option A: Use AWS CloudFormation StackSets to deploy the CloudFormation stacks in all AWS accounts.

Step 2: Isolate EC2 instances using Lambda and security groups. A compromised instance must be cut off from the network. A security group with no inbound or outbound rules does this because a security group only permits the traffic its rules list; it has no Deny rules and needs none. Because the allow rules of all attached groups are combined, the Lambda function must replace the instance's existing security groups with the empty one rather than add it alongside them. An Amazon EventBridge rule invokes the function automatically when a specific tag (for example, 'isolation') is applied to the instance.

Action: Create a Lambda function that replaces the security groups of the compromised EC2 instance with the isolated security group (no inbound or outbound rules) and attaches an IAM role that has no policies, so the instance can no longer obtain credentials that carry permissions. Set up an EventBridge rule that invokes the Lambda function when the 'isolation' tag is applied to an instance.

Why: This automates the isolation step, so any tagged instance is cut off from the network and from IAM permissions without manual intervention, which limits what an attacker can do from the instance while it is kept for forensics. Security groups are stateful, so check the AWS documentation on security group connection tracking if connections that are already established must also be dropped at once.

This corresponds to Option E: Create an AWS CloudFormation template that creates an EC2 instance role that has no IAM policies attached. Configure the template to have a security group that has no inbound rules or outbound rules. Use the CloudFormation template to create an AWS Lambda function that attaches the IAM role to instances. Configure the Lambda function to replace any existing security groups with the new security group. Set up an Amazon EventBridge rule to invoke the Lambda function when a specific tag is applied to a compromised EC2 instance.
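The Lambda side of Option E, as an added example that is not code from the page, from the exam, or from AWS. It assumes the CloudFormation template has already created the empty security group(s) and an instance profile for the policy-less role, and that their identifiers reach the function through two environment variables named here for illustration: QUARANTINE_SG_BY_VPC (a JSON map of VPC ID to security group ID, because a security group can only be attached to interfaces in its own VPC) and QUARANTINE_INSTANCE_PROFILE_ARN (EC2 attaches a role through an instance profile, so the profile is what gets swapped). The event shape is the documented "Tag Change on Resource" event from the tagging service; `FakeEC2` and `SAMPLE_EVENT` are constructed test doubles so the module runs offline, and in Lambda the handler creates a real boto3 client instead.

```python
"""Added example: Lambda handler that isolates EC2 instances tagged `isolation`.
Assumes the CloudFormation template created the quarantine security group(s) and
empty instance profile and exposes them via the (assumed) environment variables
QUARANTINE_SG_BY_VPC (JSON vpc-id -> sg-id) and QUARANTINE_INSTANCE_PROFILE_ARN.
FakeEC2 and SAMPLE_EVENT are constructed test doubles so this runs offline."""
import json
import os

ISOLATION_TAG = "isolation"

# Pattern for the EventBridge rule: the tagging service emits this event for
# tag adds, changes and removals on EC2 instances in the account and Region.
EVENT_PATTERN = {
    "source": ["aws.tag"],
    "detail-type": ["Tag Change on Resource"],
    "detail": {"service": ["ec2"], "resource-type": ["instance"],
               "changed-tag-keys": [ISOLATION_TAG]},
}


def instance_ids_from_event(event):
    """Instance IDs to isolate; [] unless the isolation tag was added or changed.
    The rule also fires on tag removal, so require the key in the current tags."""
    detail = event.get("detail", {})
    if event.get("detail-type") != "Tag Change on Resource":
        return []
    if detail.get("service") != "ec2" or detail.get("resource-type") != "instance":
        return []
    if ISOLATION_TAG not in detail.get("changed-tag-keys", []):
        return []
    if ISOLATION_TAG not in detail.get("tags", {}):
        return []  # tag deleted: nothing to isolate
    return [arn.rsplit("/", 1)[-1] for arn in event.get("resources", [])]


def isolate_instance(ec2, instance_id, sg_by_vpc, profile_arn):
    """Replace every ENI's security groups and the instance's profile."""
    instance = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    quarantine_sg = sg_by_vpc[instance["VpcId"]]  # the SG must live in the instance's VPC
    enis = []
    for eni in instance["NetworkInterfaces"]:
        # ModifyInstanceAttribute(Groups=...) changes only the primary ENI, so swap
        # the groups per interface; Groups replaces the whole list, not adds to it.
        ec2.modify_network_interface_attribute(
            NetworkInterfaceId=eni["NetworkInterfaceId"], Groups=[quarantine_sg])
        enis.append(eni["NetworkInterfaceId"])
    assocs = ec2.describe_iam_instance_profile_associations(
        Filters=[{"Name": "instance-id", "Values": [instance_id]}])["IamInstanceProfileAssociations"]
    # EC2 attaches a role through an instance profile, so the profile is what is swapped.
    if assocs:
        ec2.replace_iam_instance_profile_association(
            AssociationId=assocs[0]["AssociationId"], IamInstanceProfile={"Arn": profile_arn})
    else:
        ec2.associate_iam_instance_profile(
            IamInstanceProfile={"Arn": profile_arn}, InstanceId=instance_id)
    return {"instance": instance_id, "enis": enis, "sg": quarantine_sg, "profile": profile_arn}


def lambda_handler(event, context=None, ec2=None, sg_by_vpc=None, profile_arn=None):
    """Lambda entry point; keyword arguments exist only for offline testing."""
    if ec2 is None:
        import boto3  # available in the Lambda Python runtime
        ec2 = boto3.client("ec2")
    sg_by_vpc = sg_by_vpc or json.loads(os.environ["QUARANTINE_SG_BY_VPC"])
    profile_arn = profile_arn or os.environ["QUARANTINE_INSTANCE_PROFILE_ARN"]
    return [isolate_instance(ec2, i, sg_by_vpc, profile_arn)
            for i in instance_ids_from_event(event)]


class FakeEC2:
    """Constructed stand-in for boto3.client("ec2") that records the calls made."""
    def __init__(self):
        self.calls = []
    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [{"InstanceId": InstanceIds[0], "VpcId": "vpc-0aaa",
                "NetworkInterfaces": [{"NetworkInterfaceId": "eni-1"}, {"NetworkInterfaceId": "eni-2"}]}]}]}
    def modify_network_interface_attribute(self, **kw):
        self.calls.append(("modify_eni", kw))
    def describe_iam_instance_profile_associations(self, Filters):
        return {"IamInstanceProfileAssociations": [{"AssociationId": "iip-assoc-1"}]}
    def replace_iam_instance_profile_association(self, **kw):
        self.calls.append(("replace_profile", kw))
    def associate_iam_instance_profile(self, **kw):
        self.calls.append(("associate_profile", kw))


# Constructed event in the shape EventBridge delivers when the tag is added.
SAMPLE_EVENT = {
    "detail-type": "Tag Change on Resource", "source": "aws.tag",
    "resources": ["arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"],
    "detail": {"service": "ec2", "resource-type": "instance",
               "changed-tag-keys": [ISOLATION_TAG], "tags": {ISOLATION_TAG: "true"}},
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, ec2=FakeEC2(), sg_by_vpc={"vpc-0aaa": "sg-0quarantine"},
                         profile_arn="arn:aws:iam::123456789012:instance-profile/quarantine"))
```

Two points the function cannot cover on its own: swapping the instance profile stops the instance from fetching new credentials for the original role, but temporary credentials an attacker already copied remain valid until they expire, so the original role's active sessions should be revoked separately; and the Lambda execution role in each account needs only the EC2 describe and modify calls used above, not broad EC2 permissions.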

Contribute your Thoughts:

Maryanne
3 months ago
Wait, can Lambda really handle all that? Sounds risky!
upvoted 0 times
Queen
3 months ago
Agreed, E looks like a solid approach too!
upvoted 0 times
Rochell
3 months ago
Not sure about D, seems overly complicated.
upvoted 0 times
Tanesha
4 months ago
I think option B is crucial for security!
upvoted 0 times
Orville
4 months ago
Definitely need StackSets for multi-account management!
upvoted 0 times
Jimmie
4 months ago
The Lambda function part is a bit confusing for me. I wonder if the security group needs to have explicit Deny rules or if just having no inbound/outbound rules would suffice.
upvoted 0 times
Beatriz
4 months ago
I feel like I’ve seen a similar question before, and I think attaching the SCP to the root might be necessary for it to apply to all accounts.
upvoted 0 times
Giovanna
4 months ago
I'm not entirely sure, but I think using an SCP with a Deny statement could help isolate those EC2 instances when they get tagged.
upvoted 0 times
Tommy
5 months ago
I remember studying about AWS CloudFormation StackSets, and they seem like a good choice for deploying resources across multiple accounts.
upvoted 0 times
Harris
5 months ago
This is right up my alley! I've worked with CloudFormation StackSets and SCPs before, so I'm confident I can put together a solid solution for this. Time to get to work and nail this exam question.
upvoted 0 times
Long
5 months ago
Okay, let's see here. We need an automated process to isolate compromised EC2 instances across multiple AWS accounts. The key seems to be using CloudFormation StackSets and SCPs to deploy the solution consistently. I think I've got a handle on this.
upvoted 0 times
Stephaine
5 months ago
This looks like a straightforward question, but I want to make sure I understand the requirements correctly. I'll need to review the details carefully and think through the steps.
upvoted 0 times
Carmen
5 months ago
Hmm, this is a tricky one. Isolating compromised instances requires a multi-faceted approach. I'll need to really analyze the options and make sure I select the right combination of steps to meet the requirements.
upvoted 0 times
Mammie
5 months ago
I'm a bit confused about the difference between indexes, IOTs, and regular tables when it comes to shrinking. Gotta review that.
upvoted 0 times
Izetta
1 year ago
Haha, an 'explicit Deny' rule on all traffic? That's like locking yourself in a room and throwing away the key.
upvoted 0 times
Jeniffer
1 year ago
I'm glad they're using an SCP to restrict access. It's like having a bouncer at the door, keeping the bad guys out.
upvoted 0 times
Stephaine
1 year ago
Hyman: Exactly, keeping the bad guys out.
upvoted 0 times
Hyman
1 year ago
Yes, they act like a bouncer for your AWS accounts.
upvoted 0 times
Sommer
1 year ago
SCPs are great for security!
upvoted 0 times
Carolynn
1 year ago
Isolating compromised EC2 instances? That's like putting a band-aid on a bullet wound, but at least it's better than nothing.
upvoted 0 times
Blair
1 year ago
Isolating compromised EC2 instances may not be perfect, but it's a step in the right direction for security measures.
upvoted 0 times
Mozell
1 year ago
E) Create an AWS CloudFormation template that creates an EC2 instance role that has no IAM policies attached. Configure the template to have a security group that has no inbound rules or outbound rules. Use the CloudFormation template to create an AWS Lambda function that attaches the IAM role to instances. Configure the Lambda function to replace any existing security groups with the new security group. Set up an Amazon EventBridge rule to invoke the Lambda function when a specific tag is applied to a compromised EC2 instance.
upvoted 0 times
Milly
1 year ago
B) Create an SCP that has a Deny statement for the ec2 action with a condition of 'aws:RequestTag/isolation': false.
upvoted 0 times
Maile
1 year ago
But we also need to create an SCP with a Deny statement for the ec2 action to isolate compromised instances.
upvoted 0 times
Fredric
1 year ago
I agree. It will help automate the process across all AWS accounts.
upvoted 0 times
Krissy
1 year ago
I think we should use AWS CloudFormation StackSets to deploy the necessary resources.
upvoted 0 times
Mila
1 year ago
Woah, this question is like a maze of AWS services! I hope I don't get lost in the CloudFormation and StackSets.
upvoted 0 times
Krissy
1 year ago
I think using CloudFormation StackSets to deploy resources across all accounts is key here.
upvoted 0 times
Hector
1 year ago
I know, it's like a puzzle trying to figure out the right combination of steps.
upvoted 0 times
Diane
1 year ago
Yeah, this question is definitely testing our knowledge of AWS services.
upvoted 0 times