AWS-Certified-DevOps-Engineer-Professional Free Practice Test

According to Information Security Policy, changes to the contents of objects inside production Amazon S3 bucket that contain encrypted secrets should only be made by a trusted group of administrators.
How should a DevOps Engineer create real-time, automated checks to meet this requirement?

1. A. Create an AWS Lambda function that is triggered by Amazon S3 data events for object changes and that also checks the IAM user's membership in an administrator's IAM role.
2. B. Create a periodic AWS Config rule to query Amazon S3 Logs for changes and to check the IAM user's membership in an administrator's IAM role.
3. C. Create a metrics filter for Amazon CloudWatch logs to check for Amazon S3 bucket-level permission changes and to check the IAM user's membership in an administrator's IAM role.
4. D. Create a periodic AWS Config rule to query AWS CloudTrail logs for changes to the Amazon S3 bucket-level permissions and to check the IAM user's membership in an administrator's IAM role.

Correct Answer: A

A highly regulated company has a policy that DevOps Engineers should not log in to their Amazon EC2 instances except in emergencies. If a DevOps Engineer does log in, the Security team must be notified within 15 minutes of the occurrence.
Which solution will meet these requirements?

1. A. Install the Amazon Inspector agent on each EC2 instanc
2. B. Subscribe to Amazon CloudWatch Events notification
3. C. Trigger an AWS Lambda function to check if a message is about user login
4. D. If it is, send a notification to the Security team using Amazon SNS.
5. E. Install the Amazon CloudWatch agent on each EC2 instanc
6. F. Configure the agent to push all logs to Amazon CloudWatch Logs and set up a CloudWatch metric filter that searches for user login
7. G. If a login is found, send a notification to the Security team using Amazon SNS.
8. H. Set up AWS CloudTrail with Amazon CloudWatch Log
9. I. Subscribe CloudWatch Logs to Amazon Kinesi
10. J. Attach AWS Lambda to Kinesis to parse and determine if a log contains a user logi
11. K. If it does, send a notification to the Security team using Amazon SNS.
12. L. Set up a script on each Amazon EC2 instance to push all logs to Amazon S3. Set up an S3 event to trigger an AWS Lambda function, which triggers an Amazon Athena query to ru
13. M. The Athena query checks for logins and sends the output to the Security team using Amazon SNS.

Correct Answer: B

An application is running on Amazon EC2. It has an attached IAM role that is receiving an AccessDenied error while trying to access a SecureString parameter resource in the AWS Systems Manager Parameter Store. The SecureString parameter is encrypted with a customer-managed Customer Master Key (CMK),
What steps should the DevOps Engineer take to grant access to the role while granting least privilege? (Select three.)

1. A. Set ssm:GetParamter for the parameter resource in the instance role's IAM policy.
2. B. Set kms:Decrypt for the instance role in the customer-managed CMK policy.
3. C. Set kms:Decrypt for the customer-managed CMK resource in the role's IAM policy.
4. D. Set ssm:DecryptParameter for the parameter resource in the instance role IAM policy.
5. E. Set kms:GenerateDataKey for the user on the AWS managed SSM KMS key.
6. F. Set kms:Decrypt for the parameter resource in the customer-managed CMK policy.

Correct Answer: ABC

A social networking service runs a web API that allows its partners to search public posts. Post data is stored in Amazon DynamoDB and indexed by AWS Lambda functions, with an Amazon ES domain storing the indexes and providing search functionality to the application.
The service needs to maintain full capacity during deployments and ensure that failed deployments do not cause downtime or reduced capacity, or prevent subsequent deployments.
How can these requirements be met? (Select TWO )

1. A. Run the web application in AWS Elastic Beanstalk with the deployment policy set to All at Once.Deploy the Lambda functions, DynamoDB tables, and Amazon ES domain with an AWS CloudFormation template.
2. B. Deploy the web application, Lambda functions, DynamoDB tables, and Amazon ES domain in an AWS CloudFormation templat
3. C. Deploy changes with an AWS CodeDeploy in-place deployment.
4. D. Run the web application in AWS Elastic Beanstalk with the deployment policy set to Immutable.Deploy the Lambda functions, DynamoDB tables, and Amazon ES domain with an AWS CloudFormation template.
5. E. Deploy the web application, Lambda functions, DynamoDB tables, and Amazon ES domain in an AWS CloudFormation templat
6. F. Deploy changes with an AWS CodeDeploy blue/green deployment.
7. G. Run the web application in AWS Elastic Beanstalk with the deployment policy set to Rollin
8. H. Deploy the Lambda functions, DynamoDB tables, and Amazon ES domain with an AWS CloudFormation template.

Correct Answer: CD
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.rolling-version-deploy.html

A company is implementing an Amazon ECS cluster to run its workload. The company architecture will run multiple ECS services on the cluster, with an Application Load Balancer on the front end, using multiple target groups to route traffic. The Application Development team has been struggling to collect logs that must be collected and sent to an Amazon S3 bucket for near-real time analysis
What must the DevOps Engineer configure in the deployment to meet these requirements? (Select THREE)

1. A. Install the Amazon CloudWatch Logs logging agent on the ECS instance
2. B. Change the logging driver in the ECS task definition to 'awslogs'.
3. C. Download the Amazon CloudWatch Logs container instance from AWS and configure it as a task.Update the application service definitions to include the logging task.
4. D. Use Amazon CloudWatch Events to schedule an AWS Lambda function that will run every 60 seconds running the create-export -task CloudWatch Logs command, then point the output to the logging S3 bucket.
5. E. Enable access logging on the Application Load Balancer, then point it directly to the S3 logging bucket.
6. F. Enable access logging on the target groups that are used by the ECS services, then point it directly to the S3 logging bucket.
7. G. Create an Amazon Kinesis Data Firehose with a destination of the S3 logging bucket, then create an Amazon CloudWatch Logs subscription filter for Kinesis

Correct Answer: BDF