AWS-Certified-DevOps-Engineer-Professional Free Practice Test

A DevOps Engineer has been asked by the Security team to ensure that AWS CloudTrail files are not tampered with after being created. Currently, there is a process with multiple trails, using AWS IAM to restrict access to specific trails. The Security team wants to ensure they can trace the integrity of each file and make sure there has been no tampering.
Which option will require the LEAST effort to implement and ensure the legitimacy of the file while allowing the Security team to prove the authenticity of the logs?

1. A. Create an Amazon CloudWatch Events rule that triggers an AWS Lambda function when a new file is delivere
2. B. Configure the Lambda function to perform an MD5 hash check on the file, store the name and location of the file, and post the returned hash to an Amazon DynamoDB tabl
3. C. The Security team can use the values stored in DynamoDB to verify the file authenticity.
4. D. Enable the CloudTrail file integrity feature on an Amazon S3 bucke
5. E. Create an IAM policy that grants the Security team access to the file integrity logs stored in the S3 bucket.
6. F. Enable the CloudTrail file integrity feature on the trai
7. G. Use the digest file created by CloudTrail to verify the integrity of the delivered CloudTrail files.
8. H. Create an AWS Lambda function that is triggered each time a new file is delivered to the CloudTrail bucke
9. I. Configure the Lambda function to execute an MD5 hash check on the file, and store the result on a tag in an Amazon S3 objec
10. J. The Security team can use the information on the tag to verify the integrity of the file.

Correct Answer: C
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html

A company is using Docker containers for an application deployment and wants to move its application to AWS. The company currently manages its own clusters on premises to manage the deployment of these containers. It wants to deploy its application to a managed service in AWS and wants the entire flow of the deployment process to be automated. In addition, the company has the following requirements:
Focus first on the development workload. The environment must be easy to manage.
Deployment should be repeatable and reusable for new environments. Store the code in a GitHub repository.
Which solution will meet these requirements?

1. A. Set up an Amazon ECS environmen
2. B. Use AWS CodePipeline to create a pipeline that is triggered on a commit to the GitHub repositor
3. C. Use AWS CodeBuild to create the container images and AWS CodeDeploy to publish the container image to the ECS environment.
4. D. Use AWS CodePipeline that triggers on a commit from the GitHub repository, build the container images with AWS CodeBuild, and publish the container images to Amazon EC
5. E. In the final stage, use AWS CloudFormation to create an Amazon ECS environment that gets the container images from the ECR repository.
6. F. Create a Kubernetes Cluster on Amazon EC2. Use AWS CodePipeline to create a pipeline that is triggered when the code is committed to the repositor
7. G. Create the container images with a Jenkins server on EC2 and store them in the Docker Hu
8. H. Use AWS Lambda from the pipeline to trigger the deployment to the Kubernetes Cluster.
9. I. Set up an Amazon ECS environmen
10. J. Use AWS CodePipeline to create a pipeline that is triggered on a commit to the GitHub repositor
11. K. Use AWS CodeBuild to create the container and store it in the Docker Hu
12. L. Use an AWS Lambda function to trigger a deployment and pull the new container image from the Docker Hub.

Correct Answer: A

A company wants to use a grid system for a proprietary enterprise in-memory data store on top of AWS. This system can run in multiple server nodes in any Linux-based distribution. The system must be able to reconfigure the entire cluster every time a node is added or removed. When adding or removing nodes, an / etc./cluster/nodes.config file must be updated, listing the IP addresses of the current node members of that cluster
The company wants to automate the task of adding new nodes to a cluster. What can a DevOps Engineer do to meet these requirements?

1. A. Use AWS OpsWorks Stacks to layer the server nodes of that cluste
2. B. Create a Chef recipe that populates the content of the /etc/cluster/nodes.config file and restarts the service by using the current members of the laye
3. C. Assign that recipe to the Configure lifecycle event.
4. D. Put the file nodes.config in version contro
5. E. Create an AWS CodeDeploy deployment configuration and deployment group based on an Amazon EC2 tag value for the cluster node
6. F. When adding a new node to the cluster, update the file with all tagged instances, and make a commit in version contro
7. G. Deploy the new file and restart the services.
8. H. Create an Amazon S3 bucket and upload a version of the etc/cluster/nodes.config fil
9. I. Create a crontab script that will poll for that S3 file and download it frequentl
10. J. Use a process manager, such as Monit or systemd, to restart the cluster services when it detects that the new file was modifie
11. K. When adding a node to the cluster, edit the file's most recent member
12. L. Upload the new file to the S3 bucket.
13. M. Create a user data script that lists all members of the current security group of the cluster and automatically updates the /etc/cluster/nodes.config file whenever a new instance is added to the cluster

Correct Answer: A
https://docs.aws.amazon.com/opsworks/latest/userguide/workingcookbook-events.html

You currently have the following setup in AWS
1) An Elastic Load Balancer
2) Auto Scaling Group which launches EC2 Instances
3) AMIs with your code pre-installed
You want to deploy the updates of your app to only a certain number of users. You want to have a
cost-effective solution. You should also be able to revert back quickly. Which of the below solutions is the most feasible one?

1. A. Create a second ELB, and a new Auto Scaling Group assigned a new Launch Configuratio
2. B. Create a new AMI with the updated ap
3. C. Use Route53 Weighted Round Robin records to adjust the proportion of traffic hitting the two ELBs.
4. D. Create new AM Is with the new ap
5. E. Then use the new EC2 instances in half proportion to the older instances.
6. F. Redeploy with AWS Elastic Beanstalk and Elastic Beanstalk version
7. G. Use Route 53 Weighted Round Robin records to adjust the proportion of traffic hitting the two ELBs
8. H. Create a full second stack of instances, cut the DNS over to the new stack of instances, and change the DNS back if a rollback is needed.

Correct Answer: A
The Weighted Routing policy of Route53 can be used to direct a proportion of traffic to your application. The best option is to create a second CLB, attach the new Autoscaling Group and then use Route53 to divert the traffic.
Option B is wrong because just having EC2 instances running with the new code will not help.
Option C is wrong because Clastic beanstalk is good for development environments, and also there is no mention of having 2 environments where environment url's
can be swapped.
Option D is wrong because you still need Route53 to split the traffic.
For more information on Route53 routing policies, please refer to the below link:
http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy. html

A company uses federated access for its AWS environment The available roles are created and managed using AWS CloudFormation from a CI/CD pipeline. All changes should be made to the IAM roles through the pipeline. The security team found that changes are being made to the roles out-of-band and would like to detect when this occurs.
Which action will accomplish this?

1. A. Use Amazon Inspector rules to detect and notify when a CloudFormation stack has a configuration change.
2. B. Use an AWS Trusted Advisor CloudWatch Events rule to detect and notify when a CloudFormation stack has a configuration change.
3. C. Use AWS CloudTrail to detect and notify when a CloudFormation stack has detected a configuration change.
4. D. Use an AWS Config rule to detect and notify when a CloudFormation stack has detected a configuration change.

Correct Answer: D