AWS-Certified-DevOps-Engineer-Professional Free Practice Test

A DevOps engineer needs to back up sensitive Amazon S3 objects that are stored within an S3 bucket with a private bucket policy using S3 cross-Region replication functionality. The objects need to be copied to a target bucket in a different AWS Region and account.
Which combination of actions should be performed to enable this replication? (Choose three.)

1. A. Create a replication IAM role in the source account
2. B. Create a replication I AM role in the target account.
3. C. Add statements to the source bucket policy allowing the replication IAM role to replicate objects.
4. D. Add statements to the target bucket policy allowing the replication IAM role to replicate objects.
5. E. Create a replication rule in the source bucket to enable the replication.
6. F. Create a replication rule in the target bucket to enable the replication.

Correct Answer: ADE
S3 cross-Region replication (CRR) automatically replicates data between buckets across different AWS Regions. To enable CRR, you need to add a replication configuration to your source bucket that specifies the destination bucket, the IAM role, and the encryption type (optional). You also need to grant permissions to the IAM role to perform replication actions on both the source and destination buckets. Additionally, you can choose the destination storage class and enable additional replication options such as S3 Replication Time Control (S3 RTC) or S3 Batch Replication. https://medium.com/cloud-
techies/s3-same-region-replication-srr-and-cross-region-replication-crr-34d446806bab https://aws.amazon.com/getting-started/hands-on/replicate-data-using-amazon-s3- replication/ https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication.html

A company's application development team uses Linux-based Amazon EC2 instances as bastion hosts. Inbound SSH access to the bastion hosts is restricted to specific IP addresses, as defined in the associated security groups. The company's security team wants to receive a notification if the security group rules are modified to allow SSH access from any IP address.
What should a DevOps engineer do to meet this requirement?

1. A. Create an Amazon EventBridge rule with a source of aws.cloudtrail and the event name AuthorizeSecurityGroupIngres
2. B. Define an Amazon Simple Notification Service (Amazon SNS) topic as the target.
3. C. Enable Amazon GuardDuty and check the findings for security groups in AWS Security Hu
4. D. Configure an Amazon EventBridge rule with a custom pattern that matches GuardDuty events with an output of NON_COMPLIAN
5. E. Define an Amazon Simple Notification Service (Amazon SNS) topic as the target.
6. F. Create an AWS Config rule by using the restricted-ssh managed rule to check whether security groups disallow unrestricted incoming SSH traffi
7. G. Configure automatic remediation to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.
8. H. Enable Amazon Inspecto
9. I. Include the Common Vulnerabilities and Exposures-1.1 rules package to check the security groups that are associated with the bastion host
10. J. Configure Amazon Inspector to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.

Correct Answer: A
https://aws.amazon.com/premiumsupport/knowledge-center/monitor-security-group-changes-ec2/

A company is using an organization in AWS Organizations to manage multiple AWS accounts. The company's development team wants to use AWS Lambda functions to meet resiliency requirements and is rewriting all applications to work with Lambda functions that are deployed in a VPC. The development team is using Amazon Elastic Pile System (Amazon EFS) as shared storage in Account A in the organization.
The company wants to continue to use Amazon EPS with Lambda Company policy requires all serverless projects to be deployed in Account B.
A DevOps engineer needs to reconfigure an existing EFS file system to allow Lambda functions to access the data through an existing EPS access point.
Which combination of steps should the DevOps engineer take to meet these requirements? (Select THREE.)

1. A. Update the EFS file system policy to provide Account B with access to mount and write to the EFS file system in Account A.
2. B. Create SCPs to set permission guardrails with fine-grained control for Amazon EFS.
3. C. Create a new EFS file system in Account B Use AWS Database Migration Service (AWS DMS) to keep data from Account A and Account B synchronized.
4. D. Update the Lambda execution roles with permission to access the VPC and the EFS file system.
5. E. Create a VPC peering connection to connect Account A to Account B.
6. F. Configure the Lambda functions in Account B to assume an existing IAM role in Account A.

Correct Answer: AEF
A Lambda function in one account can mount a file system in a different account. For this scenario, you configure VPC peering between the function VPC and the file system VPC. https://docs.aws.amazon.com/lambda/latest/dg/services-efs.html https://aws.amazon.com/ru/blogs/storage/mount-amazon-efs-file-systems-cross-account- from-amazon-eks/
* 1. Need to update the file system policy on EFS to allow mounting the file system into Account B.
## File System Policy
$ cat file-system-policy.json
{
"Statement": [
{
"Effect": "Allow", "Action": [
"elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"
],
"Principal": {
"AWS": "arn:aws:iam:::root" # Replace with AWS account ID of EKS cluster
}
}
]
}
* 2. Need VPC peering between Account A and Account B as the pre-requisite
* 3. Need to assume cross-account IAM role to describe the mounts so that a specific mount can be chosen.

A company wants to set up a continuous delivery pipeline. The company stores application code in a private GitHub repository. The company needs to deploy the application components to Amazon Elastic Container Service (Amazon ECS). Amazon EC2, and AWS Lambda. The pipeline must support manual approval actions.
Which solution will meet these requirements?

1. A. Use AWS CodePipeline with Amazon EC
2. B. Amazon EC2, and Lambda as deploy providers.
3. C. Use AWS CodePipeline with AWS CodeDeploy as the deploy provider.
4. D. Use AWS CodePipeline with AWS Elastic Beanstalk as the deploy provider.
5. E. Use AWS CodeDeploy with GitHub integration to deploy the application.

Correct Answer: B
https://docs.aws.amazon.com/codedeploy/latest/userguide/deployment- steps.html

A company has many applications. Different teams in the company developed the applications by using multiple languages and frameworks. The applications run on premises and on different servers with different operating systems. Each team has its own release protocol and process. The company wants to reduce the complexity of the release and maintenance of these applications.
The company is migrating its technology stacks, including these applications, to AWS. The
company wants centralized control of source code, a consistent and automatic delivery pipeline, and as few maintenance tasks as possible on the underlying infrastructure.
What should a DevOps engineer do to meet these requirements?

1. A. Create one AWS CodeCommit repository for all application
2. B. Put each application's code in a different branc
3. C. Merge the branches, and use AWS CodeBuild to build the application
4. D. Use AWS CodeDeploy to deploy the applications to one centralized application server.
5. E. Create one AWS CodeCommit repository for each of the application
6. F. Use AWS CodeBuild to build the applications one at a tim
7. G. Use AWS CodeDeploy to deploy the applications to one centralized application server.
8. H. Create one AWS CodeCommit repository for each of the application
9. I. Use AWS CodeBuild to build the applications one at a time and to create one AMI for each serve
10. J. Use AWS CloudFormation StackSets to automatically provision and decommission Amazon EC2 fleets by using these AMIs.
11. K. Create one AWS CodeCommit repository for each of the application
12. L. Use AWS CodeBuild to build one Docker image for each application in Amazon Elastic Container Registry (Amazon ECR). Use AWS CodeDeploy to deploy the applications to Amazon Elastic Container Service (Amazon ECS) on infrastructure that AWS Fargate manages.

Correct Answer: D
because of "as few maintenance tasks as possible on the underlying infrastructure". Fargate does that better than "one centralized application server"