Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

Amazon Exam DOP-C02 Topic 6 Question 36 Discussion

Actual exam question for Amazon's DOP-C02 exam
Question #: 36
Topic #: 6
[All DOP-C02 Questions]

A company uses an organization in AWS Organizations to manage multiple AWS accounts The company needs an automated process across all AWS accounts to isolate any compromised Amazon EC2 instances when the instances receive a specific tag.

Which combination of steps will meet these requirements? (Select TWO.)

Show Suggested Answer Hide Answer
Suggested Answer: A, E

This corresponds to Option A: Use AWS CloudFormation StackSets to deploy the CloudFormation stacks in all AWS accounts.

* Step 2: Isolate EC2 Instances using Lambda and Security Groups When an EC2 instance is compromised, it needs to be isolated from the network. This can be done by creating a security group with no inbound or outbound rules and attaching it to the instance. A Lambda function can handle this process and can be triggered automatically by an Amazon EventBridge rule when a specific tag (e.g., 'isolation') is applied to the compromised instance.

Action: Create a Lambda function that attaches an isolated security group (with no inbound or outbound rules) to the compromised EC2 instances. Set up an EventBridge rule to trigger the Lambda function when the 'isolation' tag is applied to the instance.

Why: This automates the isolation process, ensuring that any compromised instances are immediately cut off from the network, reducing the potential damage from the compromise.

This corresponds to Option E: Create an AWS CloudFormation template that creates an EC2 instance role that has no IAM policies attached. Configure the template to have a security group that has no inbound rules or outbound rules. Use the CloudFormation template to create an AWS Lambda function that attaches the IAM role to instances. Configure the Lambda function to replace any existing security groups with the new security group. Set up an Amazon EventBridge rule to invoke the Lambda function when a specific tag is applied to a compromised EC2 instance.

Contribute your Thoughts:

Izetta
4 days ago
Haha, an 'explicit Deny' rule on all traffic? That's like locking yourself in a room and throwing away the key.
upvoted 0 times
...
Jeniffer
6 days ago
I'm glad they're using an SCP to restrict access. It's like having a bouncer at the door, keeping the bad guys out.
upvoted 0 times
...
Carolynn
9 days ago
Isolating compromised EC2 instances? That's like putting a band-aid on a bullet wound, but at least it's better than nothing.
upvoted 0 times
...
Maile
13 days ago
But we also need to create an SCP with a Deny statement for the ec2 action to isolate compromised instances.
upvoted 0 times
...
Fredric
14 days ago
I agree. It will help automate the process across all AWS accounts.
upvoted 0 times
...
Krissy
17 days ago
I think we should use AWS Cloud Formation StackSets to deploy the necessary resources.
upvoted 0 times
...
Mila
25 days ago
Woah, this question is like a maze of AWS services! I hope I don't get lost in the CloudFormation and StackSets.
upvoted 0 times
Krissy
3 days ago
A: I think using CloudFormation StackSets to deploy resources across all accounts is key here.
upvoted 0 times
...
Hector
9 days ago
B: I know, it's like a puzzle trying to figure out the right combination of steps.
upvoted 0 times
...
Diane
13 days ago
A: Yeah, this question is definitely testing our knowledge of AWS services.
upvoted 0 times
...
...

Save Cancel