Cyber Monday 2024! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

Amazon Exam DOP-C02 Topic 9 Question 27 Discussion

Actual exam question for Amazon's DOP-C02 exam
Question #: 27
Topic #: 9
[All DOP-C02 Questions]

A company uses Amazon EC2 as its primary compute platform. A DevOps team wants to audit the company's EC2 instances to check whether any prohibited applications have been installed on the EC2 instances.

Which solution will meet these requirements with the MOST operational efficiency?

Show Suggested Answer Hide Answer
Suggested Answer: A

* Configure AWS Systems Manager on Each Instance:

AWS Systems Manager provides a unified interface for managing AWS resources. Install the Systems Manager agent on each EC2 instance to enable inventory management and other features.

* Use AWS Systems Manager Inventory:

Systems Manager Inventory collects metadata about your instances and the software installed on them. This data includes information about applications, network configurations, and more.

Enable Systems Manager Inventory on all EC2 instances to gather detailed information about installed applications.

* Use Systems Manager Resource Data Sync to Synchronize and Store Findings in an Amazon S3 Bucket:

Resource Data Sync aggregates inventory data from multiple accounts and regions into a single S3 bucket, making it easier to query and analyze the data.

Configure Resource Data Sync to automatically transfer inventory data to an S3 bucket for centralized storage.

* Create an AWS Lambda Function that Runs When New Objects are Added to the S3 Bucket:

Use an S3 event to trigger a Lambda function whenever new inventory data is added to the S3 bucket.

The Lambda function can parse the inventory data and check for the presence of prohibited applications.

* Configure the Lambda Function to Identify Prohibited Applications:

The Lambda function should be programmed to scan the inventory data for any known prohibited applications and generate alerts or take appropriate actions if such applications are found.

Example Lambda function in Python

import json

import boto3

def lambda_handler(event, context):

s3 = boto3.client('s3')

bucket = event['Records'][0]['s3']['bucket']['name']

key = event['Records'][0]['s3']['object']['key']

response = s3.get_object(Bucket=bucket, Key=key)

inventory_data = json.loads(response['Body'].read().decode('utf-8'))

prohibited_apps = ['app1', 'app2']

for instance in inventory_data['Instances']:

for app in instance['Applications']:

if app['Name'] in prohibited_apps:

# Send notification or take action

print(f'Prohibited application found: {app['Name']} on instance {instance['InstanceId']}')

return {'statusCode': 200, 'body': json.dumps('Check completed')}

By leveraging AWS Systems Manager Inventory, Resource Data Sync, and Lambda, this solution provides an efficient and automated way to audit EC2 instances for prohibited applications.


AWS Systems Manager Inventory

AWS Systems Manager Resource Data Sync

S3 Event Notifications

AWS Lambda

Contribute your Thoughts:

Laticia
5 months ago
Haha, I wonder if the prohibited apps are things like Doom or Solitaire. Gotta keep those productivity-killers off the company servers!
upvoted 0 times
Lewis
4 months ago
D) Designate Amazon CloudWatch Logs as the log destination for all application instances Run an automated script across all instances to create an inventory of installed applications Configure the script to forward the results to CloudWatch Logs Create a CloudWatch alarm that uses filter patterns to search log data to identify prohibited applications.
upvoted 0 times
...
Kirk
4 months ago
C) Configure AWS Systems Manager on each instance. Use Systems Manager Inventory. Filter a trail in AWS CloudTrail for Systems Manager Inventory events to identify prohibited applications.
upvoted 0 times
...
Latricia
4 months ago
B) Configure AWS Systems Manager on each instance Use Systems Manager Inventory Create AWS Config rules that monitor changes from Systems Manager Inventory to identify prohibited applications.
upvoted 0 times
...
Una
5 months ago
A) Configure AWS Systems Manager on each instance Use AWS Systems Manager Inventory Use Systems Manager resource data sync to synchronize and store findings in an Amazon S3 bucket Create an AWS Lambda function that runs when new objects are added to the S3 bucket. Configure the Lambda function to identify prohibited applications.
upvoted 0 times
...
...
Maxima
5 months ago
C is a good option, but I'm not sure filtering CloudTrail events is as efficient as the dedicated inventory and notification approach in A and B.
upvoted 0 times
...
Eura
5 months ago
I'm not sure, I think option B could also be a good choice with AWS Config rules monitoring changes from Systems Manager Inventory.
upvoted 0 times
...
Rolland
5 months ago
I agree with Sue. Option A seems to be the most operational efficient solution for auditing EC2 instances.
upvoted 0 times
...
Corrie
5 months ago
D looks like a lot of manual work compared to the other options. Relying on CloudWatch Logs and custom scripts doesn't seem as streamlined as the Systems Manager solutions.
upvoted 0 times
Aliza
4 months ago
C) Configure AWS Systems Manager on each instance. Use Systems Manager Inventory. Filter a trail in AWS CloudTrail for Systems Manager Inventory events to identify prohibited applications.
upvoted 0 times
...
Tequila
5 months ago
A) Configure AWS Systems Manager on each instance Use AWS Systems Manager Inventory Use Systems Manager resource data sync to synchronize and store findings in an Amazon S3 bucket Create an AWS Lambda function that runs when new objects are added to the S3 bucket. Configure the Lambda function to identify prohibited applications.
upvoted 0 times
...
...
Jeannetta
6 months ago
I'm leaning towards B. The Config rules will continuously monitor for changes and detect any prohibited apps, which is pretty efficient in my opinion.
upvoted 0 times
Margo
5 months ago
Yeah, it's definitely efficient to have Config rules in place for that.
upvoted 0 times
...
Stefan
5 months ago
I think B is a good choice too. Continuous monitoring is key.
upvoted 0 times
...
...
Sue
6 months ago
I think option A is the best choice because it uses AWS Systems Manager Inventory and AWS Lambda function to identify prohibited applications efficiently.
upvoted 0 times
...
Coleen
6 months ago
Option A seems the most efficient. Using AWS Systems Manager Inventory and S3 integration with a Lambda function to identify prohibited apps is a robust solution.
upvoted 0 times
Caitlin
5 months ago
Option C might be a bit more complex with filtering CloudTrail events, but it could still be effective.
upvoted 0 times
...
Jade
5 months ago
Option B could also work by configuring AWS Config rules to monitor changes from Systems Manager Inventory.
upvoted 0 times
...
Lezlie
5 months ago
I agree, option A with AWS Systems Manager Inventory and S3 integration seems like the best choice.
upvoted 0 times
...
...

Save Cancel