Examice

Exam DOP-C02 All QuestionsBrowse all questions from this exam

Question 220

A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company needs an automated process across all AWS accounts to isolate any compromised Amazon EC2 instances when the instances receive a specific tag.

Which combination of steps will meet these requirements? (Choose two.)

Use AWS CloudFormation StackSets to deploy the CloudFormation stacks in all AWS accounts.

Create an SCP that has a Deny statement for the ec2:* action with a condition of "aws:RequestTag/isolation": false.

Attach the SCP to the root of the organization.

Create an AWS CloudFormation template that creates an EC2 instance role that has no IAM policies attached. Configure the template to have a security group that has an explicit Deny rule on all traffic. Use the CloudFormation template to create an AWS Lambda function that attaches the IAM role to instances. Configure the Lambda function to add a network ACL. Set up an Amazon EventBridge rule to invoke the Lambda function when a specific tag is applied to a compromised EC2 instance.

Create an AWS CloudFormation template that creates an EC2 instance role that has no IAM policies attached. Configure the template to have a security group that has no inbound rules or outbound rules. Use the CloudFormation template to create an AWS Lambda function that attaches the IAM role to instances. Configure the Lambda function to replace any existing security groups with the new security group. Set up an Amazon EventBridge rule to invoke the Lambda function when a specific tag is applied to a compromised EC2 instance.

Correct Answer: A, E

To meet the requirement of automatically isolating compromised Amazon EC2 instances across all AWS accounts when they receive a specific tag, you should use AWS CloudFormation StackSets and a CloudFormation template integrated with AWS Lambda and Amazon EventBridge. AWS CloudFormation StackSets can be used to deploy the necessary CloudFormation stacks across multiple AWS accounts within the organization, ensuring consistency and automation. The CloudFormation template should create an EC2 instance role with no IAM policies attached and a security group with no inbound or outbound rules to effectively isolate the instances. The template should also create an AWS Lambda function to attach this role and security group to compromised instances when a specific tag is applied. An Amazon EventBridge rule will trigger this Lambda function upon the tagging of compromised instances, automating their isolation.

Discussion

Jay_2pt0_1Options: AE

What a weirdly worded question. I tend to agree with A & E. We need to isolate an EC2 that has a certain tag.

fdoxxxOptions: BC

in my opinion it could not be AE because we would need a mechanism to apply this template to the right EC2 - I would vote for BC

dkpOptions: AE

ill go with AE

ogerberOptions: AE

A,E for me

MalonJay

AE The question says isolate. What does isolate mean? Prevent outgoing and incoming traffic.

trungtdOptions: AE

This CloudFormation template creates the necessary resources: An EC2 instance role with no IAM policies, ensuring the instance cannot perform any actions. A security group with no inbound or outbound rules, effectively isolating the instance from all network traffic. A Lambda function that will be triggered by an EventBridge rule when a specific tag is applied to an EC2 instance. This function will attach the isolated security group to the compromised instance, ensuring it is isolated from any network communication. Combining these steps will provide an automated and consistent approach to isolate compromised EC2 instances across all AWS accounts in the organization.

xdkonorek2Options: AE

BD is wrong isolating the instance doesn't mean "don't touch it" with aws actions but to block traffic from and to it

seetptOptions: BC

BC for me

seetptOptions: BC

BC for me

vn_thanhtung

so funny, how to isolate incoming traffic. B,C means deny action with EC2

vn_thanhtung

Answer is A, E

Ola2234

CE for me. Option D is wrong because we can not use Security Group for an explicit deny rule. Option B is quite misleading with the resourceTagIsolation set to False instead of True.