A financial institution provides security-hardened AMIs of Red Hat Enterprise Linux 7.4 and Windows Server 2016 for its application teams to use in deployments.
A DevOps Engineer needs to implement an automated daily check of each AMI to monitor for the latest CVE.
How should the Engineer implement these checks using Amazon Inspector?

1. A. Install the Amazon Inspector agent in each AM
2. B. Configure AWS Step Functions to launch an Amazon EC2 instance for each operating system from the hardened AMI, and tag the instance with SecurityCheck: Tru
3. C. Once EC2 instances have booted up, Step Functions will trigger an Amazon Inspector assessment for all instances with the tag SecurityCheck: Tru
4. D. Implement a scheduled Amazon CloudWatch Events rule that triggers Step Functions once each day.
5. E. Tag each AMI with SecurityCheck: Tru
6. F. Configure AWS Step Functions to first compose an Amazon Inspector assessment template for all AMIs that have the tag SecurityCheck: True and second to make a call to the Amazon Inspector API action StartAssessmentRu
7. G. Implement a scheduled Amazon CloudWatch Events rule that triggers Step Functions once each day.
8. H. Tag each AMI with SecurityCheck: Tru
9. I. Implement a scheduled Amazon Inspector assessment to run once each day for all AMIs with the tag SecurityCheck: Tru
10. J. Amazon Inspector should automatically launch an Amazon EC2 instance for each AMI and perform a security assessment.
11. K. Tag each instance with SecurityCheck: Tru
12. L. Implement a scheduled Amazon Inspector assessment to run once each day for all instances with the tag SecurityCheck: Tru
13. M. Amazon Inspector should automatically perform an in-place security assessment for each AMI.

Correct Answer: A
https://aws.amazon.com/pt/blogs/security/how-to-set-up-continuous-golden-ami-vulnerability-assessments-with

A company needs to introduce automatic DNS failover for a distributed web application to a disaster recovery or standby installation. The DevOps Engineer plans to configure Amazon Route 53 to provide DNS routing to alternate endpoint in the event of an application failure. What steps should the Engineer take to accomplish this? (Select TWO.)

1. A. Create Amazon Route 53 health checks for each endpoint that cannot be entered as alias record
2. B. Ensure firewall and routing rules allow Amazon Route 53 to send requests to the endpoints that are specified in the health checks.
3. C. Create alias records that route traffic to AWS resources and set the value of the Evaluate Target Health option to Yes, then create all the non-alias records.
4. D. Create a governing Amazon Route 53 record set, set it to failover, and associate it with the primary and secondary Amazon Route 53 record sets to distribute traffic to healthy DNS entries.
5. E. Create an Amazon CloudWatch alarm to monitor the primary Amazon Route 53 DNS entr
6. F. Then createan associated AWS Lambda function to execute the failover API call to Route 53 to the secondary DNS entry.

Correct Answer: AC

A defect was discovered in production and a new sprint item has been created for deploying a hotfix. However, any code change must go through the following steps before going into production:
*Scan the code for security breaches, such as password and access key leaks. Run the code through extensive, long running unit tests.
Which source control strategy should a DevOps Engineer use in combination with AWS CodePipeline to complete this process?

1. A. Create a hotfix tag on the last commit of the master branc
2. B. Trigger the development pipeline from the hotfix ta
3. C. Use AWS CodeDeploy with Amazon ECS to do a content scan and run unit test
4. D. Add a manual approval stage that merges the hotfix tag into the master branch.
5. E. Create a hotfix branch from the master branc
6. F. Triger the development pipeline from the hotfix branch.Use AWS CodeBuild to do a content scan and run unit test
7. G. Add a manual approval stage that merges the hotfix branch into the master branch.
8. H. Create a hotfix branch from the master branc
9. I. Triger the development pipeline from the hotfix branch.Use AWS Lambda to do a content scan and run unit test
10. J. Add a manual approval stage that merges the hotfix branch into the master branch.
11. K. Create a hotfix branch from the master branc
12. L. Create a separate source stage for the hotfix branch in the production pipelin
13. M. Trigger the pipeline from the hotfix branc
14. N. Use AWS Lambda to do a content scan and use AWS CodeBuild to run unit test
15. O. Add a manual approval stage that merges the hotfix branch into the master branch.

Correct Answer: B

A company wants to ensure that their EC2 instances are secure. They want to be notified if any new vulnerabilities are discovered on their instances, and they also want an audit trail of all login activities on the instances.
Which solution will meet these requirements?

1. A. Use AWS Systems Manager to detect vulnerabilities on the EC2 instance
2. B. Install the Amazon Kinesis Agent to capture system logs and deliver them to Amazon S3.
3. C. Use AWS Systems Manager to detect vulnerabilities on the EC2 instance
4. D. Install the Systems Manager Agent to capture system logs and view login activity in the CloudTrail console.
5. E. Configure Amazon CloudWatch to detect vulnerabilities on the EC2 instance
6. F. Install the AWS Config daemon to capture system logs and view them in the AWS Config console.
7. G. Configure Amazon Inspector to detect vulnerabilities on the EC2 instance
8. H. Install the Amazon CloudWatch Agent to capture system logs and record them via Amazon CloudWatch Logs.

Correct Answer: D

A company’s legacy application uses IAM user credentials to access resources in the company’s AWS Organizations organization. A DevOps engineer needs to ensure new IAM users cannot be created unless the employee creating the IAM user is on an exception list.
Which solution will meet these requirements?

1. A. Attach an Organizations SCP with an explicit deny for all iam:CreateAccessKey actions with a condition that excludes StringNotEquals for aws:username with a value of the exception list.
2. B. Attach an Organizations SCP with an explicit deny for all iam:CreateUser actions with a condition that includes StringEquals for aws:username with a value of the exception list.
3. C. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with a pattern that matches the iam:CreateAccessKey action with an AWS Lambda function targe
4. D. The function will check the user name account against an exception lis
5. E. If the user is not in the exception list, the function will delete the user.
6. F. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with a pattern that matches the iam:CreateUser action with an AWS Lambda function targe
7. G. The function will check the user name and account against an exception lis
8. H. If the user is not in the exception list, the function will delete the user.

Correct Answer: B