- (Exam Topic 1)
A SysOps administrator applies the following policy to an AWS CloudFormation stack:

What is the result of this policy?

1. A. Users that assume an IAM role with a logical ID that begins with "Production" are prevented from running the update-stack command.
2. B. Users can update all resources in the stack except for resources that have a logical ID that begins with "Production".
3. C. Users can update all resources in the stack except for resources that have an attribute that begins with "Production".
4. D. Users in an IAM group with a logical ID that begins with "Production" are prevented from running the update-stack command.

Correct Answer: B

- (Exam Topic 1)
A company hosts an internal application on Amazon EC2 instances. All application data and requests route through an AWS Site-to-Site VPN connection between the on-premises network and AWS. The company must monitor the application for changes that allow network access outside of the corporate network. Any change that exposes the application externally must be restricted automatically.
Which solution meets these requirements in the MOST operationally efficient manner?

1. A. Create an AWS Lambda function that updates security groups that are associated with the elastic network interface to remove inbound rules with noncorporate CIDR range
2. B. Turn on VPC Flow Logs, and send the logs to Amazon CloudWatch Log
3. C. Create an Amazon CloudWatch alarm that matches traffic from noncorporate CIDR ranges, and publish a message to an Amazon Simple Notification Service (Amazon SNS) topic with the Lambda function as a target.
4. D. Create a scheduled Amazon EventBridge (Amazon CloudWatch Events) rule that targets an AWS Systems Manager Automation document to check for public IP addresses on the EC2 instance
5. E. If public IP addresses are found on the EC2 instances, initiate another Systems Manager Automation document to terminate the instances.
6. F. Configure AWS Config and a custom rule to monitor whether a security group allows inbound requestsfrom noncorporate CIDR range
7. G. Create an AWS Systems Manager Automation document to remove any noncorporate CIDR ranges from the application security groups.
8. H. Configure AWS Config and the managed rule for monitoring public IP associations with the EC2 instances by ta
9. I. Tag the EC2 instances with an identifie
10. J. Create an AWS Systems Manager Automation document to remove the public IP association from the EC2 instances.

Correct Answer: C
https://aws.amazon.com/blogs/security/how-to-auto-remediate-internet-accessible-ports-with-aws-config-and-aw

- (Exam Topic 1)
An AWS Lambda function is intermittently failing several times a day A SysOps administrator must find out how often this error has occurred in the last 7 days Which action will meet this requirement in the MOST operationally efficient manner?

1. A. Use Amazon Athena to query the Amazon CloudWatch logs that are associated with the Lambda function
2. B. Use Amazon Athena to query the AWS CloudTrail logs that are associated with the Lambda function
3. C. Use Amazon CloudWatch Logs Insights to query the associated Lambda function logs
4. D. Use Amazon Elasticsearch Service (Amazon ES) to stream the Amazon CloudWatch logs for the Lambda function

Correct Answer: C

- (Exam Topic 1)
With the threat of ransomware viruses encrypting and holding company data hostage, which action should be taken to protect an Amazon S3 bucket?

1. A. Deny Pos
2. B. Pu
3. C. and Delete on the bucket.
4. D. Enable server-side encryption on the bucket.
5. E. Enable Amazon S3 versioning on the bucket.
6. F. Enable snapshots on the bucket.

Correct Answer: B

- (Exam Topic 1)
A company needs to restrict access to an Amazon S3 bucket to Amazon EC2 instances in a VPC only. All traffic must be over the AWS private network.
What actions should the SysOps administrator take to meet these requirements?

1. A. Create a VPC endpoint for the S3 bucket, and create an IAM policy that conditionally limits all S3 actions on the bucket to the VPC endpoint as the source.
2. B. Create a VPC endpoint for the S3 bucket, and create an S3 bucket policy that conditionally limits all S3 actions on the bucket to the VPC endpoint as the source.
3. C. Create a service-linked role for Amazon EC2 that allows the EC2 instances to interact directly with Amazon S3, and attach an IAM policy to the role that allows the EC2 instances full access to the S3 bucket.
4. D. Create a NAT gateway in the VPC, and modify the VPC route table to route all traffic destined for Amazon S3 through the NAT gateway.

Correct Answer: B
While IAM policy (letter A) also can be used, it does not enforce everyone. The only option that enforces everyone is policy configured directly in the bucket S3.