UPDATED [2023] Pass Amazon AWS-DevOps-Engineer-Professional Exam in First Attempt Guaranteed [Q91-Q113]


Pass AWS-DevOps-Engineer-Professional Exam Latest Practice Questions


To be eligible for the AWS-DevOps exam, candidates must have at least two years of experience in provisioning, operating, and managing AWS environments. They should also have a strong understanding of DevOps methodologies and practices, including continuous integration and delivery (CI/CD), infrastructure as code (IaC), and monitoring and logging. The exam consists of 75 multiple-choice and multiple-response questions, and candidates have 180 minutes to complete it.

 

NEW QUESTION # 91
A company wants to ensure that their EC2 instances are secure. They want to be notified if any new vulnerabilities are discovered on their instances, and they also want an audit trail of all login activities on the instances.
Which solution will meet these requirements?

  • A. Use AWS Systems Manager to detect vulnerabilities on the EC2 instances. Install the Amazon Kinesis Agent to capture system logs and deliver them to Amazon S3.
  • B. Use AWS Systems Manager to detect vulnerabilities on the EC2 instances. Install the Systems Manager Agent to capture system logs and view login activity in the CloudTrail console.
  • C. Configure Amazon Inspector to detect vulnerabilities on the EC2 instances. Install the Amazon CloudWatch Agent to capture system logs and record them via Amazon CloudWatch Logs.
  • D. Configure Amazon CloudWatch to detect vulnerabilities on the EC2 instances. Install the AWS Config daemon to capture system logs and view them in the AWS Config console.

Answer: C


NEW QUESTION # 92
You are a DevOps Engineer for your company. You are responsible for creating CloudFormation templates for your company. There is a requirement to ensure that an S3 bucket is created for all resources in development for logging purposes. How would you achieve this?

  • A. Create a parameter in the CloudFormation template and then use the Condition clause in the template to create an S3 bucket if the parameter has a value of development
  • B. Use the metadata section in the CloudFormation template to decide on whether to create the S3 bucket or not.
  • C. Create an S3 bucket from before and then just provide access based on the tag value mentioned in the CloudFormation template
  • D. Create separate CloudFormation templates for Development and production.

Answer: A

Explanation:
The AWS documentation mentions the following:
You might use conditions when you want to reuse a template that can create resources in different contexts, such as a test environment versus a production environment. In your template, you can add an EnvironmentType input parameter, which accepts either prod or test as inputs. For the production environment, you might include Amazon EC2 instances with certain capabilities; however, for the test environment, you want to use reduced capabilities to save money. With conditions, you can define which resources are created and how they're configured for each environment type.
For more information on CloudFormation conditions, please visit the URL below:
* http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/conditions-section-structure.html


NEW QUESTION # 93
A financial institution provides security-hardened AMIs of Red Hat Enterprise Linux 7.4 and Windows Server 2016 for its application teams to use in deployments. A DevOps Engineer needs to implement an automated daily check of each AMI to monitor for the latest CVE.
How should the Engineer implement these checks using Amazon Inspector?

  • A. Tag each instance with SecurityCheck: True. Implement a scheduled Amazon Inspector assessment to run once each day for all instances with the tag SecurityCheck: True. Amazon Inspector should automatically perform an in-place security assessment for each AMI.
  • B. Tag each AMI with SecurityCheck: True. Implement a scheduled Amazon Inspector assessment to run once each day for all AMIs with the tag SecurityCheck: True. Amazon Inspector should automatically launch an Amazon EC2 instance for each AMI and perform a security assessment.
  • C. Tag each AMI with SecurityCheck: True. Configure AWS Step Functions to first compose an Amazon Inspector assessment template for all AMIs that have the tag SecurityCheck: True and second to make a call to the Amazon Inspector API action StartAssessmentRun. Implement a scheduled Amazon CloudWatch Events rule that triggers Step Functions once each day.
  • D. Install the Amazon Inspector agent in each AMI. Configure AWS Step Functions to launch an Amazon EC2 instance for each operating system from the hardened AMI, and tag the instance with SecurityCheck: True. Once EC2 instances have booted up, Step Functions will trigger an Amazon Inspector assessment for all instances with the tag SecurityCheck: True. Implement a scheduled Amazon CloudWatch Events rule that triggers Step Functions once each day.

Answer: D


NEW QUESTION # 94
A company is using AWS for an application. The Development team must automate its deployments. The team has set up an AWS CodePipeline to deploy the application to Amazon EC2 instances by using AWS CodeDeploy after it has been built using the AWS CodeBuild service. The team would like to add automated testing to the pipeline to confirm that the application is healthy before deploying it to the next stage of the pipeline using the same code. The team requires a manual approval action before the application is deployed, even if the test is successful. The testing and approval must be accomplished at the lowest costs, using the simplest management solution. Which solution will meet these requirements?

  • A. Add a test action after the last deploy action of the pipeline. Configure the action to use CodeBuild to perform the required tests. If these tests are successful, mark the action as successful. Add a manual approval action that uses Amazon SNS to notify the team, and add a deploy action to deploy the application to the next stage.
  • B. Create a new pipeline that uses a source action that gets the code from the same repository as the first pipeline. Add a deploy action to deploy the code to a test environment. Use a test action using AWS Lambda to test the deployment. Add a manual approval action by using Amazon SNS to notify the team, and add a deploy action to deploy the application to the next stage.
  • C. Add a manual approval action after the last deploy action of the pipeline. Use Amazon SNS to inform the team of the stage being triggered. Next, add a test action using CodeBuild to do the required tests. At the end of the pipeline, add a deploy action to deploy the application to the next stage.
  • D. Add a test action after the last deployment action. Use a Jenkins server on Amazon EC2 to do the required tests and mark the action as successful if the tests pass. Create a manual approval action that uses Amazon SQS to notify the team and add a deploy action to deploy the application to the next stage.

Answer: A

Explanation:
https://docs.aws.amazon.com/codebuild/latest/userguide/sample-build-notifications.html


NEW QUESTION # 95
An Information Security policy requires that all publicly accessible systems be patched with critical OS security patches within 24 hours of a patch release. All instances are tagged with the Patch Group key set to 0. Two new AWS Systems Manager patch baselines for Windows and Red Hat Enterprise Linux (RHEL) with zero-day delay for security patches of critical severity were created with an auto-approval rule. Patch Group 0 has been associated with the new patch baselines.
Which two steps will automate patch compliance and reporting? (Select TWO.)

  • A. Use the AWS Systems Manager Run Command to associate the AWS-ApplyPatchBaseline document with instances tagged with Patch Group 0.
  • B. Create an AWS Systems Manager Maintenance Window and add a target with Patch Group 0. Add a task that runs the AWS-ApplyPatchBaseline document with a daily schedule.
  • C. Create an AWS Systems Manager Maintenance Window and add a target with Patch Group 0. Add a task that runs the AWS-InstallWindowsUpdates document with a daily schedule.
  • D. Create an AWS Systems Manager State Manager configuration. Associate the AWS-RunPatchBaseline task with the configuration and add a target with Patch Group 0.
  • E. Create an AWS Systems Manager Maintenance Window with a daily schedule and add a target with Patch Group 0. Add a task that runs the AWS-RunPatchBaseline document with the Install action.

Answer: C,D


NEW QUESTION # 96
Your company has developed a web application and is hosting it in an Amazon S3 bucket configured for static website hosting.
The application is using the AWS SDK for JavaScript in the browser to access data stored in an Amazon DynamoDB table.
How can you ensure that API keys for access to your data in DynamoDB are kept secure?

  • A. Configure S3 bucket tags with your AWS access keys for your bucket hosting your website so that the application can query them for access.
  • B. Store AWS keys in global variables within your application and configure the application to use these credentials when making requests.
  • C. Configure a web identity federation role within IAM to enable access to the correct DynamoDB resources and retrieve temporary credentials.
  • D. Create an Amazon S3 role in IAM with access to the specific DynamoDB tables, and assign it to the bucket hosting your website.

Answer: C


NEW QUESTION # 97
A company is using AWS CodeBuild, AWS CodeDeploy, and AWS CodePipeline to deploy applications automatically to an Amazon EC2 instance. A DevOps Engineer needs to perform a security assessment scan of the operating system on every application deployment to the environment.
How should this be automated?

  • A. Use Amazon CloudWatch Events to monitor for Auto Scaling event notifications of new instances and configure CloudWatch Events to trigger an Amazon Inspector scan.
  • B. Use Amazon Inspector as a CodePipeline task after the successful use of CodeDeploy to deploy the code to the systems.
  • C. Use Amazon CloudWatch Events to monitor for AWS CodeDeploy notifications of a successful code deployment and configure CloudWatch Events to trigger an Amazon Inspector scan.
  • D. Use Amazon CloudWatch Events to monitor for CodePipeline notifications of a successful code deployment and configure CloudWatch Events to trigger an AWS X-Ray scan.

Answer: A


NEW QUESTION # 98
You are currently using Elastic Beanstalk to host your production environment. You need to roll out updates to your application hosted on this environment. This is a critical application, which is why there is a requirement that the rollback, if required, should be carried out with the least amount of downtime. Which of the following deployment strategies would ideally help achieve this purpose?

  • A. Use Rolling updates in Elastic Beanstalk so that if the deployment fails, the rolling updates feature would roll back to the last deployment.
  • B. Create another parallel environment in Elastic Beanstalk. Use the Swap URL feature.
  • C. Create another parallel environment in Elastic Beanstalk. Create a new Route53 Domain name for the new environment and release that URL to the users.
  • D. Create a Cloudformation template with the same resources as those in the Elastic beanstalk environment.
    If the deployment fails, deploy the Cloudformation template.

Answer: B

Explanation:
Since the requirement is to have the least amount of downtime, the ideal way is to create a blue/green deployment environment and then use the Swap URL feature to swap environments for the new deployment, and then do the swap back in case the deployment fails.
The AWS documentation mentions the following on the Swap URL feature of Elastic Beanstalk:
Because Elastic Beanstalk performs an in-place update when you update your application versions, your application may become unavailable to users for a short period of time. It is possible to avoid this downtime by performing a blue/green deployment, where you deploy the new version to a separate environment, and then swap CNAMEs of the two environments to redirect traffic to the new version instantly.


NEW QUESTION # 99
Which is not a restriction on AWS EBS Snapshots?

  • A. Snapshots which are shared cannot be used as a basis for other snapshots.
  • B. You cannot share unencrypted snapshots.
  • C. Snapshot restorations are restricted to the region in which the snapshots are created.
  • D. You cannot share a snapshot containing an AWS Access Key ID or AWS Secret Access Key.

Answer: A

Explanation:
Snapshots shared with other users are usable in full by the recipient, including but not limited to the ability to base modified volumes and snapshots.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html


NEW QUESTION # 100
Which of the following are ways to secure data at rest and in transit in AWS? Choose 3 answers from the options given below.

  • A. Use IOPS volumes when working with EBS volumes on EC2 Instances
  • B. Encrypt all EBS volumes attached to EC2 Instances
  • C. Use server side encryption for S3
  • D. Use SSL/HTTPS when using the Elastic Load Balancer

Answer: B,C,D

Explanation:
The AWS documentation mentions the following:
Amazon EBS encryption offers you a simple encryption solution for your EBS volumes without the need for you to build, maintain, and secure your own key management infrastructure. When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted:
* Data at rest inside the volume
* All data moving between the volume and the instance
* All snapshots created from the volume

Data protection refers to protecting data while in-transit (as it travels to and from Amazon S3) and at rest (while it is stored on disks in Amazon S3 data centers). You can protect data in transit by using SSL or by using client-side encryption. You have the following options of protecting data at rest in Amazon S3.
* Use Server-Side encryption - You request Amazon S3 to encrypt your object before saving it on disks in its data centers and decrypt it when you download the objects.
* Use Client-Side Encryption - You can encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools.

You can create a load balancer that uses the SSL/TLS protocol for encrypted connections (also known as SSL offload). This feature enables traffic encryption between your load balancer and the clients that initiate HTTPS sessions, and for connections between your load balancer and your EC2 instances.
For more information on securing data at rest, please refer to the below link:
* https://d0.awsstatic.com/whitepapers/aws-securing-data-at-rest-with-encryption.pdf


NEW QUESTION # 101
You have deployed a CloudFormation template which is used to spin up resources in your account. Which of the following statuses in CloudFormation represents a failure?

  • A. DELETE_COMPLETE
  • B. ROLLBACK_IN_PROGRESS
  • C. UPDATE_COMPLETE_CLEANUP_IN_PROGRESS
  • D. UPDATE_IN_PROGRESS

Answer: B

Explanation:
AWS CloudFormation provisions and configures resources by making calls to the AWS services that are described in your template.
After all the resources have been created, AWS CloudFormation reports that your stack has been created. You can then start using the resources in your stack. If stack creation fails, AWS CloudFormation rolls back your changes by deleting the resources that it created.
The below snapshot from CloudFormation shows what happens when there is an error in the stack creation.

For more information on how CloudFormation works, please refer to the below link:
* http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-whatis-howdoesitwork.html


NEW QUESTION # 102
When your application is loaded onto an OpsWorks stack, which of the following events is triggered by OpsWorks?

  • A. Deploy
  • B. Shutdown
  • C. Setup
  • D. Configure

Answer: A

Explanation:
When you deploy an application, AWS OpsWorks Stacks triggers a Deploy event, which runs each layer's Deploy recipes. AWS OpsWorks Stacks also installs stack configuration and deployment attributes that contain all of the information needed to deploy the app, such as the app's repository and database connection data.
For more information on the Deploy event, please refer to the below link:
* http://docs.aws.amazon.com/opsworks/latest/userguide/workingapps.html


NEW QUESTION # 103
Your application Amazon Elastic Compute Cloud (EC2) instances bootstrap by using a master configuration file that is kept in a version-enabled Amazon Simple Storage Service (S3) bucket.
Which one of the following methods should you use to securely install the current configuration version onto the instances in a cost-effective way?

  • A. Store the IAM credentials in the Amazon EC2 user data for each instance, and then simply get the object from S3, because the default is the current version.
  • B. Create an Amazon DynamoDB table to store the different versions of the configuration file.
    Associate AWS Identity and Access Management (IAM) EC2 roles to the Amazon EC2 instances, and reference the DynamoDB table to get the latest file from Amazon Simple Storage Service (S3).
  • C. Associate an IAM EC2 role to the instances, and then simply get the object from Amazon S3, because the default is the current version.
  • D. Associate an IAM S3 role to the bucket, list the object versions using the Amazon S3 API, and then get the latest object.
  • E. Associate an IAM EC2 role to the instances, list the object versions using the Amazon S3 API, and then get the latest object.

Answer: C


NEW QUESTION # 104
A DevOps team needs to query information in application logs that are generated by an application running multiple Amazon EC2 instances deployed with AWS Elastic Beanstalk.
Instance log streaming to Amazon CloudWatch Logs was enabled on Elastic Beanstalk.
Which approach would be the MOST cost-efficient?

  • A. Use a CloudWatch Logs subscription to send the log data to an Amazon Kinesis Data Firehose stream that has an Amazon S3 bucket destination. Use a new Amazon Redshift cluster and Amazon Redshift Spectrum to query the log data from the bucket.
  • B. Use a CloudWatch Logs subscription to send the log data to an Amazon Kinesis Data Firehose stream that has an Amazon S3 bucket destination. Use Amazon Athena to query the log data from the bucket.
  • C. Use a CloudWatch Logs subscription to trigger an AWS Lambda function to send the log data to an Amazon Kinesis Data Firehose stream that has an Amazon S3 bucket destination. Use a new Amazon Redshift cluster and Amazon Redshift Spectrum to query the log data from the bucket.
  • D. Use a CloudWatch Logs subscription to trigger an AWS Lambda function to send the log data to an Amazon Kinesis Data Firehose stream that has an Amazon S3 bucket destination. Use Amazon Athena to query the log data from the bucket.

Answer: B

Explanation:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Subscriptions.html


NEW QUESTION # 105
A company has developed a Node.js web application which provides REST services to store and retrieve time series data. The web application is built by the Development team on company laptops, tested locally, and manually deployed to a single on-premises server, which accesses a local MySQL database. The company is starting a trial in two weeks, during which the application will undergo frequent updates based on customer feedback. The following requirements must be met:
*The team must be able to reliably build, test, and deploy new updates on a daily basis, without downtime or degraded performance.
*The application must be able to scale to meet an unpredictable number of concurrent users during the trial.
Which action will allow the team to quickly meet these objectives?

  • A. Create two Amazon Lightsail virtual private servers for Node.js; one for test and one for production.
    Build the Node.js application using existing process and upload it to the new Lightsail test server using the AWS CLI. Test the application, and if it passes all tests, upload it to the production server. During the trial, monitor the production server usage, and if needed, increase performance by upgrading the instance type.
  • B. Modify the application to use Amazon DynamoDB instead of a local MySQL database. Use AWS OpsWorks to create a stack for the application with a DynamoDB layer, an Application Load Balancer layer, and an Amazon EC2 instance layer. Use a Chef recipe to build the application and a Chef recipe to deploy the application to the EC2 instance layer. Use custom health checks to run unit tests on each instance with rollback on failure.
  • C. Configure AWS Elastic Beanstalk to automatically build the application using AWS CodeBuild and to deploy it to a test environment that is configured to support auto scaling. Create a second Elastic Beanstalk environment for production. Use Amazon RDS to store data. When new versions of the applications have passed all tests, use Elastic Beanstalk "swap cname" to promote the test environment to production.
  • D. Develop an AWS CloudFormation template to create an Application Load Balancer and two Amazon EC2 instances with Amazon EBS (SSD) volumes in an Auto Scaling group with rolling updates enabled. Use AWS CodeBuild to build and test the Node.js application and store it in an Amazon S3 bucket. Use user-data scripts to install the application and the MySQL database on each EC2 instance.
    Update the stack to deploy new application versions.

Answer: C


NEW QUESTION # 106
You are building out a layer in a software stack on AWS that needs to be able to scale out to react to increased demand as fast as possible. You are running the code on EC2 instances in an Auto Scaling Group behind an ELB. Which application code deployment method should you use?

  • A. Create a new Auto Scaling Launch Configuration with UserData scripts configured to pull the latest code at all times.
  • B. Create a Dockerfile when preparing to deploy a new version to production and publish it to S3.
    Use UserData in the Auto Scaling Launch configuration to pull down the Dockerfile from S3 and run it when new instances launch.
  • C. SSH into new instances that come online, and deploy new code onto the system by pulling it from an S3 bucket, which is populated by code that you refresh from source control on new pushes.
  • D. Bake an AMI when deploying new versions of code, and use that AMI for the Auto Scaling Launch Configuration.

Answer: D

Explanation:
... the bootstrapping process can be slower if you have a complex application or multiple applications to install. Managing a fleet of applications with several build tools and dependencies can be a challenging task during rollouts. Furthermore, your deployment service should be designed to do faster rollouts to take advantage of Auto Scaling.
https://d0.awsstatic.com/whitepapers/overview-of-deployment-options-on-aws.pdf


NEW QUESTION # 107
A company wants to use Amazon ECS to provide a Docker container runtime environment. For compliance reasons, all Amazon EBS volumes used in the ECS cluster must be encrypted. Rolling updates will be made to the cluster instances and the company wants the instances drained of all tasks before being terminated. How can these requirements be met? (Select TWO.)

  • A. Use AWS CodePipeline to build a pipeline that discovers the latest Amazon-provided ECS AMI, then copies the image to an encrypted AMI outputting the encrypted AMI ID. Use the encrypted AMI ID when deploying the cluster.
  • B. Modify the default ECS AMI user data to create a script that executes docker rm -f {id} for all running container instances. Copy the script to the /etc/init.d/rc.d directory and execute chkconfig enabling the script to run during operating system shutdown.
  • C. Create an Auto Scaling lifecycle hook backed by an AWS Lambda function that uses the AWS SDK to mark a terminating instance as DRAINING. Prevent the lifecycle hook from completing until the running tasks on the instance are zero.
  • D. Copy the default AWS CloudFormation template that ECS uses to deploy cluster instances. Modify the template resource EBS configuration setting to set 'Encrypted: True' and include the AWS KMS alias: 'aws/ebs' to encrypt the AMI.
  • E. Create an IAM role that allows the action ECS::EncryptedImage. Configure the AWS CLI and a profile to use this role. Start the cluster using the AWS CLI providing the --use-encrypted-image and --kms-key arguments to the create-cluster ECS command.

Answer: C,D


NEW QUESTION # 108
A financial institution provides security-hardened AMIs of Red Hat Enterprise Linux 7.4 and Windows Server 2016 for its application teams to use in deployments. A DevOps Engineer needs to implement an automated daily check of each AMI to monitor for the latest CVE. How should the Engineer implement these checks using Amazon Inspector?

  • A. Tag each instance with SecurityCheck: True. Implement a scheduled Amazon Inspector assessment to run once each day for all instances with the tag SecurityCheck: True. Amazon Inspector should automatically perform an in-place security assessment for each AMI.
  • B. Tag each AMI with SecurityCheck: True. Implement a scheduled Amazon Inspector assessment to run once each day for all AMIs with the tag SecurityCheck: True. Amazon Inspector should automatically launch an Amazon EC2 instance for each AMI and perform a security assessment.
  • C. Tag each AMI with SecurityCheck: True. Configure AWS Step Functions to first compose an Amazon Inspector assessment template for all AMIs that have the tag SecurityCheck: True and second to make a call to the Amazon Inspector API action StartAssessmentRun. Implement a scheduled Amazon CloudWatch Events rule that triggers Step Functions once each day.
  • D. Install the Amazon Inspector agent in each AMI. Configure AWS Step Functions to launch an Amazon EC2 instance for each operating system from the hardened AMI, and tag the instance with SecurityCheck: True. Once EC2 instances have booted up, Step Functions will trigger an Amazon Inspector assessment for all instances with the tag SecurityCheck: True. Implement a scheduled Amazon CloudWatch Events rule that triggers Step Functions once each day.

Answer: D

Explanation:
https://aws.amazon.com/pt/blogs/security/how-to-set-up-continuous-golden-ami-vulnerability-assessments-with-amazon-inspector/


NEW QUESTION # 109
You run a 2000-engineer organization. You are about to begin using AWS at a large scale for the first time. You want to integrate with your existing identity management system running on Microsoft Active Directory, because your organization is a power-user of Active Directory. How should you manage your AWS identities in the most simple manner?

  • A. Use an AWS Directory Sync Domain running on AWS Lambda
  • B. Use a large AWS Directory Service Simple AD.
  • C. Use a large AWS Directory Service AD Connector.
  • D. Use a Sync Domain running on AWS Directory Service.

Answer: C

Explanation:
You must use AD Connector as a power-user of Microsoft Active Directory. Simple AD only works with a subset of AD functionality. Sync Domains do not exist; they are made up answers.
AD Connector is a directory gateway that allows you to proxy directory requests to your on-premises Microsoft Active Directory, without caching any information in the cloud. AD Connector comes in 2 sizes; small and large. A small AD Connector is designed for smaller organizations of up to 500 users. A large AD Connector is designed for larger organizations of up to 5,000 users.
Reference: https://aws.amazon.com/directoryservice/details/


NEW QUESTION # 110
You need to deploy an AWS stack in a repeatable manner across multiple environments. You have selected CloudFormation as the right tool to accomplish this, but have found that there is a resource type you need to create and model, but is unsupported by CloudFormation. How should you overcome this challenge?

  • A. Submit a ticket to the AWS Forums. AWS extends CloudFormation Resource Types by releasing tooling to the AWS Labs organization on GitHub. Their response time is usually 1 day, and they complete requests within a week or two.
  • B. Create a CloudFormation Custom Resource Type by implementing create, update, and delete functionality, either by subscribing a Custom Resource Provider to an SNS topic, or by implementing the logic in AWS Lambda.
  • C. Use a CloudFormation Custom Resource Template by selecting an API call to proxy for create, update, and delete actions. CloudFormation will use the AWS SDK, CLI, or API method of your choosing as the state transition function for the resource type you are modeling.
  • D. Instead of depending on CloudFormation, use Chef, Puppet, or Ansible to author Heat templates, which are declarative stack resource definitions that operate over the OpenStack hypervisor and cloud environment.

Answer: B

Explanation:
Custom resources enable you to write custom provisioning logic in templates that AWS CloudFormation runs anytime you create, update (if you changed the custom resource), or delete stacks. For example, you might want to include resources that aren't available as AWS CloudFormation resource types. You can include those resources by using custom resources. That way you can still manage all your related resources in a single stack.
Use the AWS::CloudFormation::CustomResource or Custom::String resource type to define custom resources in your templates. Custom resources require one property: the service token, which specifies where AWS CloudFormation sends requests to, such as an Amazon SNS topic.
For more information on Custom Resources in CloudFormation, please visit the below URL:
* http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-custom-resources.html


NEW QUESTION # 111
A company runs a production application workload in a single AWS account that uses Amazon Route 53, AWS Elastic Beanstalk, and Amazon RDS. In the event of a security incident, the Security team wants the application workload to fail over to a new AWS account. The Security team also wants to block all access to the original account immediately, with no access to any AWS resources in the original AWS account, during forensic analysis.
What is the most cost-effective way to prepare to fail over to the second account prior to a security incident?

  • A. Save/copy the Amazon Route 53 configurations for use in a different AWS account after an incident.
    Save/copy Elastic Beanstalk configuration files to a different account. Enable the RDS database read replica in a different account.
  • B. Save/copy the Amazon Route 53 configurations for use in a different AWS account after an incident.
    Mirror the configuration of Elastic Beanstalk in a different account. Copy snapshots of the RDS database to a different account.
  • C. Migrate the Amazon Route 53 configuration to a dedicated AWS account. Mirror the Elastic Beanstalk configuration in a different account. Enable RDS Database Read Replicas in a different account.
  • D. Migrate the Amazon Route 53 configuration to a dedicated AWS account. Save/copy the Elastic Beanstalk configuration files in a different AWS account. Copy snapshots of the RDS Database to a different account.

Answer: D

Explanation:
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environment-configuration-savedconfig.html
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-migrating.html


NEW QUESTION # 112
Your company has recently extended its datacenter into a VPC on AWS. There is a requirement for on-premises users to manage AWS resources from the AWS console. You don't want to create IAM users for them again. Which of the below options will fit your needs for authentication?

  • A. Use OAuth 2.0 to retrieve temporary AWS security credentials to enable your members to sign in to the AWS Management Console.
  • B. Use your on-premises SAML 2.0-compliant identity provider (IDP) to retrieve temporary security credentials to enable members to sign in to the AWS Management Console.
  • C. Use your on-premises SAML 2.0-compliant identity provider (IDP) to grant the members federated access to the AWS Management Console via the AWS single sign-on (SSO) endpoint.
  • D. Use web Identity Federation to retrieve AWS temporary security credentials to enable your members to sign in to the AWS Management Console.

Answer: C

Explanation:
You can use a role to configure your SAML 2.0-compliant IdP and AWS to permit your federated users to access the AWS Management Console. The role grants the user permissions to carry out tasks in the console.
For more information on AWS SAML, please visit the below URL:
* http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html


NEW QUESTION # 113
......
