Demo Amazon DOP-C02 Exam Questions

Question 1

A company has multiple accounts in an organization in AWS Organizations. The company's
SecOps team needs to receive an Amazon Simple Notification Service (Amazon SNS)
notification if any account in the organization turns off the Block Public Access feature on
an Amazon S3 bucket. A DevOps engineer must implement this change without affecting
the operation of any AWS accounts. The implementation must ensure that individual
member accounts in the organization cannot turn off the notification. Which solution will
meet these requirements?

Correct Answer: C
Explanation:
Amazon GuardDuty is primarily focused on threat detection and response, not configuration
monitoring. A conformance pack is a collection of AWS Config rules and remediation actions that
can be easily deployed as a single entity in an account and a Region or across an organization
in AWS Organizations.

Question 2

A company has an organization in AWS Organizations. The organization includes workload accounts
that contain enterprise applications. The company centrally manages users from an operations
account. No users can be created in the workload accounts. The company recently added an
operations team and must provide the operations team members with administrator access to each
workload account.
Which combination of actions will provide this access? (Choose three.)

Correct Answer: B, D, E
Explanation:

Since the company manages users centrally in the operations account and does not allow users in workload accounts, the proper AWS cross-account access design is to create an IAM user for each operations team member in the operations account (D), create a SysAdmin role with the AdministratorAccess policy in each workload account and configure its trust policy to allow the operations account to assume it (B), and create a SysAdmins IAM group in the operations account with permissions to perform sts:AssumeRole on the SysAdmin roles in all workload accounts (E). This allows operations team members to authenticate once in the operations account and then assume administrator roles in the workload accounts without creating local users there, which follows AWS security best practices for centralized identity management.

Question 3
A developer is maintaining a fleet of 50 Amazon EC2 Linux servers. The servers are part of an Amazon
EC2 Auto Scaling group, and also use Elastic Load Balancing for load balancing.
Occasionally, some application servers are being terminated after failing ELB HTTP health checks. The
developer would like to perform a root cause analysis on the issue, but before being able to access
application logs, the server is terminated.
How can log collection be automated?


Correct Answer: D
Explanation:
When an instance in an Auto Scaling group is about to be terminated, you can use an Auto Scaling lifecycle hook to place it in the Terminating:Wait state, which delays termination and provides time to perform custom actions. An Amazon EventBridge rule can capture the EC2 Instance-terminate Lifecycle Action event and trigger an AWS Lambda function. The Lambda function can then use AWS Systems Manager (SSM) Run Command to execute a script on the instance, collect the application logs, and upload them to Amazon S3. After the logs are safely stored, the Lambda function calls CompleteLifecycleAction to allow the instance termination to proceed. This is the recommended AWS-native solution for automatically preserving logs from instances that are being terminated, making D the correct answer.
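
The flow in this explanation, as an added example (not part of the original question set and not AWS's own code): a Lambda handler in Python that runs the log copy through SSM Run Command and then releases the lifecycle hook. The bucket name, the log directory, and the assumption that the instance profile may write to that bucket and that the AWS CLI is installed on the instance are all hypothetical.

```python
import shlex

LOG_BUCKET = "example-log-archive"  # assumption: placeholder bucket name
LOG_DIR = "/var/log/app"            # assumption: where the application writes logs


def handler(event, context, ssm=None, autoscaling=None):
    """Target of an EventBridge rule matching 'EC2 Instance-terminate Lifecycle Action'."""
    if ssm is None or autoscaling is None:
        import boto3  # lazy import so the handler can be exercised offline with fakes
        ssm = ssm or boto3.client("ssm")
        autoscaling = autoscaling or boto3.client("autoscaling")

    detail = event["detail"]
    instance_id = detail["EC2InstanceId"]
    dest = f"s3://{LOG_BUCKET}/{detail['AutoScalingGroupName']}/{instance_id}/"
    collected = False
    try:
        # Run the copy on the instance while it is held in Terminating:Wait.
        sent = ssm.send_command(
            InstanceIds=[instance_id],
            DocumentName="AWS-RunShellScript",
            Parameters={"commands": [
                f"aws s3 cp {shlex.quote(LOG_DIR)} {shlex.quote(dest)} --recursive"
            ]},
        )
        # Block until the command finishes; the waiter raises if it fails or times out.
        ssm.get_waiter("command_executed").wait(
            CommandId=sent["Command"]["CommandId"], InstanceId=instance_id
        )
        collected = True
    except Exception as exc:
        # An instance that failed health checks may also have an unreachable SSM agent.
        print(f"log collection failed for {instance_id}: {exc}")
    finally:
        # Always release the hook, otherwise the instance waits for the heartbeat timeout.
        autoscaling.complete_lifecycle_action(
            LifecycleHookName=detail["LifecycleHookName"],
            AutoScalingGroupName=detail["AutoScalingGroupName"],
            LifecycleActionToken=detail["LifecycleActionToken"],
            LifecycleActionResult="CONTINUE",
            InstanceId=instance_id,
        )
    return {"instance": instance_id, "collected": collected, "destination": dest}
```

The Lambda timeout has to be longer than the time the waiter may block, and the lifecycle hook's heartbeat timeout longer than both.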
