Free AWS-Certified-DevOps-Engineer-Professional Exam Braindumps

Pass your Amazon AWS Certified DevOps Engineer Professional exam with these free Questions and Answers

Page 3 of 28
QUESTION 6

A company wants to automatically re-create its infrastructure using AWS CloudFormation as part of the company's quality assurance (QA) pipeline. For each QA run, a new VPC must be created in a single account, resources must be deployed into the VPC, and tests must be run against this new infrastructure. The company policy states that all VPCs must be peered with a central management VPC to allow centralized logging. The company has existing CloudFormation templates to deploy its VPC and associated resources.
Which combination of steps will achieve the goal in a way that is automated and repeatable? (Choose two.)

  A. Create an AWS Lambda function that is invoked by an Amazon CloudWatch Events rule when a CreateVpcPeeringConnection API call is made. The Lambda function should check the source of the peering request, accept the request, and update the route tables for the management VPC to allow traffic to go over the peering connection.
  B. In the CloudFormation template: Invoke a custom resource to generate unique VPC CIDR ranges for the VPC and subnets. Create a peering connection to the management VPC. Update route tables to allow traffic to the management VPC.
  C. In the CloudFormation template: Use the Fn::Cidr function to allocate an unused CIDR range for the VPC and subnets. Create a peering connection to the management VPC. Update route tables to allow traffic to the management VPC.
  D. Modify the CloudFormation template to include a mappings object that includes a list of /16 CIDR ranges for each account where the stack will be deployed.
  E. Use CloudFormation StackSets to deploy the VPC and associated resources to multiple AWS accounts using a custom resource to allocate unique CIDR ranges.
  F. Create peering connections from each VPC to the central management VPC and accept those connections in the management VPC.

Correct Answer: BD

QUESTION 7

A company has established tagging and configuration standards for its infrastructure resources running on AWS. A DevOps Engineer is developing a design that will provide a near-real-time dashboard of the compliance posture with the ability to highlight violations.
Which approach meets the stated requirements?

  A. Define the resource configurations in AWS Service Catalog, and monitor the AWS Service Catalog compliance and violations in Amazon CloudWatch. Then, set up and share a live CloudWatch dashboard. Set up Amazon SNS notifications for violations and corrections.
  B. Use AWS Config to record configuration changes and output the data to an Amazon S3 bucket. Create an Amazon QuickSight analysis of the dataset, and use the information on dashboards and mobile devices.
  C. Create a resource group that displays resources with the specified tags and those without tags. Use the AWS Management Console to view compliant and non-compliant resources.
  D. Define the compliance and tagging requirements in Amazon Inspector. Output the results to Amazon CloudWatch Logs. Build a metric filter to isolate the monitored elements of interest and present the data in a CloudWatch dashboard.

Correct Answer: B
https://aws.amazon.com/about-aws/whats-new/2019/03/aws-config-now-supports-tagging-of-aws-config-resour

QUESTION 8

A company uses AWS CodePipeline to manage and deploy infrastructure as code. The infrastructure is defined in AWS CloudFormation templates and is primarily comprised of multiple Amazon EC2 instances and Amazon RDS databases. The Security team has observed many operators creating inbound security group rules with a source CIDR of 0.0.0.0/0 and would like to proactively stop the deployment of rules with open CIDRs.
The DevOps Engineer will implement a predeployment step that runs some security checks over the CloudFormation template before the pipeline processes it. This check should allow only inbound security group rules with a source CIDR of 0.0.0.0/0 if the rule has the description "Security Approval Ref XXXXX" (where XXXXX is a preallocated reference). The pipeline step should fail if this condition is not met and the deployment should be blocked.
How should this be accomplished?

  A. Enable an SCP in AWS Organizations. The policy should deny access to the API call Create Security GroupRule if the rule specifies 0.0.0.0/0 without a description referencing a security approval.
  B. Add an initial stage to CodePipeline called Security Check. This stage should call an AWS Lambda function that scans the CloudFormation template and fails the pipeline if it finds 0.0.0.0/0 in a security group without a description referencing a security approval.
  C. Create an AWS Config rule that is triggered on creation or edit of resource type EC2 SecurityGroup. This rule should call an AWS Lambda function to send a failure notification if the security group has any rules with a source CIDR of 0.0.0.0/0 without a description referencing a security approval.
  D. Modify the IAM role used by CodePipeline. The IAM policy should deny access.

Correct Answer: B
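The template check described in Question 8, as an added example that is not part of the original page: it walks a CloudFormation template (JSON form) and flags every inbound rule with source 0.0.0.0/0 whose Description lacks an approval reference, covering both inline SecurityGroupIngress entries and standalone AWS::EC2::SecurityGroupIngress resources. The approval-reference pattern and the sample template are assumptions constructed for the demonstration.

```python
import json
import re
from typing import Dict, List, Tuple

OPEN_CIDR = "0.0.0.0/0"
# Assumed shape of the preallocated reference ("Security Approval Ref XXXXX").
APPROVAL_RE = re.compile(r"Security Approval Ref [A-Za-z0-9-]+")


def _ingress_rules(logical_id: str, resource: Dict) -> List[Tuple[str, Dict]]:
    """Return (logical_id, rule) pairs for inline and standalone ingress rules."""
    rtype = resource.get("Type")
    props = resource.get("Properties", {})
    if rtype == "AWS::EC2::SecurityGroup":
        return [(logical_id, r) for r in props.get("SecurityGroupIngress", [])]
    if rtype == "AWS::EC2::SecurityGroupIngress":
        return [(logical_id, props)]
    return []


def find_open_cidr_violations(template: Dict) -> List[str]:
    """One message per rule that opens 0.0.0.0/0 without an approval reference.

    A Description given as an intrinsic function (a dict) cannot be checked
    statically and is treated as missing, so the rule is reported.
    """
    violations = []
    for logical_id, resource in template.get("Resources", {}).items():
        for rid, rule in _ingress_rules(logical_id, resource):
            if rule.get("CidrIp") != OPEN_CIDR:
                continue
            desc = rule.get("Description", "")
            if not (isinstance(desc, str) and APPROVAL_RE.search(desc)):
                violations.append(
                    f"{rid}: {OPEN_CIDR} on port {rule.get('FromPort')}-"
                    f"{rule.get('ToPort')} without approval reference")
    return violations


# Constructed sample template: one approved rule, two that must fail the stage.
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupDescription": "web tier",
    "SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0",
       "Description": "Security Approval Ref SA-12345"},
      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0",
       "Description": "temporary ssh"}]}},
  "DbIngress": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
    "GroupId": "sg-placeholder", "IpProtocol": "tcp",
    "FromPort": 3306, "ToPort": 3306, "CidrIp": "0.0.0.0/0"}}}}
""")

if __name__ == "__main__":
    for v in find_open_cidr_violations(SAMPLE_TEMPLATE):
        print(v)
```

A non-empty result is the signal for the Lambda-backed Security Check stage to fail the pipeline; YAML templates would need a loader that understands CloudFormation's short-form tags before the same check applies.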

QUESTION 9

A DevOps Engineer just joined a new company that is already running workloads on Amazon EC2 instances. AWS has been adopted incrementally with no central governance. The Engineer must now assess how well the existing deployments comply with the following requirements:
*EC2 instances are running only approved AMIs.
*Amazon EBS volumes are encrypted.
*EC2 instances have an Owner tag.
*Root login over SSH is disabled on EC2 instances.
Which services should the Engineer use to perform this assessment with the LEAST amount of effort? (Select TWO.)

  1. A. AWS Config
  2. B. Amazon GuardDuty
  3. C. AWS Systems Manager
  4. D. AWS Directory Service
  5. E. Amazon Inspector

Correct Answer: AE
https://docs.aws.amazon.com/ja_jp/inspector/latest/userguide/inspector_security-best-practices.html

QUESTION 10

A DevOps Engineer is developing a deployment strategy that will allow for data-driven decisions before a feature is fully approved for general availability. The current deployment process uses AWS CloudFormation and blue/green-style deployments. The development team has decided that customers should be randomly assigned to groups, rather than using a set percentage, and redirects should be avoided.
What process should be followed to implement the new deployment strategy?

  A. Configure Amazon Route 53 weighted records for the blue and green stacks, with 50% of traffic configured to route to each stack.
  B. Configure Amazon CloudFront with an AWS Lambda@Edge function to set a cookie when CloudFront receives a request. Assign the user to version A or B, and configure the web server to redirect to version A or B.
  C. Configure Amazon CloudFront with an AWS Lambda@Edge function to set a cookie when CloudFront receives a request. Assign the user to version A or B, then return the corresponding version to the viewer.
  D. Configure Amazon Route 53 with an AWS Lambda function to set a cookie when Amazon CloudFront receives a request. Assign the user to version A or B, then return the corresponding version to the viewer.

Correct Answer: C
https://docs.aws.amazon.com/zh_cn/AmazonCloudFront/latest/DeveloperGuide/lambda-examples.html
