Ends in
00
hrs
00
mins
00
secs
SHOP NOW

48-hour Extension Anniversary Sale - $3 OFF ALL Reviewers!

Find answers, ask questions, and connect with our
community around the world.

Home Forums AWS AWS Certified DevOps Engineer Professional Error in the quizz

  • Error in the quizz

  • claude

    Member
    May 2, 2020 at 1:27 pm

    Hello, I came again across this inconsistent qustion/answers/explanations

    Section-Based – Configuration Management and Infrastructure as Code (DevOps)

    21. QUESTION

    Category: DOP – Configuration Management and Infrastructure as Code

    An application is hosted in an Auto Scaling group of Amazon EC2 instances with public IP addresses in a public subnet. The instances are configured with a user data script which fetch and install the required system dependencies of the application from the Internet upon launch. A change was recently introduced to prohibit any Internet access from these instances to improve the security but after its implementation, the instances could not get the external dependencies anymore. Upon investigation, all instances are properly running but the hosted application is not starting up completely due to the incomplete installation.

    Which of the following is the MOST secure solution to solve this issue and also ensure that the instances do not have public Internet access?

    supposed right answer

    A/ Download all of the external application dependencies from the public Internet and then store them to an S3 bucket. Set up a VPC endpoint for the S3 bucket and then assign an IAM instance profile to the instances in order to allow them to fetch the required dependencies from the bucket.

    My supposed right answer :

    B/ Use a NAT gateway to disallow any traffic to the VPC which originated from the public Internet. Deploy the Amazon EC2 instances to a private subnet then set the subnet’s route table to use the NAT gateway as its default route.

    explanations :

    Incorrect

    You can use a Lambda function to validate part of the deployment of an updated Amazon ECS application. During an Amazon ECS deployment with validation tests, CodeDeploy can be configured to use a load balancer with two target groups: one production traffic listener and one test traffic listener. To add a validation test, you first implement the test in a Lambda function. Next, in your deployment AppSpec file, you specify the Lambda function for the lifecycle hook you want to test. If a validation test fails, the deployment stops, it is rolled back, and marked as failed. If the test succeeds, the deployment continues to the next deployment lifecycle event or hook.

    The content in the ‘hooks’ section of the AppSpec file varies, depending on the compute platform for your deployment. The ‘hooks’ section for an EC2/On-Premises deployment contains mappings that link deployment lifecycle event hooks to one or more scripts. The ‘hooks’ section for a Lambda or an Amazon ECS deployment specifies Lambda validation functions to run during a deployment lifecycle event. If an event hook is not present, no operation is executed for that event.

    When the deployment starts, the deployment lifecycle events start to execute one at a time. Some lifecycle events are hooks that only execute Lambda functions specified in the AppSpec file. An AWS Lambda hook is one Lambda function specified with a string on a new line after the name of the lifecycle event. On the AfterAllowTestTraffic hook, you can specify Lambda functions that can validate the deployment using the test traffic.

    So obviously explanations do not match the question.

    By the way, what about the right answer here ? is it A or B ?

  • Jon-Bonso

    Administrator
    May 3, 2020 at 8:00 pm

    Hi Claude,

    Thank you for bringing this up to our attention. I have rectified this mismatched item and the change is already reflected in our practice tests.

    Here’s the explanation:

    You can use an S3 bucket to store the required dependencies and then set up a VPC Endpoint to allow your EC2 instances to access the data without having to traverse the public Internet.

    Hence, the correct answer is the option that says: Download all of the external application dependencies from the public Internet and then store them to an S3 bucket. Set up a VPC endpoint for the S3 bucket and then assign an IAM instance profile to the instances in order to allow them to fetch the required dependencies from the bucket.

    The option that says: Deploy the Amazon EC2 instances in a private subnet and associate Elastic IP addresses on each of them. Run a custom shell script to disassociate the Elastic IP addresses after the application has been successfully installed and is running properly is incorrect because it is possible that the custom shell script may fail and the disassociation of the Elastic IP addresses might not be fully implemented which will allow the EC2 instances to access the Internet.

    The option that says: Use a NAT gateway to disallow any traffic to the VPC which originated from the public Internet. Deploy the Amazon EC2 instances to a private subnet then set the subnet’s route table to use the NAT gateway as its default route is incorrect because although a NAT Gateway can safeguard the instances from any incoming traffic that were initiated from the Internet, it still permits them to send outgoing requests externally.

    The option that says: Set up a brand new security group for the Amazon EC2 instances. Use a whitelist configuration to only allow outbound traffic to the site where all of the application dependencies are hosted. Delete the security group rule once the installation is complete. Use AWS Config to monitor the compliance is incorrect because this solution has a high operational overhead since the actions are done manually. This is susceptible to human error such as in the event that the DevOps team forgets to delete the security group. The use of AWS Config will just monitor and inform you about the security violation but it won’t do anything to remediate the issue.

    References:

    https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html

    https://docs.aws.amazon.com/vpc/latest/userguide/vpce-gateway.html

    Let us know if you need further assistance. The Tutorials Dojo team is dedicated to help you pass your AWS exam on your first try!

    Regards,

    Jon Bonso @ Tutorials Dojo

  • claude

    Member
    May 4, 2020 at 12:42 am

    Hello,

    All clear, thanks a lot!

    BR,

    CB.

  • Jon-Bonso

    Administrator
    May 5, 2020 at 10:57 am

    You’re welcome Claude and again, thank you for pointing this issue out. Much appreciated!

Viewing 1 - 4 of 4 replies

Log in to reply.

Original Post
0 of 0 posts June 2018
Now