SA Pro – Review mode set 3, question 48
-
Review mode set 3, question 48:
A company wants to improve the security of their cloud resources by ensuring that all running EC2 instances were launched from pre-approved AMIs only, which are set by the Security team. Their Development team has an agile CI/CD process which should not be stalled by the new automated solution that they’ll implement. Any new application release must be deployed first before the solution could analyze if it is using a pre-approved AMI or not.
Which of the following options enforces the required controls with the LEAST impact on the development process? (Select TWO.)
1. Set up IAM policies to restrict the ability of users to launch EC2 instances based on a specific set of pre-approved AMIs which were tagged by the Security team.
2. Set up Amazon Inspector to do regular scans using a custom assessment template to determine if the EC2 instance is based upon a pre-approved AMI. Terminate the instances and inform the Security team by email about the security breach.
3. Set up AWS Config rules to determine any launches of EC2 instances based on non-approved AMIs and then trigger an AWS Lambda function to automatically terminate the instance. Afterwards, publish a message to an SNS topic to inform the Security team about the occurrence.
4. Set up the required policies, roles and permissions to a centralized IT Operations team, which will manually process the security approval steps to ensure that EC2 instances are only launched from pre-approved AMIs.
5. Set up a scheduled Lambda function to search through the list of running EC2 instances within your VPC and determine if any of these are based on unauthorized AMIs. Afterwards, publish a new message to an SNS topic to inform the Security team that this occurred and then terminate the EC2 instance.
The right answer is 3 and 5, while I selected 1 and 3. Explanation for why 1 is wrong is the following: “setting up an IAM Policy will totally restrict the development team from launching EC2 instances with unapproved AMIs which could impact their CI/CD process. The scenario clearly says that the solution should not have any interruption in the company’s development process.”
Now my question is: if blocking the dev team from launching an EC2 instance from an unapproved AMI is impacting their CI/CD process, how can (3), which is automatically terminating them, not be impacting them???
-
Hello AndreaCoda,
Thank you for your feedback.
The explanation for the incorrect answer:
“Set up IAM policies to restrict the ability of users to launch EC2 instances based on a specific set of pre-approved AMIs which were tagged by the Security team” is incorrect because setting up an IAM Policy will totally restrict the development team from launching EC2 instances with unapproved AMIs, which could impact their CI/CD process. The scenario clearly says that the solution should not have any interruption in the company’s development process.
>> I understand that the explanation may have emphasized the “should not have any interruption in the company’s development process” part too heavily, but this option is incorrect because it does not satisfy the requirement in the question itself: “Any new application release must be deployed first before the solution could analyze if it is using a pre-approved AMI or not.”
If the development team creates a new AMI for their deployments, the CI/CD process will not run because they can’t launch the new AMI that is not yet approved by the Security Team.
“how can (3), which is automatically terminating them, not be impacting them???”
(3) Set up AWS Config rules to determine any launches of EC2 instances based on non-approved AMIs and then trigger an AWS Lambda function to automatically terminate the instance. Afterwards, publish a message to an SNS topic to inform the Security team about the occurrence.
>> In contrast to the incorrect answer above, this answer is correct because it satisfies the requirement: “Any new application release must be deployed first before the solution could analyze if it is using a pre-approved AMI or not.”
It won’t hinder the CI/CD process, as it will allow the new application AMI to be deployed. You can schedule AWS Config to run at regular intervals (e.g. every 2 hours) to check if any EC2 instances are using a non-approved AMI, and then take action to delete the instances. This answer is still acceptable because it allows the development team to deploy their new AMI and test it, even though, after AWS Config’s regular interval check, the instances will be deleted automatically.
Hope this helps.
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!
Regards,
Kenneth Samonte @ Tutorials Dojo
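The detect, notify and terminate flow of options 3 and 5, written out as an added Python example (not code from Tutorials Dojo or either poster): the approved AMI list, the SNS topic ARN, the environment variable names and the instance data are all constructed assumptions, with the instance data shaped like an EC2 DescribeInstances response.

```python
"""Scheduled sweep that reports and terminates EC2 instances launched from
unapproved AMIs. Added example; approved AMIs, topic ARN and env var names
are hypothetical, and SAMPLE_RESERVATIONS is constructed test data."""
import json
import os

# Constructed sample in the shape EC2 DescribeInstances returns.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa", "ImageId": "ami-approved1", "State": {"Name": "running"}},
        {"InstanceId": "i-0bbb", "ImageId": "ami-unknown9", "State": {"Name": "running"}},
        {"InstanceId": "i-0ccc", "ImageId": "ami-unknown9", "State": {"Name": "terminated"}},
    ]}
]
APPROVED_AMIS = {"ami-approved1", "ami-approved2"}  # hypothetical allow-list


def find_unapproved_instances(reservations, approved_amis):
    """Return IDs of live instances whose AMI is not on the approved list.

    Instances already shutting down or terminated are skipped so a later
    scheduled run does not re-report or re-terminate them.
    """
    found = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            if inst["State"]["Name"] in ("shutting-down", "terminated"):
                continue
            if inst["ImageId"] not in approved_amis:
                found.append(inst["InstanceId"])
    return found


def lambda_handler(event, context):
    """Lambda entry point: notify the Security team first, then terminate."""
    import boto3  # imported here so the pure check above runs without the SDK

    approved = set(os.environ["APPROVED_AMIS"].split(","))  # hypothetical env var
    topic_arn = os.environ["SNS_TOPIC_ARN"]                  # hypothetical env var
    ec2 = boto3.client("ec2")
    pages = ec2.get_paginator("describe_instances").paginate()
    reservations = [r for page in pages for r in page["Reservations"]]
    offenders = find_unapproved_instances(reservations, approved)
    if offenders:
        boto3.client("sns").publish(
            TopicArn=topic_arn,
            Subject="EC2 instances launched from unapproved AMIs",
            Message=json.dumps({"terminating": offenders}),
        )
        ec2.terminate_instances(InstanceIds=offenders)
    return {"terminated": offenders}
```

For option 3 the same check can come from the AWS Config managed rule approved-amis-by-id, with a function like this as the remediation target; either way the instance is allowed to launch and is only acted on after the fact, which is the distinction the answer explanation draws.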
-
Good point, thanks for taking the time to address my question!
Regards,
Andrea