2023 Realistic AWS-DevOps 100% Pass Guaranteed Download Exam Q&A
NEW QUESTION # 149
Which of these is not an intrinsic function in AWS CloudFormation?
- A. Fn::Split
- B. Fn::Select
- C. Fn::FindInMap
- D. Fn::GetAZs
Answer: A
Explanation:
This is the complete list of Intrinsic Functions...: Fn::Base64, Fn::And, Fn::Equals, Fn::If, Fn::Not, Fn::Or, Fn::FindInMap, Fn::GetAtt, Fn::GetAZs, Fn::Join, Fn::Select, Ref
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference.html
NEW QUESTION # 150
A user is testing a new service that receives location updates from 3,600 rental cars every hour.
Which service will collect data and automatically scale to accommodate production workload?
- A. Amazon EBS
- B. Amazon EC2
- C. Amazon Kinesis Firehose
- D. Amazon API Gateway
Answer: B
NEW QUESTION # 151
Ansible supports running Playbook on the host directly or via SSH. How can Ansible be told to run its playbooks directly on the host?
- A. Setting `connection: local` in the tasks that run locally.
- B. Specifying `-type local` on the command line.
- C. Setting `connection: local` in the Playbook.
- D. It does not need to be specified; it's the default.
Answer: C
Explanation:
Ansible can be told to run locally on the command line with the `-c` option, or via the `connection: local` declaration in the playbook. The default connection method is `remote`.
Reference: http://docs.ansible.com/ansible/intro_inventory.html#non-ssh-connection-types
NEW QUESTION # 152
You have enabled Elastic Load Balancing HTTP health checking. After looking at the AWS Management Console, you see that all instances are passing health checks, but your customers are reporting that your site is not responding.
What is the cause?
- A. The health check in place is not sufficiently evaluating the application function.
- B. Latency in DNS resolution is interfering with Amazon EC2 metadata retrieval.
- C. The HTTP health checking system is misreporting due to latency in inter-instance metadata synchronization.
- D. The application is returning a positive health check too quickly for the AWS Management Console to respond.
Answer: A
NEW QUESTION # 153
A user has attached an EBS volume to a running Linux instance as a "/dev/sdf" device.
The user is unable to see the attached device when he runs the command "df -h".
What is the possible reason for this?
- A. The volume is not attached as a root device
- B. The volume is not formatted
- C. The volume is not in the same AZ of the instance
- D. The volume is not mounted
Answer: D
Explanation:
When a user creates an EBS volume and attaches it as a device, it is required to mount the device. If the device/volume is not mounted it will not be available in the listing.
NEW QUESTION # 154
A company has deployed several applications globally. Recently, Security Auditors found that few Amazon EC2 instances were launched without Amazon EBS disk encryption. The Auditors have requested a report detailing all EBS volumes that were not encrypted in multiple AWS accounts and regions. They also want to be notified whenever this occurs in future.
How can this be automated with the LEAST amount of operational overhead?
- A. Using the AWS CLI, run a script periodically that invokes the aws ec2 describe-volumes query with a JMESPath query filter. Then, write the output to an Amazon S3 bucket. Set up an S3 event notification to send events using Amazon SNS when new data is written to the S3 bucket.
- B. Create an AWS Lambda function to set up an AWS Config rule on all the target accounts. Use AWS Config aggregators to collect data from multiple accounts and regions. Export the aggregated report to an Amazon S3 bucket and use Amazon SNS to deliver the notifications.
- C. Create an AWS CloudFormation template that adds an AWS Config managed rule for EBS encryption. Use a CloudFormation stack set to deploy the template across all accounts and regions. Store consolidated evaluation results from Config rules in Amazon S3. Send a notification using Amazon SNS when non-compliant resources are detected.
- D. Set up AWS CloudTrail to deliver all events to an Amazon S3 bucket in a centralized account. Use the S3 event notification feature to invoke an AWS Lambda function to parse AWS CloudTrail logs whenever logs are delivered to the S3 bucket. Publish the output to an Amazon SNS topic using the same Lambda function.
Answer: C
Explanation:
https://aws.amazon.com/blogs/aws/aws-config-update-aggregate-compliance-data-across-accounts-regions/
https://docs.aws.amazon.com/config/latest/developerguide/aws-config-managed-rules-cloudformation-templates
NEW QUESTION # 155
Your CTO is very worried about the security of your AWS account. How best can you prevent hackers from completely hijacking your account?
- A. Use MFA on all users and accounts, especially on the root account.
- B. Don't write down or remember the root account password after creating the AWS account.
- C. Use AWS IAM Geo-Lock and disallow anyone from logging in except for in your city.
- D. Use a short but complex password on the root account and any administrators.
Answer: A
Explanation:
The AWS documentation mentions the following on MFA
AWS Multi-Factor Authentication (MFA) is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password (the first factor-what they know), as well as for an authentication code from their AWS MFA device (the second factor-what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources.
For more information on MFA please visit the below link
https://aws.amazon.com/iam/details/mfa/
NEW QUESTION # 156
You use Amazon CloudWatch as your primary monitoring system for your web application. After a recent software deployment, your users are getting intermittent 500 Internal Server Errors when using the web application. You want to create a CloudWatch alarm and notify an on-call engineer when these occur. How can you accomplish this using AWS services? Choose three answers from the options given below.
- A. Deploy your web application as an AWS Elastic Beanstalk application. Use the default Elastic Beanstalk Cloudwatch metrics to capture 500 Internal Server Errors. Set a CloudWatch alarm on that metric.
- B. Create a CloudWatch Logs group and define metric filters that capture 500 Internal Server Errors. Set a CloudWatch alarm on that metric.
- C. Use Amazon Simple Email Service to notify an on-call engineer when a CloudWatch alarm is triggered.
- D. Use Amazon Simple Notification Service to notify an on-call engineer when a CloudWatch alarm is triggered.
- E. Install a CloudWatch Logs Agent on your servers to stream web application logs to CloudWatch.
Answer: B,D,E
Explanation:
You can use CloudWatch Logs to monitor applications and systems using log data. CloudWatch Logs uses your log data for monitoring, so no code changes are required. For example, you can monitor application logs for specific literal terms (such as "NullReferenceException") or count the number of occurrences of a literal term at a particular position in log data (such as "404" status codes in an Apache access log). When the term you are searching for is found, CloudWatch Logs reports the data to a CloudWatch metric that you specify. Log data is encrypted while in transit and while it is at rest. For more information on CloudWatch Logs please refer to the below link:
* http://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html
Amazon CloudWatch uses Amazon SNS to send email. First, create and subscribe to an SNS topic. When you create a CloudWatch alarm, you can add this SNS topic to send an email notification when the alarm changes state.
For more information on SNS and CloudWatch alarms please refer to the below link:
* http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/US_SetupSNS.html
NEW QUESTION # 157
You meet once per month with your operations team to review the past month's data. During the meeting, you realize that 3 weeks ago, your monitoring system which pings over HTTP from outside AWS recorded a large spike in latency on your 3-tier web service API.
You use DynamoDB for the database layer, ELB, EBS, and EC2 for the business logic tier, and SQS, ELB, and EC2 for the presentation layer.
Which of the following techniques will NOT help you figure out what happened?
- A. Check your CloudTrail log history around the spike's time for any API calls that caused slowness.
- B. Review CloudWatch Metrics graphs to determine which component(s) slowed the system down.
- C. Analyze your logs to detect bursts in traffic at that time.
- D. Review your ELB access logs in S3 to see if any ELBs in your system saw the latency.
Answer: B
Explanation:
Metrics data are available for 2 weeks. If you want to store metrics data beyond that duration, you can retrieve it using our GetMetricStatistics API as well as a number of applications and tools offered by AWS partners.
https://aws.amazon.com/cloudwatch/faqs/
NEW QUESTION # 158
An Application team has three environments for their application: development, pre-production, and production. The team recently adopted AWS CodePipeline. However, the team has had several deployments of misconfigured or nonfunctional development code into the production environment, resulting in user disruption and downtime. The DevOps Engineer must review the pipeline and add steps to identify problems with the application before it is deployed.
What should the Engineer do to identify functional issues during the deployment process?
(Choose two.)
- A. Create an AWS CodeDeploy action in the pipeline with a deployment configuration that automatically deploys the application code to a limited number of instances. The action then pauses the deployment so that the QA team can review the application functionality. When the review is complete, CodeDeploy resumes and deploys the application to the remaining production Amazon EC2 instances.
- B. After the deployment process is complete, run a testing activity on an Amazon EC2 instance in a different region that accesses the application to simulate user behavior. If unexpected results occur, the testing activity sends a warning to an Amazon SNS topic. Subscribe to the topic to get updates.
- C. Add an AWS CodeDeploy action in the pipeline to deploy the latest version of the development code to pre-production. Add a manual approval action in the pipeline so that the QA team can test and confirm the expected functionality. After the manual approval action, add a second CodeDeploy action that deploys the approved code to the production environment.
- D. Use Amazon Inspector to add a test action to the pipeline. Use the Amazon Inspector Runtime Behavior Analysis Inspector rules package to check that the deployed code complies with company security standards before deploying it to production.
- E. Using AWS CodeBuild to add a test action to the pipeline to replicate common user activities and ensure that the results are as expected before progressing to production deployment.
Answer: A,D
NEW QUESTION # 159
Your organization has decided to implement a third-party configuration management tool that uses a master server from which nodes pull configuration.
You have built a custom base Amazon Machine Image that already has the third-party configuration management agent installed.
You want to use the same base AMI in Development, Test and Production environments, each of which has its own master server.
How should you configure your Amazon EC2 instances to register with the correct master server on launch?
- A. Use Amazon CloudFormation to describe your environment. Configure an input parameter for the master server hostname/address, and use this parameter within an Amazon EC2 UserData script that registers the agent with the master.
- B. Create a tag for all instances that specifies their environment. When launching instances, provide an Amazon EC2 UserData script that gets this tag by querying the MetaData Service and registers the agent with the master.
- C. Create a script on your third-party configuration management master server that queries the Amazon EC2 API for new instances and registers them with it.
- D. Use Amazon Simple Workflow Service to automate the process of registering new instances with your master server. Use an Environment tag in Amazon EC2 to register instances with the correct master server.
Answer: A
NEW QUESTION # 160
A company wants to migrate a legacy application to AWS and develop a deployment pipeline that uses AWS services only. A DevOps engineer is migrating all of the application code from a Git repository to AWS CodeCommit while preserving the history of the repository. The DevOps engineer has set all the permissions within CodeCommit, installed the Git client and the AWS CLI on a local computer, and is ready to migrate the repository.
Which actions will follow?
- A. Create the CodeCommit repository using the AWS Management Console. Clone both the Git and CodeCommit repositories to the local computer. Copy the files from the Git repository to the CodeCommit repository on the local computer. Commit the CodeCommit repository. Validate that the files were migrated, and share the CodeCommit repository.
- B. Create the CodeCommit repository using the AWS Management Console. Use the console to clone the Git repository into the CodeCommit repository. Validate that the files were migrated, and publish the CodeCommit repository.
- C. Create the CodeCommit repository using the AWS Management Console or the AWS CLI. Clone the Git repository with a mirror argument to the local computer and push the repository to CodeCommit. Validate that the files were migrated, and share the CodeCommit repository.
- D. Create the CodeCommit repository using the AWS CLI. Clone the Git repository directly to CodeCommit using the AWS CLI. Validate that the files were migrated, and publish the CodeCommit repository.
Answer: C
NEW QUESTION # 161
You need to scale an RDS deployment. You are operating at 10% writes and 90% reads, based on your logging. How best can you scale this in a simple way?
- A. Create a second master RDS instance and peer the RDS groups.
- B. Create a Multi-AZ RDS install and route read traffic to the standby.
- C. Create read replicas for RDS since the load is mostly reads.
- D. Cache all the database responses on the read side with CloudFront.
Answer: C
Explanation:
The high-availability feature is not a scaling solution for read-only scenarios; you cannot use a standby replica to serve read traffic. To service read-only traffic, you should use a Read Replica.
For more information, see Working with PostgreSQL, MySQL, and MariaDB Read Replicas.
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html
NEW QUESTION # 162
Which of the following will you need to consider so you can set up a solution that incorporates single sign-on from your corporate AD or LDAP directory and restricts access for each user to a designated user folder in a bucket? Choose 3 Answers from the options below
- A. Tagging each folder in the bucket
- B. Setting up a federation proxy or identity provider
- C. Configuring an IAM role
- D. Setting up a matching IAM user for every user in your corporate directory that needs access to a folder in the bucket
- E. Using AWS Security Token Service to generate temporary tokens
Answer: B,C,E
Explanation:
The below diagram showcases how authentication is carried out when having an identity broker. This is an example of a SAML connection, but the same concept holds true for getting access to an AWS resource.
For more information on federated access, please visit the below link:
* http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html
* https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html?icmpid=docs_iam_console
* https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/
NEW QUESTION # 163
A company wants to implement a CI/CD pipeline for building and testing its mobile apps. A DevOps Engineer has been given the following requirements:
* Use AWS CodePipeline to orchestrate the workflow.
* Test the application on real devices.
* Trigger a notification.
* Stage the application binary on a production bucket in a different account.
* Make the application binary publicly accessible.
Which sequence of actions should the Engineer perform in the pipeline to meet the requirements?
- A. Use AWS CodeCommit as the code source and AWS CodeBuild to compile and package the application. Invoke an AWS Lambda function that uploads the application binary to a device farm for testing. Deliver the binary to the production Amazon S3 bucket. Use an S3 bucket policy to allow public read on the production S3 bucket. Trigger notifications by using an Amazon CloudWatch Events rule.
- B. Use AWS CodeCommit as the code source and AWS CodeDeploy to compile and package the application. Use CodeDeploy to deploy the application binary to an AWS Lambda function for testing. Use a third-party library on AWS Lambda to simulate the device platform. Allow a Lambda role to upload to the production Amazon S3 bucket. Make the binary publicly accessible. Trigger notifications using Amazon SNS.
- C. Use an Amazon S3 bucket as the code source and AWS CodeBuild to compile and package the application. Use AWS CodeDeploy to deploy the application binary to a device farm for testing. Deliver the binary to the production S3 bucket. Use an S3 bucket policy to allow public read on the production S3 bucket. Trigger notifications using an Amazon CloudWatch Events rule with Amazon SNS.
- D. Use GitHub as the code source and AWS Lambda to compile and package the application. Use another Lambda function to run unit tests and deliver the application binary to a development bucket. Use the binary from the development bucket and install the application on a personal device for testing. Deliver the binary to the production bucket after approval. Trigger notifications using Amazon SNS.
Answer: A
NEW QUESTION # 164
You have an application running on multiple Amazon EC2 instances within an Auto Scaling group.
You notice that instances are being re-spawned as their health checks are failing in Amazon EC2.
However, before you have a chance to diagnose the issue, the affected instances are being terminated by the Auto Scaling service.
You receive notifications of health checks failing and investigate within 20 minutes.
However, this is not enough time to troubleshoot the issue.
What should you change that will enable you to troubleshoot the instance before it is terminated by the Auto Scaling service, while keeping costs minimal?
- A. Install the Amazon CloudWatch Logs Agent on the instance and configure application and system logs to be sent to the CloudWatch Logs service.
- B. Create an Auto Scaling group lifecycle hook to hold the instance in a Terminating:Wait state until you have completed any troubleshooting. When you have completed troubleshooting, wait for the terminating state to expire, or notify Auto Scaling to complete the lifecycle hook and terminate the instance.
- C. Change the "DeleteOnTermination" flag to false in the Auto Scaling group configuration to ensure that instances are not deleted in the future.
- D. Configure an Amazon SNS topic and associate it with your Auto Scaling group's CloudWatch alarms. Configure an Amazon SQS queue as a subscriber of this topic, and then create a fleet of Amazon EC2 workers that poll this queue and instruct the Amazon EC2 Auto Scaling API to remove the instance from the Auto Scaling group when an alarm is triggered.
Answer: B
NEW QUESTION # 165
Your company has recently extended its datacenter into a VPC on AWS. There is a requirement for on-premises users to manage AWS resources from the AWS console. You don't want to create IAM users for them again. Which of the below options will fit your needs for authentication?
- A. Use OAuth 2.0 to retrieve temporary AWS security credentials to enable your members to sign in to the AWS Management Console.
- B. Use web identity federation to retrieve AWS temporary security credentials to enable your members to sign in to the AWS Management Console.
- C. Use your on-premises SAML 2.0-compliant identity provider (IdP) to grant the members federated access to the AWS Management Console via the AWS single sign-on (SSO) endpoint.
- D. Use your on-premises SAML 2.0-compliant identity provider (IdP) to retrieve temporary security credentials to enable members to sign in to the AWS Management Console.
Answer: C
Explanation:
You can use a role to configure your SAML 2.0-compliant IdP and AWS to permit your federated users to access the AWS Management Console. The role grants the user permissions to carry out tasks in the console.
For more information on AWS SAML, please visit the below URL:
* http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html
NEW QUESTION # 166
Your company currently runs a large multi-tier web application. One component is an API service that all other components of your application rely on to perform read/write operations. This service must have high availability and zero downtime during deployments.
Which technique should you use to provide cost-effective, zero-downtime deployments for this component?
- A. Re-deploy your application on Elastic Beanstalk. During deployment, create a new version of your application, and create a new environment running that version in Elastic BeanStalk. Finally, take advantage of the Elastic Beanstalk Swap CNAME operation to switch to the new environment.
- B. Use an AWS CloudFormation template to re-deploy your application behind a load balancer, and launch a new AWS CloudFormation stack during each deployment. Update your load balancer to send traffic to the new stack, and then deploy your software. Leave your old stacks running, and tag their resources with the version for rollback.
- C. Re-deploy your application behind a load balancer using an AWS OpsWorks stack and use AWS OpsWorks stack versioning, during deployment create a new version of your application, tell AWS OpsWorks to launch the new version behind your load balancer, and when the new version is launched, terminate the old AWS OpsWorks stack.
- D. Re-deploy your application behind a load balancer that uses Auto Scaling groups. Create a new identical Auto Scaling group and associate it to your Amazon Route53 zone. Configure Amazon Route53 to auto- weight traffic over to the new Auto Scaling group when all instances are marked as healthy.
Answer: A
NEW QUESTION # 167
A company wants to automatically re-create its infrastructure using AWS CloudFormation as part of the company's quality assurance (QA) pipeline. For each QA run, a new VPC must be created in a single account, resources must be deployed into the VPC, and tests must be run against this new infrastructure. The company policy states that all VPCs must be peered with a central management VPC to allow centralized logging. The company has existing CloudFormation templates to deploy its VPC and associated resources.
Which combination of steps will achieve the goal in a way that is automated and repeatable?
(Choose two.)
- A. In the CloudFormation template:
  - Invoke a custom resource to generate unique VPC CIDR ranges for the VPC and subnets.
  - Create a peering connection to the management VPC.
  - Update route tables to allow traffic to the management VPC.
- B. In the CloudFormation template:
  - Use the Fn::Cidr function to allocate an unused CIDR range for the VPC and subnets.
  - Create a peering connection to the management VPC.
  - Update route tables to allow traffic to the management VPC.
- C. Use CloudFormation StackSets to deploy the VPC and associated resources to multiple AWS accounts using a custom resource to allocate unique CIDR ranges. Create peering connections from each VPC to the central management VPC and accept those connections in the management VPC.
- D. Create an AWS Lambda function that is invoked by an Amazon CloudWatch Events rule when a CreateVpcPeeringConnection API call is made. The Lambda function should check the source of the peering request, accept the request, and update the route tables for the management VPC to allow traffic to go over the peering connection.
- E. Modify the CloudFormation template to include a mappings object that includes a list of /16 CIDR ranges for each account where the stack will be deployed.
Answer: A,E
NEW QUESTION # 168
You run a 2000-engineer organization. You are about to begin using AWS at a large scale for the first time.
You want to integrate with your existing identity management system running on Microsoft Active Directory, because your organization is a power-user of Active Directory. How should you manage your AWS identities in the most simple manner?
- A. Use an AWS Directory Sync Domain running on AWS Lambda.
- B. Use AWS Directory Service Simple AD.
- C. Use AWS Directory Service AD Connector.
- D. Use a Sync Domain running on AWS Directory Service.
Answer: C
Explanation:
AD Connector is a directory gateway with which you can redirect directory requests to your on-premises Microsoft Active Directory without caching any information in the cloud. AD Connector comes in two sizes, small and large. A small AD Connector is designed for smaller organizations of up to 500 users. A large AD Connector can support larger organizations of up to 5,000 users.
Once set up, AD Connector offers the following benefits:
* Your end users and IT administrators can use their existing corporate credentials to log on to AWS applications such as Amazon Workspaces, Amazon WorkDocs, or Amazon WorkMail.
* You can manage AWS resources like Amazon EC2 instances or Amazon S3 buckets through IAM role-based access to the AWS Management Console.
* You can consistently enforce existing security policies (such as password expiration, password history, and account lockouts) whether users or IT administrators are accessing resources in your on-premises infrastructure or in the AWS Cloud.
* You can use AD Connector to enable multi-factor authentication by integrating with your existing RADIUS-based MFA infrastructure to provide an additional layer of security when users access AWS applications.
For more information on the AD Connector, please visit the below URL:
* http://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_ad_connector.html
NEW QUESTION # 169
Developers are creating a new online transaction processing (OLTP) application for a small database that is very read-write intensive. A single table in the database is updated continuously throughout the day, and the developers want to ensure that the database performance is consistent.
Which Amazon EBS storage option will achieve the MOST consistent performance to help maintain application performance?
- A. Throughput Optimized HDD
- B. General Purpose SSD
- C. Provisioned IOPS SSD
- D. Cold HDD
Answer: C
NEW QUESTION # 170
You are using a configuration management system to manage your Amazon EC2 instances. On your Amazon EC2 Instances, you want to store credentials for connecting to an Amazon RDS MYSQL DB instance. How should you securely store these credentials?
- A. Assign an IAM role to your Amazon EC2 instance, and use this IAM role to access the Amazon RDS DB from your Amazon EC2 instances.
- B. Launch an Amazon EC2 instance and use the configuration management system to bootstrap the instance with the Amazon RDS DB credentials. Create an AMI from this instance.
- C. Store the Amazon RDS DB credentials in Amazon EC2 user data. Import the credentials into the Instance on boot.
- D. Give the Amazon EC2 instances an IAM role that allows read access to a private Amazon S3 bucket. Store a file with database credentials in the Amazon S3 bucket. Have your configuration management system pull the file from the bucket when it is needed.
Answer: A
Explanation:
Creating and Using an IAM Policy for IAM Database Access
To allow an IAM user or role to connect to your DB instance or DB cluster, you must create an IAM policy. After that you attach the policy to an IAM user or role.
Note
To learn more about IAM policies, see Authentication and Access Control for Amazon RDS.
The following example policy allows an IAM user to connect to a DB instance using IAM database authentication.
Important
Don't confuse the rds-db: prefix with other Amazon RDS action prefixes that begin with rds:. You use the rds-db: prefix and the rds-db:connect action only for IAM database authentication. They aren't valid in any other context.
IAM Database Authentication for MySQL and Amazon Aurora
With Amazon RDS for MySQL or Aurora with MySQL compatibility, you can authenticate to your DB instance or DB cluster using AWS Identity and Access Management (IAM) database authentication. With this authentication method, you don't need to use a password when you connect to a DB instance. Instead, you use an authentication token.
An authentication token is a unique string of characters that Amazon RDS generates on request. Authentication tokens are generated using AWS Signature Version 4. Each token has a lifetime of 15 minutes. You don't need to store user credentials in the database, because authentication is managed externally using IAM. You can also still use standard database authentication.
IAM database authentication provides the following benefits:
* Network traffic to and from the database is encrypted using Secure Sockets Layer (SSL).
* You can use IAM to centrally manage access to your database resources, instead of managing access individually on each DB instance or DB cluster.
* For applications running on Amazon EC2, you can use EC2 instance profile credentials to access the database instead of a password, for greater security.
For more information please refer to the below document links from AWS:
* https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html
* https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html
You can use roles to delegate access to users, applications, or services that don't normally have access to your AWS resources. For example, you might want to grant users in your AWS account access to resources they don't usually have, or grant users in one AWS account access to resources in another account. Or you might want to allow a mobile app to use AWS resources, but not want to embed AWS keys within the app (where they can be difficult to rotate and where users can potentially extract them). Sometimes you want to give AWS access to users who already have identities defined outside of AWS, such as in your corporate directory. Or, you might want to grant access to your account to third parties so that they can perform an audit on your resources. For more information on IAM roles, please refer to the below document link from AWS:
* http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
NEW QUESTION # 171
You are in charge of designing a number of CloudFormation templates for your organization. You need to ensure that no one can accidentally update the production-based resources in the stack during a stack update.
How can this be achieved in the most efficient way?
- A. Use a stack-based policy to protect the production-based resources.
- B. Use MFA to protect the resources.
- C. Create tags for the resources and then create IAM policies to protect the resources.
- D. Use S3 bucket policies to protect the resources.
Answer: A
Explanation:
The AWS Documentation mentions
When you create a stack, all update actions are allowed on all resources. By default, anyone with stack update permissions can update all of the resources in the stack. During an update, some resources might require an interruption or be completely replaced, resulting in new physical IDs or completely new storage. You can prevent stack resources from being unintentionally updated or deleted during a stack update by using a stack policy. A stack policy is a JSON document that defines the update actions that can be performed on designated resources.
For more information on protecting stack resources, please visit the below url
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/protect-stack-resources.html
NEW QUESTION # 172
A Development team uses AWS CodeCommit for source code control. Developers apply their changes to various feature branches and create pull requests to move those changes to the master branch when they are ready for production. A direct push to the master branch should not be allowed. The team applied the AWS managed policy AWSCodeCommitPowerUser to the Developers' IAM role, but now members are able to push to the master branch directly on every repository in the AWS account. What actions should be taken to restrict this?
- A. Create an additional policy to include a deny rule for the codecommit:GitPush action, and include a restriction for the specific repositories in the resource statement with a condition for the master reference.
- B. Create an additional policy to include an allow rule for the codecommit:GitPush action and include a restriction for the specific repositories in the resource statement with a condition for the feature branches reference.
- C. Modify the IAM policy and include a deny rule for the codecommit:GitPush action for the specific repositories in the resource statement with a condition for the master reference.
- D. Remove the IAM policy and add an AWSCodeCommitReadOnly policy. Add an allow rule for the codecommit:GitPush action for the specific repositories in the resource statement with a condition for the master reference.
Answer: B
Explanation:
https://aws.amazon.com/pt/blogs/devops/refining-access-to-branches-in-aws-codecommit/