AWS-DevOps-Engineer-Professional問題集、Amazon実際の試験問題

質問 1

What is web identity federation?

A. Use of an identity provider like Google or Facebook to exchange for temporary AWS security credentials.

B. Use of AWS IAM User tokens to log in as a Google or Facebook user.

C. Use of an identity provider like Google or Facebook to become an AWS IAM User.

D. Use of AWS STS Tokens to log in as a Google or Facebook user.

正解: A

解説: (PassTest メンバーにのみ表示されます)

質問 2

A company uses AWS CodePipeline to manage and deploy infrastructure as code. The infrastructure is defined in AWS CloudFormation templates and is primarily comprised of multiple Amazon EC2 instances and Amazon RDS databases. The Security team has observed many operators creating inbound security group rules with a source CIDR of 0 0 0 0/0 and would like to proactively stop the deployment of rules with open CIDRs The DevOps Engineer will implement a predeptoyment step that runs some security checks over the CloudFormation template before the pipeline processes it. This check should allow only inbound security group rules with a source CIDR of 0.0.0.0/0 if the rule has the description
"Security Approval Ref XXXXX (where XXXXX is a preallocated reference). The pipeline step should fail if this condition is not met and the deployment should be blocked How should this be accomplished?

A. Add an initial stage to CodePipeline called Security Check. This stage should call an AWS Lambda function that scans the CloudFormation template and fails the pipeline if it finds
0.0.0.0/0 in a security group without a description referencing a security approval

B. Modify the IAM role used by CodePipeline. The IAM policy should deny access.

C. Enable a SCP in AWS Organizations. The policy should deny access to the API call Create Security GroupRule if the rule specifies 0.0.0.0/0 without a description referencing a security approval

D. Create an AWS Config rule that is triggered on creation or edit of resource type EC2 SecurityGroup.
This rule should call an AWS Lambda function to send a failure notification if the security group has any rules with a source CIDR of 0.0.0.0/0 without a description referencing a security approval.

正解: A

質問 3

Your development team wants account-level access to production instances in order to do live debugging of a highly secure environment.
Which of the following should you do?

A. Place each developer's own public key into a private S3 bucket, use instance profiles and configuration management to create a user account for each developer on all instances, and place the user's public keys into the appropriate account.

B. Place an internally created private key into a secure S3 bucket with server-side encryption using customer keys and configuration management, create a service account on all the instances using this private key, and assign IAM users to each developer so they can download the file.

C. Place the credentials provided by Amazon Elastic Compute Cloud (EC2) into a secure Amazon Sample Storage Service (S3) bucket with encryption enabled.
Assign AWS Identity and Access Management (IAM) users to each developer so they can download the credentials file.

D. Place the credentials provided by Amazon EC2 onto an MFA encrypted USB drive, and physically share it with each developer so that the private key never leaves the office.

正解: A

質問 4

A company recently migrated its legacy application from on-premises to AWS. The application is hosted on Amazon EC2 instances behind an Application Load Balancer, which is behind Amazon API Gateway. The company wants to ensure users experience minimal disruptions during any deployment of a new version of the application. The company also wants to ensure it can quickly roll back updates if there is an issue.
Which solution will meet these requirements with MINIMAL changes to the application?

A. Introduce changes as a separate environment parallel to the existing one.
Update the application's DNS alias records to point to the new environment.

B. Introduce changes as a separate target group behind the existing Application Load Balancer.
Configure API Gateway to route user traffic to the new target group in steps.

C. Introduce changes as a separate target group behind the existing Application Load Balancer.
Configure API Gateway to route all traffic to the Application Load Balancer, which then sends the traffic to the new target group.

D. Introduce changes as a separate environment parallel to the existing one.
Configure API Gateway to use a canary release deployment to send a small subset of user traffic to the new environment.

正解: D

質問 5

You work for a company that automatically tags photographs using artificial neural networks (ANNs), which run on GPUs using C++. You receive millions of images at a time, but only 3 times per day on average. These images are loaded into an AWS S3 bucket you control for you in a batch, and then the customer publishes a JSON-formatted manifest into another S3 bucket you control as well. Each image takes 10 milliseconds to process using a full GPU. Your neural network software requires 5 minutes to bootstrap. Image tags are JSON objects, and you must publish them to an S3 bucket. Which of these is the best system architectures for this system?

A. Make an S3 notification configuration which publishes to AWS Lambda on the manifest bucket.
Make the Lambda create a CloudFormation Stack which contains the logic to construct an autoscaling worker tier of EC2 G2 instances with the ANN code on each instance. Create an SQS queue of the images in the manifest. Tear the stack down when the queue is empty.

B. Create an Auto Scaling, Load Balanced Elastic Beanstalk worker tier Application and Environment.
Deploy the ANN code to G2 instances in this tier. Set the desired capacity to 1. Make the code periodically check S3 for new manifests. When a new manifest is detected, push all of the images in the manifest into the SQS queue associated with the Elastic Beanstalk worker tier.

C. Deploy your ANN code to AWS Lambda as a bundled binary for the C++ extension. Make an S3 notification configuration on the manifest, which publishes to another AWS Lambda running controller code. This controller code publishes all the images in the manifest to AWS Kinesis.
Your ANN code Lambda Function uses the Kinesis as an Event Source. The system automatically scales when the stream contains image events.

D. Create an OpsWorks Stack with two Layers. The first contains lifecycle scripts for launching and bootstrapping an HTTP API on G2 instances for ANN image processing, and the second has an always-on instance which monitors the S3 manifest bucket for new files. When a new file is detected, request instances to boot on the ANN layer. When the instances are booted and the HTTP APIs are up, submit processing requests to individual instances.

正解: A

解説: (PassTest メンバーにのみ表示されます)

質問 6

A company wants to use Amazon DynamoDB for maintaining metadata on its forums. See the sample data set in the image below.

A DevOps Engineer is required to define the table schema with the partition key, the sort key, the local secondary index, projected attributes, and fetch operations. The schema should support the following example searches using the least provisioned read capacity units to minimize cost.
- Search within ForumName for items where the subject starts with `a'.
- Search forums within the given LastPostDateTime time frame.
- Return the thread value where LastPostDateTime is within the last
three months.
Which schema meets the requirements?

A. Use ForumName as the primary key and Subject as the sort key. Have LSI with Thread as the sort key and the projected attribute LastPostDateTime.

B. Use Subject as the primary key and ForumName as the sort key. Have LSI with LastPostDateTime as the sort key and fetch operations for thread.

C. Use ForumName as the primary key and Subject as the sort key. Have LSI with LastPostDateTime as the sort key and the projected attribute thread.

D. Use Subject as the primary key and ForumName as the sort key. Have LSI with Thread as the sort key and fetch operations for LastPostDateTime.

正解: C

解説: (PassTest メンバーにのみ表示されます)

質問 7

A company is using AWS CodePipeline to automate its release pipeline. AWS CodeDeploy is being used in the pipeline to deploy an application to Amazon ECS using the blue/green deployment model. The company wants to implement scripts to test the green version of the application before shifting traffic. These scripts will complete in 5 minutes or less. If errors are discovered during these tests, the application must be rolled back.
Which strategy will meet these requirements?

A. Add a stage to the CodePipeline pipeline between the source and deploy stages.
Use AWS CodeBuild to create an execution environment and build commands in the buildspec file to invoke test scripts.
If errors are found, use the aws deploy stop-deployment command to stop the deployment.

B. Add a stage to the CodePipeline pipeline between the source and deploy stages.
Use this stage to execute an AWS Lambda function that will run the test scripts.
If errors are found, use the aws deploy stop-deployment command to stop the deployment.

C. Add a hooks section to the CodeDeploy AppSpec file.
Use the AfterAllowTestTraffic lifecycle event to invoke an AWS Lambda function to run the test scripts.
If errors are found, exit the Lambda function with an error to trigger rollback.

D. Add a hooks section to the CodeDeploy AppSpec file.
Use the AfterAllowTraffic lifecycle event to invoke the test scripts.
If errors are found, use the aws deploy stop-deployment CLI command to stop the deployment.

正解: C

解説: (PassTest メンバーにのみ表示されます)

質問 8

A company wants to use AWS CloudFormation for infrastructure deployment. The company has strict tagging and resource requirements and wants to limit the deployment to two Regions.
Developers will need to deploy multiple versions of the same application.
Which solution ensures resources are deployed in accordance with company policy?

A. Create CloudFormation StackSets with approved CloudFormation templates.

B. Create AWS Service Catalog products with approved CloudFormation templates.

C. Create a CloudFormation drift detection operation to find and remediate unapproved CloudFormation StackSets.

D. Create AWS Trusted Advisor checks to find and remediate unapproved CloudFormation StackSets.

正解: A

解説: (PassTest メンバーにのみ表示されます)

質問 9

Your application stores sensitive information on an EBS volume attached to your EC2 instance.
How can you protect your information? Choose two answers from the options given below

A. Copy the unencrypted snapshot and check the box to encrypt the new snapshot. Volumes restored from this encrypted snapshot will also be encrypted.

B. Unmount the EBS volume, take a snapshot and encrypt the snapshot. Re-mount the Amazon EBS volume

C. It is not possible to encrypt an EBS volume, you must use a lifecycle policy to transfer data to S3 for encryption.

D. Create and mount a new, encrypted Amazon EBS volume. Move the data to the new volume. Delete the old Amazon EBS volume.

正解: A,D

解説: (PassTest メンバーにのみ表示されます)

質問 10

A company has 100 GB of log data in an Amazon S3 bucket stored in .csv format. SQL developers want to query this data and generate graphs to visualize it. They also need an efficient, automated way to store metadata from the .csv file.
Which combination of steps should be taken to meet these requirements with the LEAST amount of effort? (Choose three.)

A. Use AWS Glue as the persistent metadata store.

B. Filter the data through AWS X-Ray to visualize the data.

C. Query the data with Amazon Redshift.

D. Use Amazon S3 as the persistent metadata store.

E. Query the data with Amazon Athena.

F. Filter the data through Amazon QuickSight to visualize the data.

正解: A,E,F

解説: (PassTest メンバーにのみ表示されます)

Amazon AWS Certified DevOps Engineer - Professional - AWS-DevOps-Engineer-Professional 模擬練習