{"id":93,"date":"2021-01-06T16:41:17","date_gmt":"2021-01-06T16:41:17","guid":{"rendered":"https:\/\/exampracticetests.com\/aws\/Solutions_Architect-Professional_SAP-C01\/aws-certified-solutions-architect-professional-sap-c01-question086\/"},"modified":"2021-01-06T16:41:17","modified_gmt":"2021-01-06T16:41:17","slug":"aws-certified-solutions-architect-professional-sap-c01-question086","status":"publish","type":"post","link":"https:\/\/exampracticetests.com\/aws\/Solutions_Architect-Professional_SAP-C01\/aws-certified-solutions-architect-professional-sap-c01-question086\/","title":{"rendered":"AWS Certified Solutions Architect &#8211; Professional SAP-C01 &#8211; Question086"},"content":{"rendered":"<div class=\"question\">Your system recently experienced downtime during the troubleshooting process. You found that a new administrator mistakenly terminated several production EC2 instances.<br \/>\nWhich of the following strategies will help prevent a similar situation in the future?<br \/>\nThe administrator still must be able to: <\/p>\n<ul>\n<li>launch, start, stop, and terminate development resources. <\/li>\n<li>launch and start production instances. <\/li>\n<\/ul>\n<p><strong><br \/>A.<\/strong> Create an IAM user, which is not allowed to terminate instances by leveraging production EC2 termination protection. <br \/><strong>B.<\/strong> Leverage resource-based tagging, along with an IAM user which can prevent specific users from terminating production EC2 resources. 
<br \/><strong>C.<\/strong> Leverage EC2 termination protection and multi-factor authentication, which together require users to authenticate before terminating EC2 instances. <br \/><strong>D.<\/strong> Create an IAM user and apply an IAM role which prevents users from terminating production EC2 instances.<\/div>\n<p><\/p>\n<style> .hidden-div{ display:none } <\/style>\n<p>\t\t\t\t\t\t\t<button onclick=\"getElementById('hidden-div').style.display = 'block'\"> Show Answer <\/button> <button onclick=\"getElementById('hidden-div').style.display = 'none'\">Hide Answer<\/button><\/p>\n<div class=\"hidden-div\" id=\"hidden-div\"><span style=\"\"><\/p>\n<div class=\"answer\">Correct Answer: <strong>B<\/strong><\/div>\n<p><strong>Explanation:<\/strong> <\/p>\n<div class=\"explanation\">\nWorking with volumes<br \/>\nWhen an API action requires a caller to specify multiple resources, you must create a policy statement that allows users to access all required resources. If you need to use a Condition element with one or more of these resources, you must create multiple statements as shown in this example. The following policy allows users to attach volumes with the tag &#8220;volume_user=iam-user-name&#8221; to instances with the tag &#8220;department=dev&#8221;, and to detach those volumes from those instances. If you attach this policy to an IAM group, the aws:username policy variable gives each IAM user in the group permission to attach or detach volumes from the instances with a tag named volume_user that has his or her IAM user name as a value. 
{<br \/>\n &quot;Version&quot;: &quot;2012-10-17&quot;,<br \/>\n &quot;Statement&quot;: [{ &quot;Effect&quot;: &quot;Allow&quot;, &quot;Action&quot;: [<br \/>\n &quot;ec2:AttachVolume&quot;,<br \/>\n &quot;ec2:DetachVolume&quot; ], &quot;Resource&quot;: &quot;arn:aws:ec2:us-east-1:123456789012:instance\/*&quot;, &quot;Condition&quot;: {<br \/>\n &quot;StringEquals&quot;: { &quot;ec2:ResourceTag\/department&quot;: &quot;dev&quot; }<br \/>\n } }, {<br \/>\n &quot;Effect&quot;: &quot;Allow&quot;,<br \/>\n &quot;Action&quot;: [ &quot;ec2:AttachVolume&quot;, &quot;ec2:DetachVolume&quot;<br \/>\n ], &quot;Resource&quot;: &quot;arn:aws:ec2:us-east-1:123456789012:volume\/*&quot;, &quot;Condition&quot;: {<br \/>\n &quot;StringEquals&quot;: { &quot;ec2:ResourceTag\/volume_user&quot;: &quot;${aws:username}&quot; } } }<br \/>\n ] }<br \/>\nLaunching instances (RunInstances)<br \/>\nThe RunInstances API action launches one or more instances. RunInstances requires an AMI and creates an instance; and users can specify a key pair and security group in the request. Launching into EC2-VPC requires a subnet, and creates a network interface. Launching from an Amazon EBS-backed AMI creates a volume. Therefore, the user must have permission to use these Amazon EC2 resources. The caller can also configure the instance using optional parameters to RunInstances, such as the instance type and a subnet. You can create a policy statement that requires users to specify an optional parameter, or restricts users to particular values for a parameter. The examples in this section demonstrate some of the many possible ways that you can control the configuration of an instance that a user can launch. Note that by default, users don&#8217;t have permission to describe, start, stop, or terminate the resulting instances. 
One way to grant the users permission to manage the resulting instances is to create a specific tag for each instance, and then create a statement that enables them to manage instances with that tag. For more information, see 2: Working with instances.<br \/>\na. AMI<br \/>\nThe following policy allows users to launch instances using only the AMIs that have the specified tag, &#8220;department=dev&#8221;, associated with them. The users can&#8217;t launch instances using other AMIs because the Condition element of the first statement requires that users specify an AMI that has this tag. The users also can&#8217;t launch into a subnet, as the policy does not grant permissions for the subnet and network interface resources. They can, however, launch into EC2-Classic. The second statement uses a wildcard to enable users to create instance resources, and requires users to specify the key pair project_keypair and the security group sg-1a2b3c4d. Users are still able to launch instances without a key pair.<br \/>\n{<br \/>\n &quot;Version&quot;: &quot;2012-10-17&quot;,<br \/>\n &quot;Statement&quot;: [{ &quot;Effect&quot;: &quot;Allow&quot;, &quot;Action&quot;: &quot;ec2:RunInstances&quot;, &quot;Resource&quot;: [<br \/>\n&quot;arn:aws:ec2:region::image\/ami-*&quot; ], &quot;Condition&quot;: {<br \/>\n &quot;StringEquals&quot;: { &quot;ec2:ResourceTag\/department&quot;: &quot;dev&quot; }<br \/>\n } }, {<br \/>\n &quot;Effect&quot;: &quot;Allow&quot;, &quot;Action&quot;: &quot;ec2:RunInstances&quot;, &quot;Resource&quot;: [<br \/>\n&quot;arn:aws:ec2:region:account:instance\/*&quot;, &quot;arn:aws:ec2:region:account:volume\/*&quot;, &quot;arn:aws:ec2:region:account:key-pair\/project_keypair&quot;, &quot;arn:aws:ec2:region:account:security-group\/sg-1a2b3c4d&quot;<br \/>\n ] }<br \/>\n ] }<br \/>\nAlternatively, the following policy allows users to launch instances using only the specified AMIs, ami-9e1670f7 and ami-45cf5c3c. 
The users can&#8217;t launch an instance using other AMIs (unless another statement grants the users permission to do so), and the users can&#8217;t launch an instance into a subnet.<br \/>\n{<br \/>\n &quot;Version&quot;: &quot;2012-10-17&quot;,<br \/>\n &quot;Statement&quot;: [{ &quot;Effect&quot;: &quot;Allow&quot;, &quot;Action&quot;: &quot;ec2:RunInstances&quot;, &quot;Resource&quot;: [<br \/>\n &quot;arn:aws:ec2:region::image\/ami-9e1670f7&quot;, &quot;arn:aws:ec2:region::image\/ami-45cf5c3c&quot;, &quot;arn:aws:ec2:region:account:instance\/*&quot;, &quot;arn:aws:ec2:region:account:volume\/*&quot;, &quot;arn:aws:ec2:region:account:key-pair\/*&quot;, &quot;arn:aws:ec2:region:account:security-group\/*&quot;<br \/>\n ] }<br \/>\n ] }<br \/>\nAlternatively, the following policy allows users to launch instances from all AMIs owned by Amazon. The Condition element of the first statement tests whether ec2:Owner is amazon. The users can&#8217;t launch an instance using other AMIs (unless another statement grants the users permission to do so). The users are able to launch an instance into a subnet. 
{<br \/>\n &quot;Version&quot;: &quot;2012-10-17&quot;,<br \/>\n &quot;Statement&quot;: [{ &quot;Effect&quot;: &quot;Allow&quot;, &quot;Action&quot;: &quot;ec2:RunInstances&quot;, &quot;Resource&quot;: [<br \/>\n&quot;arn:aws:ec2:region::image\/ami-*&quot; ], &quot;Condition&quot;: {<br \/>\n &quot;StringEquals&quot;: { &quot;ec2:Owner&quot;: &quot;amazon&quot; }<br \/>\n } },<br \/>\n { &quot;Effect&quot;: &quot;Allow&quot;, &quot;Action&quot;: &quot;ec2:RunInstances&quot;, &quot;Resource&quot;: [<br \/>\n&quot;arn:aws:ec2:region:account:instance\/*&quot;, &quot;arn:aws:ec2:region:account:subnet\/*&quot;, &quot;arn:aws:ec2:region:account:volume\/*&quot;, &quot;arn:aws:ec2:region:account:network-interface\/*&quot;, &quot;arn:aws:ec2:region:account:key-pair\/*&quot;, &quot;arn:aws:ec2:region:account:security-group\/*&quot; ]<br \/>\n } ] }<br \/>\nb. Instance type<br \/>\nThe following policy allows users to launch instances using only the t2.micro or t2.small instance type, which you might do to control costs. The users can&#8217;t launch larger instances because the Condition element of the first statement tests whether ec2:InstanceType is either t2.micro or t2.small. 
{<br \/>\n &quot;Version&quot;: &quot;2012-10-17&quot;,<br \/>\n &quot;Statement&quot;: [{ &quot;Effect&quot;: &quot;Allow&quot;, &quot;Action&quot;: &quot;ec2:RunInstances&quot;, &quot;Resource&quot;: [<br \/>\n &quot;arn:aws:ec2:region:account:instance\/*&quot; ], &quot;Condition&quot;: {<br \/>\n &quot;StringEquals&quot;: { &quot;ec2:InstanceType&quot;: [&quot;t2.micro&quot;, &quot;t2.small&quot;] }<br \/>\n } }, {<br \/>\n &quot;Effect&quot;: &quot;Allow&quot;, &quot;Action&quot;: &quot;ec2:RunInstances&quot;, &quot;Resource&quot;: [<br \/>\n &quot;arn:aws:ec2:region::image\/ami-*&quot;, &quot;arn:aws:ec2:region:account:subnet\/*&quot;, &quot;arn:aws:ec2:region:account:network-interface\/*&quot;, &quot;arn:aws:ec2:region:account:volume\/*&quot;, &quot;arn:aws:ec2:region:account:key-pair\/*&quot;, &quot;arn:aws:ec2:region:account:security-group\/*&quot; ]<br \/>\n }<br \/>\n ] }<br \/>\nAlternatively, you can create a policy that denies users permission to launch any instances except t2.micro and t2.small instance types. 
{<br \/>\n &quot;Version&quot;: &quot;2012-10-17&quot;,<br \/>\n &quot;Statement&quot;: [{ &quot;Effect&quot;: &quot;Deny&quot;, &quot;Action&quot;: &quot;ec2:RunInstances&quot;, &quot;Resource&quot;: [<br \/>\n &quot;arn:aws:ec2:region:account:instance\/*&quot; ], &quot;Condition&quot;: {<br \/>\n &quot;StringNotEquals&quot;: { &quot;ec2:InstanceType&quot;: [&quot;t2.micro&quot;, &quot;t2.small&quot;] }<br \/>\n } }, {<br \/>\n &quot;Effect&quot;: &quot;Allow&quot;, &quot;Action&quot;: &quot;ec2:RunInstances&quot;, &quot;Resource&quot;: [<br \/>\n &quot;arn:aws:ec2:region::image\/ami-*&quot;, &quot;arn:aws:ec2:region:account:network-interface\/*&quot;, &quot;arn:aws:ec2:region:account:instance\/*&quot;,<br \/>\n &quot;arn:aws:ec2:region:account:subnet\/*&quot;, &quot;arn:aws:ec2:region:account:volume\/*&quot;, &quot;arn:aws:ec2:region:account:key-pair\/*&quot;, &quot;arn:aws:ec2:region:account:security-group\/*&quot; ]<br \/>\n } ] }<br \/>\nc. Subnet<br \/>\nThe following policy allows users to launch instances using only the specified subnet, subnet-12345678. The group can&#8217;t launch instances into any other subnet (unless another statement grants the users permission to do so). Users are still able to launch instances into EC2-Classic. 
{<br \/>\n &quot;Version&quot;: &quot;2012-10-17&quot;,<br \/>\n &quot;Statement&quot;: [{ &quot;Effect&quot;: &quot;Allow&quot;, &quot;Action&quot;: &quot;ec2:RunInstances&quot;, &quot;Resource&quot;: [<br \/>\n &quot;arn:aws:ec2:region:account:subnet\/subnet-12345678&quot;, &quot;arn:aws:ec2:region:account:network-interface\/*&quot;, &quot;arn:aws:ec2:region:account:instance\/*&quot;, &quot;arn:aws:ec2:region:account:volume\/*&quot;, &quot;arn:aws:ec2:region::image\/ami-*&quot;, &quot;arn:aws:ec2:region:account:key-pair\/*&quot;, &quot;arn:aws:ec2:region:account:security-group\/*&quot;<br \/>\n ] }<br \/>\n ] }<br \/>\nAlternatively, you could create a policy that denies users permission to launch an instance into any other subnet. The statement does this by denying permission to create a network interface, except where subnet subnet-12345678 is specified. This denial overrides any other policies that are created to allow launching instances into other subnets. Users are still able to launch instances into EC2-Classic. 
{<br \/>\n &quot;Version&quot;: &quot;2012-10-17&quot;,<br \/>\n &quot;Statement&quot;: [{ &quot;Effect&quot;: &quot;Deny&quot;, &quot;Action&quot;: &quot;ec2:RunInstances&quot;, &quot;Resource&quot;: [<br \/>\n &quot;arn:aws:ec2:region:account:network-interface\/*&quot; ], &quot;Condition&quot;: {<br \/>\n &quot;ArnNotEquals&quot;: { &quot;ec2:Subnet&quot;: &quot;arn:aws:ec2:region:account:subnet\/subnet-12345678&quot; }<br \/>\n } }, {<br \/>\n &quot;Effect&quot;: &quot;Allow&quot;, &quot;Action&quot;: &quot;ec2:RunInstances&quot;, &quot;Resource&quot;: [<br \/>\n &quot;arn:aws:ec2:region::image\/ami-*&quot;, &quot;arn:aws:ec2:region:account:network-interface\/*&quot;, &quot;arn:aws:ec2:region:account:instance\/*&quot;, &quot;arn:aws:ec2:region:account:subnet\/*&quot;, &quot;arn:aws:ec2:region:account:volume\/*&quot;, &quot;arn:aws:ec2:region:account:key-pair\/*&quot;, &quot;arn:aws:ec2:region:account:security-group\/*&quot; ]<br \/>\n } ] }<\/div>\n<p><\/strong><\/span> <\/div>\n","protected":false},"excerpt":{"rendered":"<p>Your system recently experienced downtime during the troubleshooting process. You found that a new administrator mistakenly terminated several production EC2 instances. Which of the following strategies will help prevent a similar situation in the future? The administrator still must be able to: launch, start, stop, and terminate development resources. launch and start production instances. 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[3,89],"class_list":["post-93","post","type-post","status-publish","format-standard","hentry","category-aws-certified-solutions-architect-professional-sap-c01","tag-aws-certified-solutions-architect-professional-sap-c01","tag-question-086"],"_links":{"self":[{"href":"https:\/\/exampracticetests.com\/aws\/Solutions_Architect-Professional_SAP-C01\/wp-json\/wp\/v2\/posts\/93","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/exampracticetests.com\/aws\/Solutions_Architect-Professional_SAP-C01\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/exampracticetests.com\/aws\/Solutions_Architect-Professional_SAP-C01\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/exampracticetests.com\/aws\/Solutions_Architect-Professional_SAP-C01\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/exampracticetests.com\/aws\/Solutions_Architect-Professional_SAP-C01\/wp-json\/wp\/v2\/comments?post=93"}],"version-history":[{"count":0,"href":"https:\/\/exampracticetests.com\/aws\/Solutions_Architect-Professional_SAP-C01\/wp-json\/wp\/v2\/posts\/93\/revisions"}],"wp:attachment":[{"href":"https:\/\/exampracticetests.com\/aws\/Solutions_Architect-Professional_SAP-C01\/wp-json\/wp\/v2\/media?parent=93"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/exampracticetests.com\/aws\/Solutions_Architect-Professional_SAP-C01\/wp-json\/wp\/v2\/categories?post=93"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/exampracticetests.com\/aws\/Solutions_Architect-Professional_SAP-C01\/wp-json\/wp\/v2\/tags?post=93"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}