Amazon Amazon Certifications ANS-C00 Questions & Answers

• Question 291:

  Each custom AWS Config rule you create must be associated with a(n) AWS ____, which contains the logic that evaluates whether your AWS resources comply with the rule.

  A. Lambda function

  B. Configuration trigger

  C. EC2 instance

  D. S3 bucket

  Correct Answer: A

  Explanation: You can develop custom AWS Config rules to be evaluated by associating each of them with an AWS Lambda function, which contains the logic that evaluates whether your AWS resources comply with the rule. You associate this function with your rule, and the rule invokes the function either in response to configuration changes or periodically. The function then evaluates whether your resources comply with your rule, and sends its evaluation results to AWS Config.

  Reference: http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules.html

• Question 292:

  AWS Config flags a resource as ____ if a resource violates any conditions of an AWS Config rule that it evaluates on the resource in question.

  A. corrupted

  B. noncompliant

  C. invalid

  D. misconfigured

  Correct Answer: B

  Explanation:

  Use AWS Config to evaluate the configuration settings of your AWS resources. You do this by creating

  AWS Config rules, which represent your ideal configuration settings. AWS Config provides customizable,

  predefined rules called managed rules to help you get started. You can also create your own custom rules.

  While AWS Config continuously tracks the configuration changes that occur among your resources, it checks whether these changes violate any of the conditions in your rules. If a resource violates a rule, AWS Config flags the resource and the rule as noncompliant.

  Reference: http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html

• Question 293:

  Which AWS service is used within an AWS Config Rule to perform the logic evaluation of that rule?

  A. Inspector

  B. WAF

  C. Lambda

  D. SWF

  Correct Answer: C

  Explanation: AWS Config Rules are a great way to help you enforce specific compliance controls and checks across your resources and allows for you to adopt an `ideal' deployment specification for each of your resource types. Each Rule is simply a Lambda function that when called upon evaluates the resource and carries out some simply logic to determine the compliance result with the rule.

  Reference: http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_developrules_nodejs-sample.html

• Question 294:

  Which element of AWS Config can be used to help maintain internal and external compliance controls?

  A. Configuration Item

  B. Configuration Recorder

  C. Configuration Streams

  D. Config Rules

  Correct Answer: D

  Explanation: AWS Config allows you to utilise Config Rules to help you manage and organise this compliance which acts as an automatic resource compliance checker. When a change is made to a resource, AWS Config will check to see if the resource matches a rule, and if so it will check the compliance of that resource against the rule following the changes made.

  Reference: https://aws.amazon.com/config/

• Question 295:

  Non-compliant resources identified through the use of AWS Config Rules are automatically removed from operational service.

  A. It depends on the Rule configuration

  B. Only if it remains non-compliant for more than 6 hours

  C. True

  D. False

  Correct Answer: D

  Explanation: Each time a change is made to one of your supported resources, AWS config will check its compliance against any Config Rules that you have in place. If there is a violation against these rules then AWS Config will send a message to the Configuration Stream via SNS and the resource will be marked as `noncompliant'.

  It's important to note that this does not mean the resource will be taken out of service or it will stop working. It will continue to operate exactly as it is with its new configuration. AWS Config simply alerts you that there is a violation and it's up to you to take the appropriate action.

  Reference: http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_viewcompliance.html

• Question 296:

  Which other AWS service is used to track `Related Events' within the Configuration Item?

  A. AWS WAF

  B. SQS

  C. AWS CloudTrail

  D. S3

  Correct Answer: C

  Explanation:

  `Related Events' displays the AWS CloudTrail event ID that is related to the change that triggered the

  creation of the CI. There is a new CI made for every change made against a resource. As a result a

  different CloudTrail event IDs will be created. This allows you you to deep-dive into who or what and when

  made the change that triggered this CI. A great feature allowing for some great analysis to be taken,

  specifically when this affects security resources.

  Reference: http://docs.aws.amazon.com/config/latest/developerguide/resource-configreference.html#config-item-table

• Question 297:

  An AWS Config rule can be set to be evaluated if a certain set of resources undergoes a configuration change. The set of resources to which the rule applies can be restricted by the rule's ____, which can include a combination of a resource type and a resource ID, for example.

  A. trigger

  B. domain

  C. manifest

  D. scope

  Correct Answer: D

  Explanation:

  When you add an AWS Config rule to your account, you can specify when you want AWS Config to run the

  rule; this is called a trigger. AWS Config evaluates your resource configurations against the rule when the

  trigger occurs. You choose which resources trigger the evaluation by defining the rule's scope. The scope

  can include the following:

  One or more resource types

  A combination of a resource type and a resource ID A combination of a tag key and value.

  When any recorded resource is created, updated, or deleted AWS Config runs the evaluation when it

  detects a change to a resource that matches the rule's scope. You can use the scope to constrain which

  resources trigger evaluations. Otherwise, evaluations are triggered when any recorded resource changes.

  Reference: http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config-rules.html

• Question 298:

  You can use the ____ page of the AWS Config console to look up resources that AWS Config has discovered, including deleted resources and resources that are not currently being recorded.

  A. snapshot listing

  B. configuration history

  C. resource inventory

  D. resource database

  Correct Answer: C

  Explanation: You can use the AWS Config console, AWS CLI, and AWS Config API to look up the resources that AWS Config has taken an inventory of, or discovered, including deleted resources and resources that AWS Config is not currently recording. AWS Config discovers supported resource types only. You can use the AWS Config console in the AWS Management console to look up these resources. The Resource Inventory page lets you perform this search.

  Reference: http://docs.aws.amazon.com/config/latest/developerguide/looking-up-discoveredresources.html

• Question 299:

  When using AWS Config, which two items are stored on S3 as a part of its operation?

  A. Configuration Items and Configuration History

  B. Configuration Recorder and Configuration Snapshots

  C. Configuration History and Configuration Snapshots

  D. Configuration Snapshots and Configuration Streams

  Correct Answer: C

  Explanation: S3 is used to store the Configuration History files and any Configuration Snapshots of your data within a single bucket, which is defined within the Configuration Recorder. You can get AWS Config to create a new bucket for you and select an existing bucket. If you have multiple AWS accounts you may want to aggregate your Configuration History and Snapshot files into the same S3 Bucket for your primary account, just be aware that this can be achieved. However, you will need to grant write access for the service principal (config.amazonaws.com) in your other accounts write access to the S3 bucket.

  Reference: http://docs.aws.amazon.com/config/latest/developerguide/config-concepts.html#config-items

• Question 300:

  When an AWS Config rule is triggered a JSON object known as an AWS Config Event is created. This object contains a(n) ____ attribute, which is a JSON-formatted set of key/value pairs the receiving AWS Lambda function processes as part of its evaluation logic.

  A. inputParameters

  B. invokingEvent

  C. ruleConfiguration

  D. mappingTemplate

  Correct Answer: A

  Explanation: The JSON object for an AWS Config event contains a ruleParameters attribute, which is a set of key/value pairs that the AWS Lambda function receiving the event processes as part of its evaluation logic. You define parameters when you use the AWS Config console to create a custom rule. You can also define parameters with the InputParameters attribute in the PutConfigRule AWS Config API request or the put-config-rule AWS CLI command. The JSON code for the parameters is contained within a string, so a function must parse the string with a JSON parser to be able to evaluate its contents

  Reference: http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules_exa mple-events.html