A company needs to deploy virtual desktops to its customers in a virtual private cloud, leveraging existing security controls. Which set of AWS services and features will meet the company's requirements?
Correct Answer:C
My Read Replica appears "stuck" after a MuIti-AZ failover and is unable to obtain or apply updates from the source DB Instance. What do I do?
Correct Answer:A
By default, EBS volumes that are created and attached t o an instance at launch are deleted when t hat instance is terminated. You can modify this behavior by changing the value of the flag _ to false when you launch the instance
Correct Answer:A
Your system recently experienced down time during the troubleshooting process. You found that a new administrator mistakenly terminated several production EC2 instances.
Which of the following strategies will help prevent a similar situation in the future? The administrator still must be able to:
- launch, start stop, and terminate development resources.
- launch and start production instances.
Correct Answer:B
Working with volumes
When an API action requires a caller to specify multiple resources, you must create a policy statement that allows users to access all required resources. If you need to use a Condition element with one or more of these resources, you must create multiple statements as shown in this example.
The following policy allows users to attach volumes with the tag "volume_user=iam-user-name" to instances with the tag "department=dev", and to detach those volumes from those instances. If you attach this policy to an IAM group, the aws:username policy variable gives each IAM user in the group permission to attach or detach volumes from the instances with a tag named voIume_ user that has his or her IAM user name as a value.
{
"Version": "2012-10-I7",
"Statement": [{
"Effect": "A||ow", "Action": [ "ec2:AttachVoIume",
"ec2:DetachVoIume" I,
"Resource": "arn :aws:ec2:us-east-1:123456789012:instanee/*", "Condition": {
"StringEqua|s": { "ec2:ResourceTag/department": "dev" I
I I,
{
"Effect": "A||ow", "Action": [ "ec2:AttachVoIume", "ec2:DetachVoIume" I,
"Resource": "arn:aws:ec2:us-east-1:123456789012:voIume/*", "Condition": {
"StringEqua|s": {
"ec2:ResourceTag/voIume_user": "${aws:username}" I
I I I I
Launching instances (Runlnstances)
The Runlnstances API action launches one or more instances. Runlnstances requires an AM and creates an instance; and users can specify a key pair and security group in the request. Launching into EC2-VPC requires a subnet, and creates a network interface. Launching from an Amazon EBS-backed AM creates a volume. Therefore, the user must have permission to use these Amazon EC2 resources. The caller can also configure the instance using optional parameters to Run Instances, such as the instance type and a subnet. You can create a policy statement that requires users to specify an optional parameter, or restricts users to particular values for a parameter. The examples in this section demonstrate some of the many possible ways that you can control the configuration of an instance that a user can launch.
Note that by default, users don't have permission to describe, start, stop, or terminate the resulting instances. One way to grant the users permission to manage the resulting instances is to create a specific tag for each instance, and then create a statement that enables them to manage instances with that tag. For more information, see 2: Working with instances.
a. AMI
The following policy allows users to launch instances using only the AM|s that have the specified tag, "department=dev", associated with them. The users can't launch instances using other ANI Is because the Condition element of the first statement requires that users specify an AM that has this tag. The users also can't launch into a subnet, as the policy does not grant permissions for the subnet and network interface resources. They can, however, launch into EC2-Ciassic. The second statement uses a wildcard to enable users to create instance resources, and requires users to specify the key pair
project_keypair and the security group sg-1a2b3c4d. Users are still able to launch instances without a key pair.
{
"Version": "2012-10-I7",
"Statement": [{ I,
{
"Effect": "A||ow",
"Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:region::image/ami-*" I,
"Condition": { "StringEqua|s": {
"ec2:ResourceTag/department": "dev" I
I I,
{
"Effect": "A||ow",
"Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:region:account:instance/*", "arn:aws:ec2:region:account:voIume/*",
"arn:aws:ec2:region:account:key-pair/project_keypair",
"arn :aws :ec2: region: account:security-group/sg-1a 2b3c4d" I
I
}
Alternatively, the following policy allows users to launch instances using only the specified AMIs, ami-9e1670f7 and ami-45cf5c3c. The users can't launch an instance using other AMIs (unless another statement grants the users permission to do so), and the users can't launch an instance into a subnet.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "A||ow",
"Action": "ec2:RunInstances", "Resource": [
"arn:aws:ec2:region::image/ami-9e1670f7", "arn:aws:ec2:region::image/ami-45cf5c3c", "arn:aws:ec2:region:account:instance/*", "arn:aws:ec2:region:account:voIume/*", "arn:aws:ec2:region:account:key-pair/*", "arn:aws:ec2:region:account:security-group/*"
}
}
Alternatively, the following policy allows users to launch instances from all AMs owned by Amazon. The Condition element of the first statement tests whether ec2:0wner is amazon. The users can't launch an instance using other AM Is (unless another statement grants the users permission to do so).
The users are able to launch an instance into a subnet. "Version": "2012-10-17",
"Statement": [{
"Effect": "A| low",
"Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:region::image/ami-*" l,
"Condition": { "StringEqua|s": { "ec2:0wner": "amazon"
}
},
{
"Effect": "A||ow",
"Action": "ec2:RunInstances", "Resource" : [ "arn:aws:ec2:region:account:instance/*", "arn:aws:ec2:region:account:subnet/*", "arn:aws:ec2:region:account:voIume/*",
"arn:aws:ec2:region:account:network-interface/*", "arn:aws:ec2:region:account:key-pair/*", "arn:aws:ec2:region:account:security-group/*"
I
} I
}
b. Instance type
The following policy allows users to launch instances using only the t2.micro or t2.sma|I instance type, which you might do to control costs. The users can't launch larger instances because the Condition element of the first statement tests whether ec2:1nstanceType is either t2.micro or t2.smaII.
{
"Version": "2012-10-I7",
"Statement": [{
"Effect": "A| low",
"Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:region:account:instance/*" I,
"Condition": { "StringEqua|s": {
"ec2:1nstanceType": ["t2.micro", "t2.smaII"]
}
}
},
{
"Effect": "A||ow",
"Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:region::image/ami-*", "arn:aws:ec2:region:account:subnet/*",
"arn:aws:ec2:region:account:network-interface/*", "arn:aws:ec2:region:account:voIume/*", "arn:aws:ec2:region:account:key-pair/*", "arn:aws:ec2:region:account:security-group/*"
I
} I
}
Alternatively, you can create a policy that denies users permission to launch any instances except t2.micro and t2.sma|I instance types.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:region:account:instance/*" l,
"Condition": { "StringNotEqua|s": {
"ec2:1nstanceType": ["t2.micro", "t2.smaII"]
}
}
},
{
"Effect": "A||ow",
"Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:region::image/ami-*",
"arn:aws:ec2:region:account:network-interface/* "arn:aws:ec2:region:account:instance/*", "arn:aws:ec2:region:account:subnet/*", "arn:aws:ec2:region:account:voIume/*", "arn:aws:ec2:region:account:key-pair/*", "arn:aws:ec2:region:account:security-group/*"
}
}
c. Subnet
The following policy allows users to launch instances using only the specified subnet, subnet-12345678. The group can't launch instances into any another subnet (unless another statement grants the users permission to do so). Users are still able to launch instances into EC2-Ciassic.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "A||ow",
"Action": "ec2:RunInstances", "Resource": [
"arn :aws :ec2: region:account:subnet/subnet-123456 78",
"arn:aws:ec2:region:account:network-interface/*", "arn:aws:ec2:region:account:instance/*", "arn:aws:ec2:region:account:voIume/*", "arn:aws:ec2:region::image/ami-*", "arn:aws:ec2:region:account:key-pair/*", "arn:aws:ec2:region:account:security-group/*"
}
}
Alternatively, you could create a policy that denies users permission to launch an instance into any other subnet. The statement does this by denying permission to create a network interface, except where subnet subnet-12345678 is specified. This denial overrides any other policies that are created to allow launching instances into other subnets. Users are still able to launch instances into EC2-Classic.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Action": "ec2:RunInstances", "Resource": [
"arn:aws:ec2:region:account:network-interface/*" l,
"Condition": { "ArnNotEquaIs": {
"ec2:Subnet": "arn :aws:ec2:region:account:subnet/subnet-12345678"
}
}
},
{
"Effect": "A||ow",
"Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:region::image/ami-*",
"arn:aws:ec2:region:account:network-interface/*", "arn:aws:ec2:region:account:instance/*", "arn:aws:ec2:region:account:subnet/*", "arn:aws:ec2:region:account:voIume/*", "arn:aws:ec2:region:account:key-pair/*", "arn:aws:ec2:region:account:security-group/*"
}
}
What does Amazon EC2 provide?
Correct Answer:A