A company's security policy requires incoming SSH traffic to be restricted to a defined set of addresses. The company is using an AWS Config rule to check whether security groups allow unrestricted incoming SSH traffic.
A CloudOps engineer discovers a noncompliant resource and fixes the security group manually. The CloudOps engineer wants to automate the remediation of other noncompliant resources.
What is the MOST operationally efficient solution that meets these requirements?

1. A. Create a CloudWatch alarm for the AWS Config rule and invoke a Lambda function to remediate.
2. B. Configure an automatic remediation action on the AWS Config rule using AWS- DisableIncomingSSHOnPort22.
3. C. Create an EventBridge rule for AWS Config events and invoke a Lambda function.
4. D. Run a scheduled Lambda function to inspect and remediate security groups.

Correct Answer: B

A company runs applications on Amazon EC2 instances. The company wants to ensure that SSH ports on the EC2 instances are never open. The company has enabled AWS Config and has set up the restricted-ssh AWS managed rule.
A CloudOps engineer must implement a solution to remediate SSH port access for noncompliant security groups.
What should the engineer do to meet this requirement with the MOST operational efficiency?

1. A. Configure the AWS Config rule to identify noncompliant security group
2. B. Configure the rule to use the AWS-PublishSNSNotification AWS Systems Manager Automation runbook to send notifications about noncompliant resources.
3. C. Configure the AWS Config rule to identify noncompliant security group
4. D. Configure the rule to use the AWS-DisableIncomingSSHOnPort22 AWS Systems Manager Automation runbook to remediate noncompliant resources.
5. E. Make an AWS Config API call to search for noncompliant security group
6. F. Disable SSH access for noncompliant security groups by using a Deny rule.
7. G. Configure the AWS Config rule to identify noncompliant security group
8. H. Manually update each noncompliant security group to remove the Allow rule.

Correct Answer: B

A company has a microservice that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). A CloudOps engineer must use Amazon Route 53 to create a record that maps the ALB URL to example.com.
Which type of Route 53 record will meet this requirement?

1. A. An A record
2. B. An AAAA record
3. C. An alias record
4. D. A CNAME record

Correct Answer: C

A company plans to run a public web application on Amazon EC2 instances behind an Elastic Load Balancing (ELB) load balancer. The company??s security team wants to protect the website by using AWS Certificate Manager (ACM) certificates. The load balancer must automatically redirect any HTTP requests to HTTPS.
Which solution will meet these requirements?

1. A. Create an Application Load Balancer that has one HTTPS listener on port 80. Attach an SSL/TLS certificate to port 80.
2. B. Create an Application Load Balancer that has one HTTP listener on port 80 and one HTTPS listener on port 443. Attach an SSL/TLS certificate to port 443. Create a rule to redirect requests from port 80 to port 443.
3. C. Create an Application Load Balancer that has two TCP listeners on ports 80 and 443. Attach an SSL/TLS certificate to port 443.
4. D. Create a Network Load Balancer with TCP listeners on ports 80 and 443. Attach an SSL/TLS certificate to port 443.

Correct Answer: B

A company runs a retail website on multiple Amazon EC2 instances behind an Application Load Balancer (ALB). The company must secure traffic to the website over an HTTPS connection.
Which combination of actions should a SysOps administrator take to meet these requirements? (Select TWO.)

1. A. Attach the certificate to each EC2 instance.
2. B. Attach the certificate to the ALB.
3. C. Create a private certificate in AWS Certificate Manager (ACM).
4. D. Create a public certificate in AWS Certificate Manager (ACM).
5. E. Export the certificate, and attach it to the website.

Correct Answer: BD