DOP-C02 Exam Dumps : AWS Certified DevOps Engineer - Professional

 Impact of Removing FullAWSAccess and Adding Policy for EC2 Actions:

The FullAWSAccess policy allows all actions on all resources by default. Removing this policy from the Department OU will limit the permissions that accounts within this OU inherit from the parent OU.

Adding a policy that allows only Amazon EC2 API operations will restrict the permissions to EC2 actions only.

 Permissions of Administrative IAM Roles:

The administrative IAM roles in the Engineering OU have the AdministratorAccess policy attached, which grants full access to all AWS services and resources.

Since SCPs are restrictions that apply at the organizational level, removing FullAWSAccess and replacing it with a policy allowing only EC2 actions means that for all accounts in the Engineering OU:

They will have full access to EC2 actions due to the new SCP.

They will be restricted in other actions that are not covered by the SCP, hence, non-EC2 API actions will be denied.

 Conclusion:

All API actions on EC2 resources will be allowed.

All other API actions will be denied due to the absence of a broader allow policy.

 Configure AWS Systems Manager on Each Instance:

AWS Systems Manager provides a unified interface for managing AWS resources. Install the Systems Manager agent on each EC2 instance to enable inventory management and other features.

 Use AWS Systems Manager Inventory:

Systems Manager Inventory collects metadata about your instances and the software installed on them. This data includes information about applications, network configurations, and more.

Enable Systems Manager Inventory on all EC2 instances to gather detailed information about installed applications.

 Use Systems Manager Resource Data Sync to Synchronize and Store Findings in an Amazon S3 Bucket:

Resource Data Sync aggregates inventory data from multiple accounts and regions into a single S3 bucket, making it easier to query and analyze the data.

Configure Resource Data Sync to automatically transfer inventory data to an S3 bucket for centralized storage.

 Create an AWS Lambda Function that Runs When New Objects are Added to the S3 Bucket:

Use an S3 event to trigger a Lambda function whenever new inventory data is added to the S3 bucket.

The Lambda function can parse the inventory data and check for the presence of prohibited applications.

 Configure the Lambda Function to Identify Prohibited Applications:

The Lambda function should be programmed to scan the inventory data for any known prohibited applications and generate alerts or take appropriate actions if such applications are found.

Example Lambda function in Python

import json

import boto3

def lambda_handler(event, context):

s3 = boto3.client( ' s3 ' )

bucket = event[ ' Records ' ][0] [ ' s3 ' ][ ' bucket ' ][ ' name ' ]

key = event[ ' Records ' ][0] [ ' s3 ' ][ ' object ' ][ ' key ' ]

response = s3.get_object(Bucket=bucket, Key=key)

inventory_data = json.loads(response[ ' Body ' ].read().decode( ' utf-8 ' ))

prohibited_apps = [ ' app1 ' , ' app2 ' ]

for instance in inventory_data[ ' Instances ' ]:

for app in instance[ ' Applications ' ]:

if app[ ' Name ' ] in prohibited_apps:

# Send notification or take action

print(f " Prohibited application found: {app[ ' Name ' ]} on instance {instance[ ' InstanceId ' ]} " )

return { ' statusCode ' : 200, ' body ' : json.dumps( ' Check completed ' )}

By leveraging AWS Systems Manager Inventory, Resource Data Sync, and Lambda, this solution provides an efficient and automated way to audit EC2 instances for prohibited applications.