4.3.5. Sample Questions - Domain 5: Incident & Event Response
Question 1:
A company uses AWS Lambda functions for processing real-time data streams. They need to implement a mechanism to automatically trigger a Lambda function whenever new data arrives in an Amazon S3 bucket. Which AWS service should be configured to achieve this event-driven invocation?
A) Amazon SQS
B) Amazon SNS
C) Amazon EventBridge
D) S3 Event Notifications
Correct Answer: D
Explanation:
- D) S3 Event Notifications: Amazon S3 can be configured to send notifications to various destinations (including Lambda functions, SQS queues, or SNS topics) when certain events occur in a bucket, such as s3:ObjectCreated:*. This is the most direct and native way to trigger a Lambda function in response to new objects being uploaded to an S3 bucket, aligning with the First Principle of Event-Driven Architecture and Loose Coupling.
Question 2:
A DevOps team wants to automate the remediation of non-compliant AWS resources. For example, if an S3 bucket is created without encryption enabled, they want a Lambda function to automatically enable default encryption on that bucket. Which AWS service combination can be used to detect this non-compliance and trigger the automated remediation?
A) AWS CloudTrail and Amazon SNS
B) AWS Config and AWS Lambda
C) Amazon CloudWatch and AWS Systems Manager
D) AWS Security Hub and Amazon SQS
Correct Answer: B
Explanation:
- B) AWS Config and AWS Lambda: AWS Config continuously monitors and records your AWS resource configurations and evaluates them against desired configurations using Config Rules. When a resource is found to be non-compliant (e.g., an S3 bucket without encryption), AWS Config can trigger an AWS Lambda function to perform automated remediation actions, such as enabling encryption. This aligns with the First Principle of Automated Governance and Compliance as Code.
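A sketch of the remediation function from Question 2, added here as an illustration and not part of the original question set. It assumes the function is invoked with a "Config Rules Compliance Change" event; the bucket name, rule name, and the injectable s3 parameter are hypothetical.

```python
# Added example: remediation Lambda for an S3 bucket flagged by AWS Config.
# Assumption: invoked with a "Config Rules Compliance Change" event.
RULE_NAME = "example-encryption-rule"  # placeholder rule name

# Constructed sample event (bucket and rule names are placeholders).
SAMPLE_EVENT = {
    "detail-type": "Config Rules Compliance Change",
    "detail": {
        "resourceType": "AWS::S3::Bucket",
        "resourceId": "example-bucket",
        "configRuleName": RULE_NAME,
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
    },
}

SSE_S3 = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}


def current_algorithm(s3, bucket):
    """Return the bucket's default SSE algorithm, or None if none is set."""
    try:
        cfg = s3.get_bucket_encryption(Bucket=bucket)
    except Exception as exc:  # botocore ClientError carries a .response dict
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "ServerSideEncryptionConfigurationNotFoundError":
            return None
        raise
    rules = cfg["ServerSideEncryptionConfiguration"]["Rules"]
    return rules[0]["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"]


def handler(event, context, s3=None):
    detail = event.get("detail", {})
    result = detail.get("newEvaluationResult", {})
    if (detail.get("resourceType") != "AWS::S3::Bucket"
            or detail.get("configRuleName") != RULE_NAME
            or result.get("complianceType") != "NON_COMPLIANT"):
        return {"action": "ignored"}
    bucket = detail["resourceId"]  # for S3 buckets this is the bucket name
    if s3 is None:  # real invocation: build the client lazily
        import boto3
        s3 = boto3.client("s3")
    existing = current_algorithm(s3, bucket)
    if existing:  # never overwrite a stricter setting such as aws:kms
        return {"action": "already_encrypted", "bucket": bucket, "algorithm": existing}
    s3.put_bucket_encryption(Bucket=bucket, ServerSideEncryptionConfiguration=SSE_S3)
    return {"action": "remediated", "bucket": bucket}
```

The function's execution role needs only s3:GetEncryptionConfiguration and s3:PutEncryptionConfiguration on the buckets in scope.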
