
Amazon DOP-C02 - AWS Certified DevOps Engineer- Professional Certification Exam

Question #1 (Topic: demo questions)

A company has multiple accounts in an organization in AWS Organizations. The company's
SecOps team needs to receive an Amazon Simple Notification Service (Amazon SNS)
notification if any account in the organization turns off the Block Public Access feature on
an Amazon S3 bucket. A DevOps engineer must implement this change without affecting
the operation of any AWS accounts. The implementation must ensure that individual
member accounts in the organization cannot turn off the notification. Which solution will
meet these requirements?

A.
Designate an account to be the delegated Amazon GuardDuty administrator account.
Turn on GuardDuty for all accounts across the organization. In the GuardDuty administrator
account, create an SNS topic. Subscribe the SecOps team's email address to the SNS topic. In the same
account, create an Amazon EventBridge rule that uses an event pattern for GuardDuty findings and a
target of the SNS topic.
B.
Create an AWS CloudFormation template that creates an SNS topic and subscribes the
SecOps team's email address to the SNS topic. In the template, include an Amazon EventBridge rule
that uses an event pattern of CloudTrail activity for s3:PutBucketPublicAccessBlock and a target of
the SNS topic. Deploy the stack to every account in the organization by using CloudFormation
StackSets.
C.
Turn on AWS Config across the organization. In the delegated administrator account, create an SNS
topic. Subscribe the SecOps team's email address to the SNS topic. Deploy a conformance pack that
uses the s3-bucket-level-public-access-prohibited AWS Config managed rule in each account and
uses an AWS Systems Manager document to publish an event to the SNS topic to notify the SecOps
team.
D.
Turn on Amazon Inspector across the organization. In the Amazon Inspector delegated
administrator account, create an SNS topic. Subscribe the SecOps team's email address to the SNS
topic. In the same account, create an Amazon EventBridge rule that uses an event pattern for public
network exposure of the S3 bucket and publishes an event to the SNS topic to notify the SecOps
team.
Correct Answer: C
Explanation:
Amazon GuardDuty focuses primarily on threat detection and response, not on configuration
monitoring. A conformance pack is a collection of AWS Config rules and remediation actions that
can be deployed as a single entity in an account and a Region, or across an organization in AWS
Organizations.
Question #2 (Topic: demo questions)

A company has an organization in AWS Organizations. The organization includes workload accounts
that contain enterprise applications. The company centrally manages users from an operations
account. No users can be created in the workload accounts. The company recently added an
operations team and must provide the operations team members with administrator access to each
workload account.
Which combination of actions will provide this access? (Choose three.)

A.
Create a SysAdmin role in the operations account. Attach the AdministratorAccess policy to the
role. Modify the trust relationship to allow the sts:AssumeRole action from the workload accounts.

B.
Create a SysAdmin role in each workload account. Attach the AdministratorAccess policy to the
role. Modify the trust relationship to allow the sts:AssumeRole action from the operations account.

C.
Create an Amazon Cognito identity pool in the operations account. Attach the SysAdmin role as an
authenticated role.

D.
In the operations account, create an IAM user for each operations team member.

E.
In the operations account, create an IAM user group that is named SysAdmins. Add an IAM policy
that allows the sts:AssumeRole action for the SysAdmin role in each workload account. Add all
operations team members to the group.

F.
Create an Amazon Cognito user pool in the operations account. Create an Amazon Cognito user for
each operations team member.
Correct Answer: B, D, E
Explanation:

Since the company manages users centrally in the operations account and does not allow users in workload accounts, the proper AWS cross-account access design is to create an IAM user for each operations team member in the operations account (D), create a SysAdmin role with the AdministratorAccess policy in each workload account and configure its trust policy to allow the operations account to assume it (B), and create a SysAdmins IAM group in the operations account with permissions to perform sts:AssumeRole on the SysAdmin roles in all workload accounts (E). This allows operations team members to authenticate once in the operations account and then assume administrator roles in the workload accounts without creating local users there, which follows AWS security best practices for centralized identity management.
Question #3 (Topic: demo questions)

A developer is maintaining a fleet of 50 Amazon EC2 Linux servers. The servers are part of an Amazon
EC2 Auto Scaling group and also use Elastic Load Balancing for load balancing.
Occasionally, some application servers are terminated after failing ELB HTTP health checks. The
developer would like to perform a root cause analysis on the issue, but the server is terminated
before the application logs can be accessed.
How can log collection be automated?


A.
Use Auto Scaling lifecycle hooks to put instances in a Pending:Wait state. Create an Amazon
CloudWatch alarm for EC2 Instance Terminate Successful and trigger an AWS Lambda function that
invokes an SSM Run Command script to collect logs, push them to Amazon S3, and complete the
lifecycle action once logs are collected.

B.
Use Auto Scaling lifecycle hooks to put instances in a Terminating:Wait state. Create an AWS Config
rule for EC2 Instance-terminate Lifecycle Action and trigger a step function that invokes a script to
collect logs, push them to Amazon S3, and complete the lifecycle action once logs are collected.

C.
Use Auto Scaling lifecycle hooks to put instances in a Terminating:Wait state. Create an Amazon
CloudWatch subscription filter for EC2 Instance Terminate Successful and trigger a CloudWatch agent
that invokes a script to collect logs, push them to Amazon S3, and complete the lifecycle action once
logs are collected.

D.
Use Auto Scaling lifecycle hooks to put instances in a Terminating:Wait state. Create an Amazon
EventBridge rule for EC2 Instance-terminate Lifecycle Action and trigger an AWS Lambda function
that invokes an SSM Run Command script to collect logs, push them to Amazon S3, and complete the
lifecycle action once logs are collected.
Correct Answer: D
Explanation:
When an instance in an Auto Scaling group is about to be terminated, you can use an Auto Scaling lifecycle hook to place it in the Terminating:Wait state, which delays termination and provides time to perform custom actions. An Amazon EventBridge rule can capture the EC2 Instance-terminate Lifecycle Action event and trigger an AWS Lambda function. The Lambda function can then use AWS Systems Manager (SSM) Run Command to execute a script on the instance, collect the application logs, and upload them to Amazon S3. After the logs are safely stored, the Lambda function calls CompleteLifecycleAction to allow the instance termination to proceed. This is the recommended AWS-native solution for automatically preserving logs from instances that are being terminated, making D the correct answer.
Question #4 (Topic: demo questions)

A company hosts a security auditing application in an AWS account. The auditing application uses an
IAM role to access other AWS accounts. All the accounts are in the same organization in AWS
Organizations.
A recent security audit revealed that users in the audited AWS accounts could modify or delete the
auditing application's IAM role. The company needs to prevent any modification to the auditing
application's IAM role by any entity other than a trusted administrator IAM role.
Which solution will meet these requirements?

A.
Create an SCP that includes a Deny statement for changes to the auditing application's IAM role.
Include a condition that allows the trusted administrator IAM role to make changes. Attach the SCP
to the root of the organization.

B.
Create an SCP that includes an Allow statement for changes to the auditing application's IAM role
by the trusted administrator IAM role. Include a Deny statement for changes by all other IAM
principals. Attach the SCP to the IAM service in each AWS account where the auditing application has
an IAM role.

C.
Create an IAM permissions boundary that includes a Deny statement for changes to the auditing
application's IAM role. Include a condition that allows the trusted administrator IAM role to make
changes. Attach the permissions boundary to the audited AWS accounts.

D.
Create an IAM permissions boundary that includes a Deny statement for changes to the auditing
application’s IAM role. Include a condition that allows the trusted administrator IAM role to make
changes. Attach the permissions boundary to the auditing application's IAM role in the AWS
accounts.
Correct Answer: A
Explanation:
SCPs (Service Control Policies) are the best way to restrict permissions at the organizational level.
In this case an SCP restricts modifications to the IAM role used by the auditing application while
still allowing trusted administrators to make changes to it. Options C and D are not as effective
because IAM permissions boundaries are applied to IAM entities (users, groups, and roles), not to
the account itself, and would have to be applied to every IAM entity in the account.
Question #5 (Topic: demo questions)

A company has an AWS CodePipeline pipeline that is configured with an Amazon S3 bucket in the
eu-west-1 Region. The pipeline deploys an AWS Lambda application to the same Region. The pipeline
consists of an AWS CodeBuild project build action and an AWS CloudFormation deploy action.
The CodeBuild project uses the aws cloudformation package AWS CLI command to build an artifact
that contains the Lambda function code’s .zip file and the CloudFormation template. The
CloudFormation deploy action references the CloudFormation template from the output artifact of
the CodeBuild project’s build action.
The company wants to also deploy the Lambda application to the us-east-1 Region by using the
pipeline in eu-west-1. A DevOps engineer has already updated the CodeBuild project to use the aws
cloudformation package command to produce an additional output artifact for us-east-1.
Which combination of additional steps should the DevOps engineer take to meet these
requirements? (Choose two.)

A.
Modify the CloudFormation template to include a parameter for the Lambda function code’s zip
file location. Create a new CloudFormation deploy action for us-east-1 in the pipeline. Configure the
new deploy action to pass in the us-east-1 artifact location as a parameter override.

B.
Create a new CloudFormation deploy action for us-east-1 in the pipeline. Configure the new
deploy action to use the CloudFormation template from the us-east-1 output artifact.

C.
Create an S3 bucket in us-east-1. Configure the S3 bucket policy to allow CodePipeline to have
read and write access.
D.
Create an S3 bucket in us-east-1. Configure S3 Cross-Region Replication (CRR) from the S3 bucket
in eu-west-1 to the S3 bucket in us-east-1.
E.
Modify the pipeline to include the S3 bucket for us-east-1 as an artifact store. Create a new
CloudFormation deploy action for us-east-1 in the pipeline. Configure the new deploy action to use
the CloudFormation template from the us-east-1 output artifact.
Correct Answer: A, B
Explanation:
A. The CloudFormation template should be modified to include a parameter that indicates the
location of the .zip file containing the Lambda function's code. This allows the CloudFormation
deploy action to use the correct artifact depending on the Region. This is critical because Lambda
functions need to reference their code artifacts from the same Region they are being deployed in.
B. You would also need to create a new CloudFormation deploy action for the us-east-1 Region within
the pipeline. This action should be configured to use the CloudFormation template from the artifact
that was specifically created for us-east-1.