Amazon DOP-C02 - AWS Certified DevOps Engineer- Professional Certification Exam
Question #1 (Topic: demo questions)
A company has multiple accounts in an organization in AWS Organizations. The company's
SecOps team needs to receive an Amazon Simple Notification Service (Amazon SNS)
notification if any account in the organization turns off the Block Public Access feature on
an Amazon S3 bucket. A DevOps engineer must implement this change without affecting
the operation of any AWS accounts. The implementation must ensure that individual
member accounts in the organization cannot turn off the notification. Which solution will
meet these requirements?
Correct Answer: C
Explanation:
Amazon GuardDuty is primarily focused on threat detection and response, not configuration
monitoring. A conformance pack is a collection of AWS Config rules and remediation actions that can
be easily deployed as a single entity in an account and a Region, or across an organization in AWS
Organizations.
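Added example (not from the exam page or AWS documentation) of how the pieces fit together, assuming the chosen answer is an AWS Config managed rule delivered through an organization conformance pack, with an EventBridge rule that forwards NON_COMPLIANT evaluations of that rule to the SecOps SNS topic. The conformance pack template is shown as a Python dict (it is deployed as YAML or JSON), and a small matcher implements just the subset of EventBridge pattern syntax the pattern uses so the filter can be exercised offline against constructed events. Rule name, account ID and bucket name are placeholders.

```python
import json

# Conformance pack template declaring the AWS managed rule that flags buckets
# whose Block Public Access settings are turned off.  Deploying this as an
# organization conformance pack (from the management or delegated admin account)
# is what keeps individual member accounts from deleting the rule.
CONFORMANCE_PACK_TEMPLATE = {
    "Resources": {
        "S3BucketLevelPublicAccessProhibited": {
            "Type": "AWS::Config::ConfigRule",
            "Properties": {
                "ConfigRuleName": "s3-bucket-level-public-access-prohibited",  # assumed name
                "Source": {"Owner": "AWS",
                           "SourceIdentifier": "S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED"},
                "Scope": {"ComplianceResourceTypes": ["AWS::S3::Bucket"]},
            },
        }
    }
}

# EventBridge event pattern: fire only when that rule reports NON_COMPLIANT.
# The rule's target would be the SecOps SNS topic.
EVENT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "configRuleName": ["s3-bucket-level-public-access-prohibited"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}


def matches(pattern, event):
    """Minimal EventBridge matcher: every pattern key must exist in the event,
    nested dicts recurse, and a leaf list is a set of exact-match alternatives.
    Only the pattern features used above are implemented."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def sample_event(compliance, rule="s3-bucket-level-public-access-prohibited"):
    """Constructed event shaped like a Config Rules Compliance Change event."""
    return {
        "source": "aws.config",
        "detail-type": "Config Rules Compliance Change",
        "account": "111122223333",
        "region": "eu-west-1",
        "detail": {
            "resourceId": "example-bucket",
            "resourceType": "AWS::S3::Bucket",
            "configRuleName": rule,
            "newEvaluationResult": {"complianceType": compliance},
        },
    }


def should_notify(event):
    """True if the event would reach the SNS target through EVENT_PATTERN."""
    return matches(EVENT_PATTERN, event)


if __name__ == "__main__":
    print(json.dumps(CONFORMANCE_PACK_TEMPLATE, indent=2))
    print(should_notify(sample_event("NON_COMPLIANT")), should_notify(sample_event("COMPLIANT")))
```

The pattern deliberately matches on `newEvaluationResult.complianceType` rather than on every evaluation, so a bucket returning to COMPLIANT does not page SecOps. The EventBridge rule and SNS topic live in the account that owns the conformance pack deployment, so member accounts have nothing local to switch off.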
Question #2 (Topic: demo questions)
A company has an organization in AWS Organizations. The organization includes workload accounts
that contain enterprise applications. The company centrally manages users from an operations
account. No users can be created in the workload accounts. The company recently added an
operations team and must provide the operations team members with administrator access to each
workload account.
Which combination of actions will provide this access? (Choose three.)
Correct Answer: B, D, E
Explanation:
Question #3 (Topic: demo questions)
A developer is maintaining a fleet of 50 Amazon EC2 Linux servers. The servers are part of an Amazon
EC2 Auto Scaling group, and also use Elastic Load Balancing for load balancing.
Occasionally, some application servers are being terminated after failing ELB HTTP health checks. The
developer would like to perform a root cause analysis on the issue, but before being able to access
application logs, the server is terminated.
How can log collection be automated?
Correct Answer: D
Explanation:
When an instance in an Auto Scaling group is about to be terminated, you can use an Auto Scaling lifecycle hook to place it in the Terminating:Wait state, which delays termination and provides time to perform custom actions. An Amazon EventBridge rule can capture the EC2 Instance-terminate Lifecycle Action event and trigger an AWS Lambda function. The Lambda function can then use AWS Systems Manager (SSM) Run Command to execute a script on the instance, collect the application logs, and upload them to Amazon S3. After the logs are safely stored, the Lambda function calls CompleteLifecycleAction to allow the instance termination to proceed. This is the recommended AWS-native solution for automatically preserving logs from instances that are being terminated, making D the correct answer.
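Added example (not code from the exam page or from AWS) of the Lambda function described above. It parses the EC2 Instance-terminate Lifecycle Action event, runs a log-archiving script on the instance through SSM Run Command (`AWS-RunShellScript`), polls the invocation, and then calls CompleteLifecycleAction in a `finally` block so the instance is released even when collection fails. The bucket name, log directory, hook name and sample event are constructed placeholders; the boto3 clients are injectable so the logic can be run offline against the fake clients at the bottom.

```python
"""Lifecycle-hook log collector: added example, not code from the exam page.
Bucket, log directory and the sample event are constructed placeholders.
Flow: instance enters Terminating:Wait -> EventBridge delivers the lifecycle event
-> SSM Run Command archives the logs to S3 -> CompleteLifecycleAction releases it.
"""
import time

LOG_BUCKET = "example-log-archive-bucket"  # assumed S3 bucket for archived logs
LOG_DIR = "/var/log/app"                   # assumed application log directory

def parse_lifecycle_event(event):
    """Pull the fields CompleteLifecycleAction needs out of the EventBridge event."""
    if (event.get("source") != "aws.autoscaling"
            or event.get("detail-type") != "EC2 Instance-terminate Lifecycle Action"):
        raise ValueError("not an EC2 Instance-terminate Lifecycle Action event")
    d = event["detail"]
    return {"instance_id": d["EC2InstanceId"], "asg_name": d["AutoScalingGroupName"],
            "hook_name": d["LifecycleHookName"], "token": d["LifecycleActionToken"]}

def build_log_upload_commands(instance_id, bucket=LOG_BUCKET, log_dir=LOG_DIR):
    """Shell lines for AWS-RunShellScript: archive the log directory and copy it
    to S3 under a prefix named after the instance."""
    archive = f"/tmp/{instance_id}-logs.tar.gz"
    return [f"tar -czf {archive} -C {log_dir} .",
            f"aws s3 cp {archive} s3://{bucket}/{instance_id}/$(date -u +%Y%m%dT%H%M%SZ).tar.gz"]

def collect_logs(ssm, instance_id, commands, poll_seconds=5, max_wait=240):
    """Run the commands through SSM and poll until the invocation finishes.
    Returns the SSM status string ('Success', 'Failed', 'TimedOut', ...)."""
    resp = ssm.send_command(InstanceIds=[instance_id], DocumentName="AWS-RunShellScript",
                            Parameters={"commands": commands}, TimeoutSeconds=max_wait)
    command_id = resp["Command"]["CommandId"]
    deadline = time.time() + max_wait
    while time.time() < deadline:
        # list_command_invocations returns an empty list (no exception) until the
        # invocation record exists, so it is safe to poll right after send_command.
        invs = ssm.list_command_invocations(CommandId=command_id, InstanceId=instance_id)
        for inv in invs["CommandInvocations"]:
            if inv["Status"] not in ("Pending", "InProgress", "Delayed"):
                return inv["Status"]
        time.sleep(poll_seconds)
    return "TimedOut"

def lambda_handler(event, context, ssm=None, autoscaling=None):
    """Lambda entry point.  Clients are injectable for offline testing; in Lambda
    they default to real boto3 clients (imported lazily)."""
    if ssm is None or autoscaling is None:
        import boto3
        ssm = ssm or boto3.client("ssm")
        autoscaling = autoscaling or boto3.client("autoscaling")
    info = parse_lifecycle_event(event)
    status = "NotRun"
    try:
        status = collect_logs(ssm, info["instance_id"],
                              build_log_upload_commands(info["instance_id"]))
    finally:
        # Always release the instance, even if log collection failed; otherwise it
        # sits in Terminating:Wait until the hook's heartbeat timeout expires.
        autoscaling.complete_lifecycle_action(
            LifecycleHookName=info["hook_name"], AutoScalingGroupName=info["asg_name"],
            LifecycleActionToken=info["token"], InstanceId=info["instance_id"],
            LifecycleActionResult="CONTINUE")
    return {"instance_id": info["instance_id"], "log_collection": status}

# ---- constructed sample event and fake clients for an offline dry run ----
SAMPLE_EVENT = {
    "source": "aws.autoscaling",
    "detail-type": "EC2 Instance-terminate Lifecycle Action",
    "detail": {"LifecycleActionToken": "11111111-2222-3333-4444-555555555555",
               "AutoScalingGroupName": "app-asg",
               "LifecycleHookName": "collect-logs-before-terminate",
               "EC2InstanceId": "i-0123456789abcdef0",
               "LifecycleTransition": "autoscaling:EC2_INSTANCE_TERMINATING"},
}

class FakeSSM:
    """Records send_command calls and reports the invocation as finished at once."""
    def __init__(self):
        self.sent = []
    def send_command(self, **kwargs):
        self.sent.append(kwargs)
        return {"Command": {"CommandId": "cmd-1"}}
    def list_command_invocations(self, **kwargs):
        return {"CommandInvocations": [{"Status": "Success"}]}

class FakeAutoScaling:
    def __init__(self):
        self.completed = []
    def complete_lifecycle_action(self, **kwargs):
        self.completed.append(kwargs)
        return {}

def dry_run():
    """Offline run against the fakes: returns (handler result, SSM calls, ASG calls)."""
    ssm, asg = FakeSSM(), FakeAutoScaling()
    return lambda_handler(SAMPLE_EVENT, None, ssm=ssm, autoscaling=asg), ssm.sent, asg.completed

if __name__ == "__main__":
    print(dry_run()[0])
```

Two practical points the exam answer leaves implicit: the instance role needs `s3:PutObject` on the archive bucket and the SSM agent must be registered, and the hook's heartbeat timeout must be longer than `max_wait` (or the function must call RecordLifecycleActionHeartbeat), otherwise Auto Scaling applies the hook's default result before the upload finishes.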
Question #4 (Topic: demo questions)
A company hosts a security auditing application in an AWS account. The auditing application uses an
IAM role to access other AWS accounts. All the accounts are in the same organization in AWS
Organizations.
A recent security audit revealed that users in the audited AWS accounts could modify or delete the
auditing application's IAM role. The company needs to prevent any modification to the auditing
application's IAM role by any entity other than a trusted administrator IAM role.
Which solution will meet these requirements?
Correct Answer: A
Explanation:
SCPs (Service Control Policies) are the best way to restrict permissions at the organizational level.
In this case an SCP would deny modifications to the IAM role used by the auditing application while
still allowing the trusted administrator role to make changes to it. Options C and D are not as
effective because IAM permission boundaries are applied to IAM entities (users, groups, and roles),
not to the account itself, and would have to be applied to every IAM entity in the account.
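Added example (not from the exam page or AWS) of the SCP this answer describes, expressed as a Python dict together with a small evaluator that implements just enough of the policy language (Deny statements, `*` wildcards in Action and Resource, and a `StringNotLike` condition on `aws:PrincipalArn`) to show which principals are blocked. The role names and account ID are constructed placeholders.

```python
from fnmatch import fnmatchcase

# Assumed names.  aws:PrincipalArn for a role session is the IAM role ARN, so a
# single role pattern covers every session of the trusted admin role.
AUDIT_ROLE_ARN = "arn:aws:iam::*:role/SecurityAuditRole"
TRUSTED_ADMIN_ARN = "arn:aws:iam::*:role/TrustedAdminRole"

PROTECT_AUDIT_ROLE_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAuditRoleModification",
        "Effect": "Deny",
        "Action": [
            "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:PutRolePolicy",
            "iam:DeleteRolePolicy", "iam:DeleteRole", "iam:UpdateRole",
            "iam:UpdateRoleDescription", "iam:UpdateAssumeRolePolicy",
            "iam:PutRolePermissionsBoundary", "iam:DeleteRolePermissionsBoundary",
            "iam:TagRole", "iam:UntagRole",
        ],
        "Resource": AUDIT_ROLE_ARN,
        # Everyone except the trusted admin role is denied.
        "Condition": {"StringNotLike": {"aws:PrincipalArn": TRUSTED_ADMIN_ARN}},
    }],
}


def _matches_any(value, patterns):
    """IAM-style wildcard match (* and ?) against one pattern or a list."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def scp_denies(policy, principal_arn, action, resource_arn):
    """True if a Deny statement in the SCP applies to this request.  Action
    names are compared case-sensitively here; IAM compares them case-insensitively."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not _matches_any(action, stmt["Action"]):
            continue
        if not _matches_any(resource_arn, stmt["Resource"]):
            continue
        exempt = stmt.get("Condition", {}).get("StringNotLike", {}).get("aws:PrincipalArn")
        if exempt is not None and _matches_any(principal_arn, exempt):
            continue  # condition is false for this principal, statement does not apply
        return True
    return False


if __name__ == "__main__":
    audited = "arn:aws:iam::111122223333:role/SecurityAuditRole"
    for who in ("arn:aws:iam::111122223333:role/Developer",
                "arn:aws:iam::111122223333:role/TrustedAdminRole"):
        print(who, "denied:", scp_denies(PROTECT_AUDIT_ROLE_SCP, who, "iam:DeleteRole", audited))
```

Attach the SCP to the OU (or root) that contains the audited accounts. Two caveats a practitioner should keep in mind: SCPs never apply to the management account, so the auditing role should not be expected to be protected there, and an SCP only removes permissions, so the trusted admin role still needs the `iam:*` permissions in its own policy.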
Question #5 (Topic: demo questions)
A company has an AWS CodePipeline pipeline that is configured with an Amazon S3 bucket in the eu-west-1 Region. The pipeline deploys an AWS Lambda application to the same Region. The pipeline
consists of an AWS CodeBuild project build action and an AWS CloudFormation deploy action.
The CodeBuild project uses the aws cloudformation package AWS CLI command to build an artifact
that contains the Lambda function code’s .zip file and the CloudFormation template. The
CloudFormation deploy action references the CloudFormation template from the output artifact of
the CodeBuild project’s build action.
The company wants to also deploy the Lambda application to the us-east-1 Region by using the
pipeline in eu-west-1. A DevOps engineer has already updated the CodeBuild project to use the aws
cloudformation package command to produce an additional output artifact for us-east-1.
Which combination of additional steps should the DevOps engineer take to meet these
requirements? (Choose two.)
Correct Answer: A, B
Explanation:
A) The CloudFormation template should be modified to include a parameter that indicates the