
Amazon DOP-C02 - AWS Certified DevOps Engineer - Professional Certification Exam

Question #6 (Topic: demo questions)

A company has containerized all of its in-house quality control applications. The company is running
Jenkins on Amazon EC2 instances, which require patching and upgrading. The compliance officer has
requested a DevOps engineer begin encrypting build artifacts since they contain company
intellectual property.
What should the DevOps engineer do to accomplish this in the MOST maintainable manner?


A.
Automate patching and upgrading using AWS Systems Manager on EC2 instances and encrypt
Amazon EBS volumes by default.

B.
Deploy Jenkins to an Amazon ECS cluster and copy build artifacts to an Amazon S3 bucket with
default encryption enabled.

C.
Leverage AWS CodePipeline with a build action and encrypt the artifacts using AWS Secrets
Manager.

D.
Use AWS CodeBuild with artifact encryption to replace the Jenkins instance running on EC2
instances.
Correct Answer: D
Explanation:
The following are the steps involved in accomplishing this in the most maintainable manner:
Use AWS CodeBuild with artifact encryption to replace the Jenkins instance running on EC2
instances.
Configure CodeBuild to encrypt the build artifacts using AWS Secrets Manager.
Deploy the containerized quality control applications to CodeBuild.
This approach is the most maintainable because it eliminates the need to manage Jenkins on EC2
instances. CodeBuild is a managed service, so the DevOps engineer does not need to worry about
patching or upgrading the service.
Reference: https://docs.aws.amazon.com/codebuild/latest/userguide/security-encryption.html
Build artifact encryption - CodeBuild requires access to an AWS KMS CMK in order to encrypt its build output
artifacts. By default, CodeBuild uses an AWS Key Management Service CMK for Amazon S3 in your
AWS account. If you do not want to use this CMK, you must create and configure a customer-managed
CMK. For more information, see Creating keys.
Question #7 (Topic: demo questions)

A company's DevOps engineer uses AWS Systems Manager to perform maintenance tasks
during maintenance windows. The company has a few Amazon EC2 instances that require
a restart after notifications from AWS Health. The DevOps engineer needs to implement an
automated solution to remediate these notifications. The DevOps engineer creates an
Amazon EventBridge rule. How should the DevOps engineer configure the EventBridge rule
to meet these requirements?


A.
Configure an event source of AWS Health, a service of EC2, and an event type that
indicates instance maintenance. Target a Systems Manager document to restart the EC2 instance.

B.
Configure an event source of Systems Manager and an event type that indicates a
maintenance window. Target a Systems Manager document to restart the EC2 instance.

C.
Configure an event source of AWS Health, a service of EC2, and an event type that
indicates instance maintenance. Target a newly created AWS Lambda function that registers an
automation task to restart the EC2 instance during a maintenance window.

D.
Configure an event source of EC2 and an event type that indicates instance
maintenance. Target a newly created AWS Lambda function that registers an automation task to
restart the EC2 instance.
Correct Answer: C
Explanation:
AWS Health provides real-time events and information related to your AWS infrastructure. It can be
integrated with Amazon EventBridge to act upon the health events automatically. If the maintenance
notification from AWS Health indicates that an EC2 instance requires a restart, you can set up an
EventBridge rule to respond to such events. In this case, the target of this rule would be a Lambda
function that would trigger a Systems Manager automation to restart the EC2 instance during a
maintenance window. Remember, AWS Health is the source of the events (not EC2 or Systems
Manager), and AWS Lambda can be used to execute complex remediation tasks, such as scheduling
maintenance tasks via Systems Manager.
The following are the steps involved in configuring the EventBridge rule to meet these requirements:
Configure an event source of AWS Health, a service of EC2, and an event type that indicates instance
maintenance.
Target a newly created AWS Lambda function that registers an automation task to restart the EC2
instance during a maintenance window.
The AWS Lambda function will be triggered by the event from AWS Health. The function will then
register an automation task to restart the EC2 instance during the next maintenance window.
Question #8 (Topic: demo questions)

A company uses AWS Organizations and AWS Control Tower to manage all the company's AWS
accounts. The company uses the Enterprise Support plan.
A DevOps engineer is using Account Factory for Terraform (AFT) to provision new accounts. When
new accounts are provisioned, the DevOps engineer notices that the support plan for the new
accounts is set to the Basic Support plan. The DevOps engineer needs to implement a solution to
provision the new accounts with the Enterprise Support plan.
Which solution will meet these requirements?


A.
Use an AWS Config conformance pack to deploy the account-part-of-organizations AWS Config
rule and to automatically remediate any noncompliant accounts.
B.
Create an AWS Lambda function to create a ticket for AWS Support to add the account to the
Enterprise Support plan. Grant the Lambda function the support:ResolveCase permission.
C.
Add an additional value to the control_tower_parameters input to set the AWSEnterpriseSupport
parameter as the organization's management account number.
D.
Set the aft_feature_enterprise_support feature flag to True in the AFT deployment input
configuration. Redeploy AFT and apply the changes.
Correct Answer: D
Explanation:
AWS Organizations is a service that helps to manage multiple AWS accounts. AWS Control Tower is a
service that makes it easy to set up and govern secure, compliant multi-account AWS environments.
Account Factory for Terraform (AFT) is an AWS Control Tower feature that provisions new accounts
using Terraform templates. To provision new accounts with the Enterprise Support plan, the DevOps
engineer can set the aft_feature_enterprise_support feature flag to True in the AFT deployment
input configuration. This flag enables the Enterprise Support plan for newly provisioned accounts.
Question #9 (Topic: demo questions)

A DevOps engineer is creating an AWS CloudFormation template to deploy a web service. The web
service will run on Amazon EC2 instances in a private subnet behind an Application Load Balancer
(ALB). The DevOps engineer must ensure that the service can accept requests from clients that have
IPv6 addresses.
What should the DevOps engineer do with the CloudFormation template so that IPv6 clients can
access the web service?


A.
Add an IPv6 CIDR block to the VPC and the private subnet for the EC2 instances. Create route table
entries for the IPv6 network, use EC2 instance types that support IPv6, and assign IPv6 addresses to
each EC2 instance.

B.
Assign each EC2 instance an IPv6 Elastic IP address. Create a target group, and add the EC2
instances as targets. Create a listener on port 443 of the ALB, and associate the target group with the
ALB.

C.
Replace the ALB with a Network Load Balancer (NLB). Add an IPv6 CIDR block to the VPC and
subnets for the NLB, and assign the NLB an IPv6 Elastic IP address.

D.
Add an IPv6 CIDR block to the VPC and subnets for the ALB. Create a listener on port 443, and
specify the dualstack IP address type on the ALB. Create a target group, and add the EC2 instances as
targets. Associate the target group with the ALB.
Correct Answer: D
Explanation:
The correct answer involves adding an IPv6 CIDR block to the VPC and subnets for the ALB and specifying the dualstack
IP address type on the ALB listener. This allows the ALB to listen on both IPv4 and IPv6 addresses, and
forward requests to the EC2 instances that are added as targets to the target group associated with
the ALB.
Question #10 (Topic: demo questions)

To run an application, a DevOps engineer launches an Amazon EC2 instance with public IP addresses
in a public subnet. A user data script obtains the application artifacts and installs them on the
instances upon launch. A change to the security classification of the application now requires the
instances to run with no access to the internet. While the instances launch successfully and show as
healthy, the application does not seem to be installed.
Which of the following should successfully install the application while complying with the new rule?


A.
Launch the instances in a public subnet with Elastic IP addresses attached. Once the application is
installed and running, run a script to disassociate the Elastic IP addresses afterwards.

B.
Set up a NAT gateway. Deploy the EC2 instances to a private subnet. Update the private subnet's
route table to use the NAT gateway as the default route.

C.
Publish the application artifacts to an Amazon S3 bucket and create a VPC endpoint for S3. Assign
an IAM instance profile to the EC2 instances so they can read the application artifacts from the S3
bucket.

D.
Create a security group for the application instances and allow only outbound traffic to the artifact
repository. Remove the security group rule once the install is complete.
Correct Answer: C
Explanation:
EC2 instances running in private subnets of a VPC can now have controlled access to S3 buckets,
objects, and API functions that are in the same region as the VPC. You can use an S3 bucket policy to
indicate which VPCs and which VPC Endpoints have access to your S3 buckets 1-