Nest 0 Cart
Nest Account
Popular Exams
All Categories...
Nest
Nest 0
Contact
Log In / Sign Up
Copyright 2024 © store. All rights reserved.
Home Amazon AWS Certified DevOps Engineer - Professional DOP-C02

Amazon AWS Certified DevOps Engineer - Professional DOP-C02 Exam Practice Questions (P. 2)

  • Full Access (363 questions)
  • Six months of Premium Access
  • Access to one million comments
  • Seamless ChatGPT Integration
  • Ability to download PDF files
  • Anki Flashcard files for revision
  • No Captcha & No AdSense
  • Advanced Exam Configuration
Get Contributor Access
Question #11
An ecommerce company has chosen AWS to host its new platform. The company's DevOps team has started building an AWS Control Tower landing zone. The DevOps team has set the identity store within AWS IAM Identity Center (AWS Single Sign-On) to external identity provider (IdP) and has configured SAML 2.0.
The DevOps team wants a robust permission model that applies the principle of least privilege. The model must allow the team to build and manage only the team's own resources.
Which combination of steps will meet these requirements? (Choose three.)
  1. A
    Create IAM policies that include the required permissions. Include the aws:PrincipalTag condition key.
  2. B
    Create permission sets. Attach an inline policy that includes the required permissions and uses the aws:PrincipalTag condition key to scope the permissions.
  3. C
    Create a group in the IdP. Place users in the group. Assign the group to accounts and the permission sets in IAM Identity Center.
  4. D
    Create a group in the IdP. Place users in the group. Assign the group to OUs and IAM policies.
  5. E
    Enable attributes for access control in IAM Identity Center. Apply tags to users. Map the tags as key-value pairs.
  6. F
    Enable attributes for access control in IAM Identity Center. Map attributes from the IdP as key-value pairs.

Correct Answer:
ABC
chatbot-img GPT-4o - Answer
When setting up a permission model using AWS IAM Identity Center, it's essential to enforce the least privilege by meticulous management of permission sets and user grouping. By creating specific IAM policies with the aws:PrincipalTag condition key, and attaching these via inline policies in permission sets, you can finely control access according to the defined role and responsibility within your ecosystem. Moreover, integrating these policies with group assignments in your external IdP ensures that only the appropriate members have access to certain resources, aligning with your security and operational protocols. This approach leverages AWS's robust tagging and permission configuration framework effectively.

Question #12
An ecommerce company is receiving reports that its order history page is experiencing delays in reflecting the processing status of orders. The order processing system consists of an AWS Lambda function that uses reserved concurrency. The Lambda function processes order messages from an Amazon Simple Queue Service (Amazon SQS) queue and inserts processed orders into an Amazon DynamoDB table. The DynamoDB table has auto scaling enabled for read and write capacity.
Which actions should a DevOps engineer take to resolve this delay? (Choose two.)
  1. A
    Check the ApproximateAgeOfOldestMessage metric for the SQS queue. Increase the Lambda function concurrency limit.
  2. B
    Check the ApproximateAgeOfOldestMessage metnc for the SQS queue Configure a redrive policy on the SQS queue.
  3. C
    Check the NumberOfMessagesSent metric for the SQS queue. Increase the SQS queue visibility timeout.
  4. D
    Check the WriteThrottleEvents metric for the DynamoDB table. Increase the maximum write capacity units (WCUs) for the table's scaling policy.
  5. E
    Check the Throttles metric for the Lambda function. Increase the Lambda function timeout.

Correct Answer:
AD
chatbot-img GPT-4o - Answer
Actions A and D are spot on for resolving the delay issues in the order processing system. Specifically, monitoring the ApproximateAgeOfOldestMessage in the SQS queue can reveal backlog issues. If this metric is high, it suggests that increasing the Lambda function's reserved concurrency can help in processing the messages more efficiently. For action D, checking the WriteThrottleEvents metric in DynamoDB is crucial. Throttling here means that the current scaling policy isn't provisioning enough write capacity units (WCUs) to meet demand, and so, increasing the maximum WCUs will help in accommodating the spikes in write operations effectively.

Question #13
A company has a single AWS account that runs hundreds of Amazon EC2 instances in a single AWS Region. New EC2 instances are launched and terminated each hour in the account. The account also includes existing EC2 instances that have been running for longer than a week.
The company's security policy requires all running EC2 instances to use an EC2 instance profile. If an EC2 instance does not have an instance profile attached, the EC2 instance must use a default instance profile that has no IAM permissions assigned.
A DevOps engineer reviews the account and discovers EC2 instances that are running without an instance profile. During the review, the DevOps engineer also observes that new EC2 instances are being launched without an instance profile.
Which solution will ensure that an instance profile is attached to all existing and future EC2 instances in the Region?
  1. A
    Configure an Amazon EventBridge rule that reacts to EC2 RunInstances API calls. Configure the rule to invoke an AWS Lambda function to attach the default instance profile to the EC2 instances.
  2. B
    Configure the ec2-instance-profile-attached AWS Config managed rule with a trigger type of configuration changes. Configure an automatic remediation action that invokes an AWS Systems Manager Automation runbook to attach the default instance profile to the EC2 instances.
  3. C
    Configure an Amazon EventBridge rule that reacts to EC2 StartInstances API calls. Configure the rule to invoke an AWS Systems Manager Automation runbook to attach the default instance profile to the EC2 instances
  4. D
    Configure the iam-role-managed-policy-check AWS Config managed rule with a trigger type of configuration changes. Configure an automatic remediation action that invokes an AWS Lambda function to attach the default instance profile to the EC2 instances.

Correct Answer:
B
chatbot-img GPT-4o - Answer
To ensure compliance with the security policy regarding EC2 instance profiles, the use of AWS Config with the "ec2-instance-profile-attached" managed rule effectively monitors and rectifies configurations across existing and newly launched instances. Configuring this rule to trigger on configuration changes and linking it with a Systems Manager Automation runbook for automatic remediation provides a robust solution to apply the default instance profile to all instances missing one. This method covers both ongoing and future compliance automatically, making it highly efficient for dynamic environments.

Question #14
A DevOps engineer is building a continuous deployment pipeline for a serverless application that uses AWS Lambda functions. The company wants to reduce the customer impact of an unsuccessful deployment. The company also wants to monitor for issues.
Which deploy stage configuration will meet these requirements?
  1. A
    Use an AWS Serverless Application Model (AWS SAM) template to define the serverless application. Use AWS CodeDeploy to deploy the Lambda functions with the Canary10Percent15Minutes Deployment Preference Type. Use Amazon CloudWatch alarms to monitor the health of the functions.
  2. B
    Use AWS CloudFormation to publish a new stack update, and include Amazon CloudWatch alarms on all resources. Set up an AWS CodePipeline approval action for a developer to verify and approve the AWS CloudFormation change set.
  3. C
    Use AWS CloudFormation to publish a new version on every stack update, and include Amazon CloudWatch alarms on all resources. Use the RoutingConfig property of the AWS::Lambda::Alias resource to update the traffic routing during the stack update.
  4. D
    Use AWS CodeBuild to add sample event payloads for testing to the Lambda functions. Publish a new version of the functions, and include Amazon CloudWatch alarms. Update the production alias to point to the new version. Configure rollbacks to occur when an alarm is in the ALARM state.

Correct Answer:
A
chatbot-img GPT-4o - Answer
The configuration provided in option A effectively addresses the requirement for minimizing customer impact during deployment of serverless applications. By using AWS CodeDeploy's Canary deployment strategy, specifically Canary10Percent15Minutes, only a small percentage of traffic is routed to the new version initially. This strategy allows careful monitoring and quick rollback if issues arise, thereby limiting any negative impact. In addition, utilizing Amazon CloudWatch alarms enables real-time monitoring of the functions' performance, ensuring any deployment issues are detected and addressed swiftly. This combination makes it a comprehensive solution for the needs outlined.

Question #15
To run an application, a DevOps engineer launches an Amazon EC2 instance with public IP addresses in a public subnet. A user data script obtains the application artifacts and installs them on the instances upon launch. A change to the security classification of the application now requires the instances to run with no access to the internet. While the instances launch successfully and show as healthy, the application does not seem to be installed.
Which of the following should successfully install the application while complying with the new rule?
  1. A
    Launch the instances in a public subnet with Elastic IP addresses attached. Once the application is installed and running, run a script to disassociate the Elastic IP addresses afterwards.
  2. B
    Set up a NAT gateway. Deploy the EC2 instances to a private subnet. Update the private subnet's route table to use the NAT gateway as the default route.
  3. C
    Publish the application artifacts to an Amazon S3 bucket and create a VPC endpoint for S3. Assign an IAM instance profile to the EC2 instances so they can read the application artifacts from the S3 bucket.
  4. D
    Create a security group for the application instances and allow only outbound traffic to the artifact repository. Remove the security group rule once the install is complete.

Correct Answer:
C
chatbot-img GPT-4o - Answer
Option C is the most effective solution when application installations must occur without internet access. By creating a VPC endpoint for S3, EC2 instances in a restricted subnet can directly access necessary S3-stored artifacts without requiring internet connectivity. This approach not only adheres to tightened security protocols but also leverages AWS services efficiently to ensure that applications deploy successfully under stringent access controls. This method avoids unnecessary exposure to the internet and embodies optimal use of cloud architecture for secure, isolated environments.

Question #16
A development team is using AWS CodeCommit to version control application code and AWS CodePipeline to orchestrate software deployments. The team has decided to use a remote main branch as the trigger for the pipeline to integrate code changes. A developer has pushed code changes to the CodeCommit repository, but noticed that the pipeline had no reaction, even after 10 minutes.
Which of the following actions should be taken to troubleshoot this issue?
  1. A
    Check that an Amazon EventBridge rule has been created for the main branch to trigger the pipeline.
  2. B
    Check that the CodePipeline service role has permission to access the CodeCommit repository.
  3. C
    Check that the developer’s IAM role has permission to push to the CodeCommit repository.
  4. D
    Check to see if the pipeline failed to start because of CodeCommit errors in Amazon CloudWatch Logs.

Correct Answer:
A

Question #17
A company's developers use Amazon EC2 instances as remote workstations. The company is concerned that users can create or modify EC2 security groups to allow unrestricted inbound access.
A DevOps engineer needs to develop a solution to detect when users create unrestricted security group rules. The solution must detect changes to security group rules in near real time, remove unrestricted rules, and send email notifications to the security team. The DevOps engineer has created an AWS Lambda function that checks for security group ID from input, removes rules that grant unrestricted access, and sends notifications through Amazon Simple Notification Service (Amazon SNS).
What should the DevOps engineer do next to meet the requirements?
  1. A
    Configure the Lambda function to be invoked by the SNS topic. Create an AWS CloudTrail subscription for the SNS topic. Configure a subscription filter for security group modification events.
  2. B
    Create an Amazon EventBridge scheduled rule to invoke the Lambda function. Define a schedule pattern that runs the Lambda function every hour.
  3. C
    Create an Amazon EventBridge event rule that has the default event bus as the source. Define the rule’s event pattern to match EC2 security group creation and modification events. Configure the rule to invoke the Lambda function.
  4. D
    Create an Amazon EventBridge custom event bus that subscribes to events from all AWS services. Configure the Lambda function to be invoked by the custom event bus.

Correct Answer:
C

Question #18
A DevOps engineer is creating an AWS CloudFormation template to deploy a web service. The web service will run on Amazon EC2 instances in a private subnet behind an Application Load Balancer (ALB). The DevOps engineer must ensure that the service can accept requests from clients that have IPv6 addresses.
What should the DevOps engineer do with the CloudFormation template so that IPv6 clients can access the web service?
  1. A
    Add an IPv6 CIDR block to the VPC and the private subnet for the EC2 instances. Create route table entries for the IPv6 network, use EC2 instance types that support IPv6, and assign IPv6 addresses to each EC2 instance.
  2. B
    Assign each EC2 instance an IPv6 Elastic IP address. Create a target group, and add the EC2 instances as targets. Create a listener on port 443 of the ALB, and associate the target group with the ALB.
  3. C
    Replace the ALB with a Network Load Balancer (NLB). Add an IPv6 CIDR block to the VPC and subnets for the NLB, and assign the NLB an IPv6 Elastic IP address.
  4. D
    Add an IPv6 CIDR block to the VPC and subnets for the ALB. Create a listener on port 443. and specify the dualstack IP address type on the ALB. Create a target group, and add the EC2 instances as targets. Associate the target group with the ALB.

Correct Answer:
B

Question #19
A company uses AWS Organizations and AWS Control Tower to manage all the company's AWS accounts. The company uses the Enterprise Support plan.
A DevOps engineer is using Account Factory for Terraform (AFT) to provision new accounts. When new accounts are provisioned, the DevOps engineer notices that the support plan for the new accounts is set to the Basic Support plan. The DevOps engineer needs to implement a solution to provision the new accounts with the Enterprise Support plan.
Which solution will meet these requirements?
  1. A
    Use an AWS Config conformance pack to deploy the account-part-of-organizations AWS Config rule and to automatically remediate any noncompliant accounts.
  2. B
    Create an AWS Lambda function to create a ticket for AWS Support to add the account to the Enterprise Support plan. Grant the Lambda function the support:ResolveCase permission.
  3. C
    Add an additional value to the control_tower_parameters input to set the AWSEnterpriseSupport parameter as the organization's management account number.
  4. D
    Set the aft_feature_enterprise_support feature flag to True in the AFT deployment input configuration. Redeploy AFT and apply the changes.

Correct Answer:
D

Question #20
A company's DevOps engineer uses AWS Systems Manager to perform maintenance tasks during maintenance windows. The company has a few Amazon EC2 instances that require a restart after notifications from AWS Health. The DevOps engineer needs to implement an automated solution to remediate these notifications. The DevOps engineer creates an Amazon EventBridge rule.
How should the DevOps engineer configure the EventBridge rule to meet these requirements?
  1. A
    Configure an event source of AWS Health, a service of EC2. and an event type that indicates instance maintenance. Target a Systems Manager document to restart the EC2 instance.
  2. B
    Configure an event source of Systems Manager and an event type that indicates a maintenance window. Target a Systems Manager document to restart the EC2 instance.
  3. C
    Configure an event source of AWS Health, a service of EC2, and an event type that indicates instance maintenance. Target a newly created AWS Lambda function that registers an automation task to restart the EC2 instance during a maintenance window.
  4. D
    Configure an event source of EC2 and an event type that indicates instance maintenance. Target a newly created AWS Lambda function that registers an automation task to restart the EC2 instance during a maintenance window.

Correct Answer:
A

Previous Questions Next Questions

All Pages