Practice Free DOP-C02 Exam Online Questions
A company is using an Amazon Aurora cluster as the data store for its application. The Aurora cluster is configured with a single DB instance. The application performs read and write operations on the database by using the cluster’s instance endpoint.
The company has scheduled an update to be applied to the cluster during an upcoming maintenance window. The cluster must remain available with the least possible interruption during the maintenance window.
What should a DevOps engineer do to meet these requirements?
- A . Add a reader instance to the Aurora cluster. Update the application to use the Aurora cluster endpoint for write operations. Update the Aurora cluster’s reader endpoint for reads.
- B . Add a reader instance to the Aurora cluster. Create a custom ANY endpoint for the cluster. Update the application to use the Aurora cluster’s custom ANY endpoint for read and write operations.
- C . Turn on the Multi-AZ option on the Aurora cluster. Update the application to use the Aurora cluster endpoint for write operations. Update the Aurora cluster’s reader endpoint for reads.
- D . Turn on the Multi-AZ option on the Aurora cluster. Create a custom ANY endpoint for the cluster. Update the application to use the Aurora cluster’s custom ANY endpoint for read and write operations.
A company is building a serverless application that uses AWS Lambda functions to process data.
A BeginResponse Lambda function initializes data in response to specific application events. The company needs to ensure that a large number of Lambda functions are invoked after the BeginResponse Lambda function runs. Each Lambda function must be invoked in parallel and depends on only the outputs of the BeginResponse Lambda function. Each Lambda function has retry logic for invocation and must be able to fine-tune concurrency without losing data.
Which solution will meet these requirements with the MOST operational efficiency?
- A . Create an Amazon Simple Notification Service (Amazon SNS) topic. Modify the BeginResponse Lambda function to publish to the SNS topic before the BeginResponse Lambda function finishes running. Subscribe all Lambda functions that need to invoke after the BeginResponse Lambda function runs to the SNS topic. Subscribe any new Lambda functions to the SNS topic.
- B . Create an Amazon Simple Queue Service (Amazon SQS) queue for each Lambda function that needs to run after the BeginResponse Lambda function runs. Subscribe each Lambda function to its own SQS queue. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe each SQS queue to the SNS topic. Modify the BeginResponse function to publish to the SNS topic when it finishes running.
- C . Create an Amazon Simple Queue Service (Amazon SQS) queue for each Lambda function that needs to run after the BeginResponse Lambda function runs. Subscribe the Lambda function to the SQS queue. Create an Amazon Simple Notification Service (Amazon SNS) topic for each SQS queue. Subscribe the SQS queues to the SNS topics. Modify the BeginResponse function to publish to the SNS topics when the function finishes running.
- D . Create an AWS Step Functions Standard Workflow. Configure states in the workflow to invoke the Lambda functions sequentially. Create an Amazon Simple Notification Service (Amazon SNS) topic. Modify the BeginResponse Lambda function to publish to the SNS topic before the Lambda function finishes running. Create a new Lambda function that is subscribed to the SNS topic and that invokes the Step Functions workflow.
B
Explanation:
To invoke many Lambda functions in parallel and allow each function to have independent retry logic and concurrency management, using SQS queues for each Lambda function is recommended.
The BeginResponse Lambda publishes a message to an SNS topic, which fans out to multiple SQS queues (one per Lambda).
Each Lambda function polls its own SQS queue, allowing fine-grained control of concurrency and retry behavior.
SNS alone (Option A) invokes the Lambda functions directly but lacks the queue’s buffering and retry durability. Step Functions (Option D) would invoke the Lambda functions sequentially, not in parallel, and adds complexity.
Option C creates a separate SNS topic for every SQS queue, so the BeginResponse function has to publish to each topic individually, which is inefficient.
References:
Using SNS with SQS for fan-out and Lambda processing
Lambda retry behavior with SQS triggers
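The consumer side of the Option B fan-out (SNS topic, one SQS queue per function, each Lambda polling its own queue), as an added example that is not part of the exam page. It unwraps the SNS envelope that SQS delivers and returns the partial-batch-failure response so that only the failed message is retried; the topic ARN, account number and payload fields are constructed placeholders, and the event source mapping is assumed to be configured with ReportBatchItemFailures.

```python
"""Downstream Lambda in the SNS -> SQS -> Lambda fan-out (added example, not from the page)."""
import json
from typing import Any


def unwrap_sns_envelope(sqs_body: str) -> dict[str, Any]:
    """An SQS queue subscribed to SNS (raw message delivery off) receives the SNS
    envelope as the SQS body; BeginResponse's output sits in the envelope's Message field."""
    envelope = json.loads(sqs_body)
    if envelope.get("Type") != "Notification" or "Message" not in envelope:
        raise ValueError("not an SNS notification envelope")
    return json.loads(envelope["Message"])


def process_output(payload: dict[str, Any]) -> str:
    """Placeholder business logic that depends only on BeginResponse's output (constructed)."""
    if "responseId" not in payload:
        raise ValueError("missing responseId")
    return f"processed {payload['responseId']}"


def handler(event: dict[str, Any], context: Any = None) -> dict[str, Any]:
    """SQS-triggered entry point. With ReportBatchItemFailures enabled on the event source
    mapping, the messageIds returned here stay on the queue for retry; all other records
    in the batch are deleted, so one bad message does not force a whole-batch reprocess."""
    failures = []
    for record in event.get("Records", []):
        try:
            process_output(unwrap_sns_envelope(record["body"]))
        except (ValueError, KeyError):  # json.JSONDecodeError is a ValueError
            # Report only this message; SQS retries it and moves it to the DLQ
            # once maxReceiveCount is exceeded, so nothing is lost.
            failures.append({"itemIdentifier": record["messageId"]})
    return {"batchItemFailures": failures}


def sns_to_sqs_record(message_id: str, message: dict[str, Any]) -> dict[str, Any]:
    """Constructed sample SQS record carrying an SNS envelope (placeholder ARN)."""
    envelope = {
        "Type": "Notification",
        "TopicArn": "arn:aws:sns:us-east-1:123456789012:begin-response-done",
        "Message": json.dumps(message),
    }
    return {"messageId": message_id, "body": json.dumps(envelope)}


if __name__ == "__main__":
    sample_event = {"Records": [sns_to_sqs_record("m1", {"responseId": "r-1"}),
                                sns_to_sqs_record("m2", {"unexpected": True})]}
    print(handler(sample_event))  # only m2 is reported for retry
```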
A company uses AWS Key Management Service (AWS KMS) keys and manual key rotation to meet regulatory compliance requirements. The security team wants to be notified when any keys have not been rotated after 90 days.
Which solution will accomplish this?
- A . Configure AWS KMS to publish to an Amazon Simple Notification Service (Amazon SNS) topic when keys are more than 90 days old.
- B . Configure an Amazon EventBridge event to launch an AWS Lambda function to call the AWS Trusted Advisor API and publish to an Amazon Simple Notification Service (Amazon SNS) topic.
- C . Develop an AWS Config custom rule that publishes to an Amazon Simple Notification Service (Amazon SNS) topic when keys are more than 90 days old.
- D . Configure AWS Security Hub to publish to an Amazon Simple Notification Service (Amazon SNS) topic when keys are more than 90 days old.
To run an application, a DevOps engineer launches an Amazon EC2 instance with public IP addresses in a public subnet. A user data script obtains the application artifacts and installs them on the instances upon launch. A change to the security classification of the application now requires the instances to run with no access to the internet. While the instances launch successfully and show as healthy, the application does not seem to be installed.
Which of the following should successfully install the application while complying with the new rule?
- A . Launch the instances in a public subnet with Elastic IP addresses attached. Once the application is installed and running, run a script to disassociate the Elastic IP addresses afterwards.
- B . Set up a NAT gateway. Deploy the EC2 instances to a private subnet. Update the private subnet’s route table to use the NAT gateway as the default route.
- C . Publish the application artifacts to an Amazon S3 bucket and create a VPC endpoint for S3. Assign an IAM instance profile to the EC2 instances so they can read the application artifacts from the S3 bucket.
- D . Create a security group for the application instances and allow only outbound traffic to the artifact repository. Remove the security group rule once the install is complete.
A company has a guideline that every Amazon EC2 instance must be launched from an AMI that the company’s security team produces. Every month the security team sends an email message with the latest approved AMIs to all the development teams.
The development teams use AWS CloudFormation to deploy their applications. When developers launch a new service they have to search their email for the latest AMIs that the security department sent. A DevOps engineer wants to automate the process that the security team uses to provide the AMI IDs to the development teams.
What is the MOST scalable solution that meets these requirements?
- A . Direct the security team to use CloudFormation to create new versions of the AMIs and to list the AMI ARNs in an encrypted Amazon S3 object as part of the stack’s Outputs section. Instruct the developers to use a cross-stack reference to load the encrypted S3 object and obtain the most recent AMI ARNs.
- B . Direct the security team to use a CloudFormation stack to create an AWS CodePipeline pipeline that builds new AMIs and places the latest AMI ARNs in an encrypted Amazon S3 object as part of the pipeline output. Instruct the developers to use a cross-stack reference within their own CloudFormation template to obtain the S3 object location and the most recent AMI ARNs.
- C . Direct the security team to use Amazon EC2 Image Builder to create new AMIs and to place the AMI ARNs as parameters in AWS Systems Manager Parameter Store. Instruct the developers to specify a parameter of type SSM in their CloudFormation stack to obtain the most recent AMI ARNs from Parameter Store.
- D . Direct the security team to use Amazon EC2 Image Builder to create new AMIs and to create an Amazon Simple Notification Service (Amazon SNS) topic so that every development team can receive notifications. When the development teams receive a notification, instruct them to write an AWS Lambda function that will update their CloudFormation stack with the most recent AMI ARNs.
C
Explanation:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html
A company’s EC2 fleet must maintain up-to-date security patches and compliance reporting.
Which solution meets these requirements?
- A . Use Systems Manager Patch Manager with AWS Config compliance rules and automation documents.
- B . SSH into each instance manually.
- C . Rebuild instances in Auto Scaling groups with latest AMIs.
- D . Use CloudFormation redeployment for every patch.
A
Explanation:
AWS Systems Manager Patch Manager automates patch scanning and installation. Integrating with AWS Config enables compliance reporting and auto-remediation. This provides centralized patch compliance management per AWS Ops best practices.
A company uses Amazon RDS for all databases in its AWS accounts. The company uses AWS Control Tower to build a landing zone that has an audit and logging account. All databases must be encrypted at rest for compliance reasons. The company’s security engineer needs to receive notification about any noncompliant databases that are in the company’s accounts.
Which solution will meet these requirements with the MOST operational efficiency?
- A . Use AWS Control Tower to activate the optional detective control (guardrail) to determine whether the RDS storage is encrypted. Create an Amazon Simple Notification Service (Amazon SNS) topic in the company’s audit account. Create an Amazon EventBridge rule to filter noncompliant events from the AWS Control Tower control (guardrail) to notify the SNS topic. Subscribe the security engineer’s email address to the SNS topic.
- B . Use AWS CloudFormation StackSets to deploy AWS Lambda functions to every account. Write the Lambda function code to determine whether the RDS storage is encrypted in the account the function is deployed to. Send the findings as an Amazon CloudWatch metric to the management account. Create an Amazon Simple Notification Service (Amazon SNS) topic. Create a CloudWatch alarm that notifies the SNS topic when metric thresholds are met. Subscribe the security engineer’s email address to the SNS topic.
- C . Create a custom AWS Config rule in every account to determine whether the RDS storage is encrypted. Create an Amazon Simple Notification Service (Amazon SNS) topic in the audit account. Create an Amazon EventBridge rule to filter noncompliant events from the AWS Control Tower control (guardrail) to notify the SNS topic. Subscribe the security engineer’s email address to the SNS topic.
- D . Launch an Amazon EC2 instance. Run an hourly cron job by using the AWS CLI to determine whether the RDS storage is encrypted in each AWS account. Store the results in an RDS database. Notify the security engineer by sending email messages from the EC2 instance when noncompliance is detected.
A
Explanation:
Activate AWS Control Tower Guardrail:
Use AWS Control Tower to activate a detective guardrail that checks whether RDS storage is encrypted.
Create SNS Topic for Notifications:
Set up an Amazon Simple Notification Service (SNS) topic in the audit account to receive notifications about non-compliant databases.
Create EventBridge Rule to Filter Non-compliant Events:
Create an Amazon EventBridge rule that filters events related to the guardrail’s findings on non-compliant RDS instances.
Configure the rule to send notifications to the SNS topic when non-compliant events are detected.
Subscribe Security Engineer’s Email to SNS Topic:
Subscribe the security engineer’s email address to the SNS topic to receive notifications when non-compliant databases are detected.
By using AWS Control Tower to activate a detective guardrail and setting up SNS notifications for non-compliant events, the company can efficiently monitor and ensure that all RDS databases are encrypted at rest.
References:
AWS Control Tower Guardrails
Amazon SNS
Amazon EventBridge
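The filter step of Option A, run locally as an added example that is not part of the exam page. Control Tower detective controls are implemented as AWS Config rules, and Config emits "Config Rules Compliance Change" events to EventBridge; the code applies an EventBridge-style pattern that keeps only NON_COMPLIANT results for RDS resources. The Config rule name, account id and resource id in the sample event are constructed placeholders, and only the exact-value-list and nested-object parts of EventBridge pattern matching are implemented.

```python
"""EventBridge rule pattern for noncompliant RDS encryption findings (added example)."""
from typing import Any

# Pattern the rule would use: Config compliance-change events, RDS resources, NON_COMPLIANT only.
NONCOMPLIANT_RDS_PATTERN: dict[str, Any] = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "resourceType": ["AWS::RDS::DBInstance", "AWS::RDS::DBCluster"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}


def matches(pattern: dict[str, Any], event: dict[str, Any]) -> bool:
    """True when every key in the pattern exists in the event and matches.
    A list in the pattern matches if the event's scalar equals any listed value; a dict
    recurses. Other EventBridge operators (prefix, anything-but, numeric) are not modelled."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def sample_compliance_event(compliance: str, resource_type: str) -> dict[str, Any]:
    """Constructed Config compliance-change event; rule name, account and ids are placeholders."""
    return {
        "source": "aws.config",
        "detail-type": "Config Rules Compliance Change",
        "account": "123456789012",
        "detail": {
            "configRuleName": "PLACEHOLDER-rds-storage-encrypted-control",
            "resourceType": resource_type,
            "resourceId": "db-PLACEHOLDER",
            "newEvaluationResult": {"complianceType": compliance},
        },
    }


def should_notify(event: dict[str, Any]) -> bool:
    """Whether the rule forwards this event to the SNS topic in the audit account."""
    return matches(NONCOMPLIANT_RDS_PATTERN, event)


if __name__ == "__main__":
    for comp, rtype in [("NON_COMPLIANT", "AWS::RDS::DBInstance"),
                        ("COMPLIANT", "AWS::RDS::DBInstance"),
                        ("NON_COMPLIANT", "AWS::EC2::Volume")]:
        print(comp, rtype, "->", should_notify(sample_compliance_event(comp, rtype)))
```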
A company runs an application in an Auto Scaling group of Amazon EC2 instances behind an Application Load Balancer (ALB). The EC2 instances run Docker containers that make requests to a MySQL database that runs on separate EC2 instances. A DevOps engineer needs to update the application to use a serverless architecture.
Which solution will meet this requirement with the FEWEST changes?
- A . Replace the containers that run on EC2 instances and the ALB with AWS Lambda functions. Replace the MySQL database with an Amazon Aurora Serverless v2 database that is compatible with MySQL.
- B . Replace the containers that run on EC2 instances with AWS Fargate. Replace the MySQL database with an Amazon Aurora Serverless v2 database that is compatible with MySQL.
- C . Replace the containers that run on EC2 instances and the ALB with AWS Lambda functions. Replace the MySQL database with Amazon DynamoDB tables.
- D . Replace the containers that run on EC2 instances with AWS Fargate. Replace the MySQL database with Amazon DynamoDB tables.
A company has a file-reading application that saves files to a database running on Amazon EC2 instances. Regulations require daily file deletions from EC2 instances and deletion of database records older than 60 days. Database record deletion must occur after file deletion. The company needs email notifications for any deletion script failures.
Which solution will meet these requirements with the LEAST development effort?
- A . Use AWS Systems Manager State Manager to automatically invoke an Automation document at the specified time daily. Configure the Automation document to run deletion scripts sequentially via run command. Create an EventBridge rule to send failure notifications to Amazon SNS.
- B . Use AWS Systems Manager State Manager to automatically invoke an Automation document at the specified time daily. Configure the Automation document to run deletion scripts sequentially. Add a conditional check for errors as the last step and send failure notifications via Amazon SES.
- C . Create an EventBridge rule to invoke a Lambda function at the specified time. Configure the Lambda function to run deletion scripts sequentially and send failure notifications via SNS.
- D . Create an EventBridge rule to invoke a Lambda function at the specified time. Configure the Lambda function to run deletion scripts sequentially and send failure notifications via SES.
A
Explanation:
Systems Manager State Manager with Automation documents allows running scripts sequentially and reliably with built-in retry and status tracking.
Using EventBridge with SNS for notifications leverages managed services with minimal custom development.
Using SES (Options B, D) requires more setup and custom logic for email formatting and sending.
Lambda (Options C, D) can run scripts but might have limitations on execution time and complexity compared to Systems Manager Automation.
References:
AWS Systems Manager Automation
Monitoring Automation Execution and Notifications
A company is launching an application. The application must use only approved AWS services. The account that runs the application was created less than 1 year ago and is assigned to an AWS Organizations OU.
The company needs to create a new Organizations account structure. The account structure must have an appropriate SCP that supports the use of only services that are currently active in the AWS account.
The company will use AWS Identity and Access Management (IAM) Access Analyzer in the solution.
Which solution will meet these requirements?
- A . Create an SCP that allows the services that IAM Access Analyzer identifies. Create an OU for the account. Move the account into the new OU. Attach the new SCP to the new OU. Detach the default FullAWSAccess SCP from the new OU.
- B . Create an SCP that denies the services that IAM Access Analyzer identifies. Create an OU for the account. Move the account into the new OU. Attach the new SCP to the new OU.
- C . Create an SCP that allows the services that IAM Access Analyzer identifies. Attach the new SCP to the organization’s root.
- D . Create an SCP that allows the services that IAM Access Analyzer identifies. Create an OU for the account. Move the account into the new OU. Attach the new SCP to the management account. Detach the default FullAWSAccess SCP from the new OU.
A
Explanation:
To meet the requirements of creating a new Organizations account structure with an appropriate SCP that supports the use of only services that are currently active in the AWS account, the company should use the following solution:
Create an SCP that allows the services that IAM Access Analyzer identifies. IAM Access Analyzer is a service that helps identify potential resource-access risks by analyzing resource-based policies in the AWS environment. IAM Access Analyzer can also generate IAM policies based on access activity in the AWS CloudTrail logs. By using IAM Access Analyzer, the company can create an SCP that grants only the permissions that are required for the application to run, and denies all other services. This way, the company can enforce the use of only approved AWS services and reduce the risk of unauthorized access [1][2].
Create an OU for the account. Move the account into the new OU. An OU is a container for accounts within an organization that enables you to group accounts that have similar business or security requirements. By creating an OU for the account, the company can apply policies and manage settings for the account as a group. The company should move the account into the new OU to make it subject to the policies attached to the OU [3].
Attach the new SCP to the new OU. Detach the default FullAWSAccess SCP from the new OU. An SCP is a type of policy that specifies the maximum permissions for an organization or organizational unit (OU). By attaching the new SCP to the new OU, the company can restrict the services that are available to all accounts in that OU, including the account that runs the application. The company should also detach the default FullAWSAccess SCP from the new OU, because this policy allows all actions on all AWS services and might override or conflict with the new SCP [4][5].
The other options are not correct because they do not meet the requirements or follow best practices. Creating an SCP that denies the services that IAM Access Analyzer identifies is not a good option because it might not cover all possible services that are not approved or required for the application. A deny policy is also more difficult to maintain and update than an allow policy. Creating an SCP that allows the services that IAM Access Analyzer identifies and attaching it to the organization’s root is not a good option because it might affect other accounts and OUs in the organization that have different service requirements or approvals. Creating an SCP that allows the services that IAM Access Analyzer identifies and attaching it to the management account is not a valid option because SCPs cannot be attached directly to accounts, only to OUs or roots.
References:
[1] Using AWS Identity and Access Management Access Analyzer – AWS Identity and Access Management
[2] Generate a policy based on access activity – AWS Identity and Access Management
[3] Organizing your accounts into OUs – AWS Organizations
[4] Service control policies – AWS Organizations
[5] How SCPs work – AWS Organizations
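Why Option A detaches FullAWSAccess, shown with a simplified SCP evaluation simulator (added example, not from the exam page or AWS). Within one level (root, OU or account) an action is permitted when any attached SCP allows it and none denies it; the verdicts of the levels from the root down to the account are then intersected. The allow-list services are constructed stand-ins for what IAM Access Analyzer would identify, and NotAction, conditions and resource matching are left out.

```python
"""SCP combination at one OU: allow-list alone vs. allow-list next to FullAWSAccess (added example)."""
from fnmatch import fnmatchcase
from typing import Any

# Allow-list SCP built from the services Access Analyzer observed (service names constructed).
ALLOWLIST_SCP: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["ec2:*", "s3:*", "cloudwatch:*", "logs:*"],
                   "Resource": "*"}],
}
# The AWS-managed default SCP that a new OU starts with.
FULL_AWS_ACCESS_SCP: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _actions(stmt: dict[str, Any]) -> list[str]:
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def level_permits(scps: list[dict[str, Any]], action: str) -> bool:
    """Verdict of one level: some Allow matches the action and no Deny matches it.
    Real IAM matching is case-insensitive; fnmatchcase keeps the example short."""
    allowed = denied = False
    for scp in scps:
        for stmt in scp["Statement"]:
            if any(fnmatchcase(action, pat) for pat in _actions(stmt)):
                if stmt["Effect"] == "Allow":
                    allowed = True
                else:
                    denied = True
    return allowed and not denied


def effective_permits(levels: list[list[dict[str, Any]]], action: str) -> bool:
    """levels: SCP lists from the root down to the account; every level must permit."""
    return all(level_permits(scps, action) for scps in levels)


ROOT_SCPS = [FULL_AWS_ACCESS_SCP]  # the organization root keeps FullAWSAccess


def option_a_permits(action: str) -> bool:
    """New OU with only the allow-list attached (FullAWSAccess detached)."""
    return effective_permits([ROOT_SCPS, [ALLOWLIST_SCP]], action)


def forgot_to_detach_permits(action: str) -> bool:
    """Same OU with FullAWSAccess still attached: its Allow * satisfies the OU level."""
    return effective_permits([ROOT_SCPS, [FULL_AWS_ACCESS_SCP, ALLOWLIST_SCP]], action)


if __name__ == "__main__":
    for act in ("ec2:RunInstances", "sagemaker:CreateNotebookInstance"):
        print(act, "option A:", option_a_permits(act), "| not detached:", forgot_to_detach_permits(act))
```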
