DOP-C02 AWS Certified DevOps Engineer - Professional is now Stable and With Pass Result | Test Your Knowledge for Free

DOP-C02 Practice Questions

AWS Certified DevOps Engineer - Professional

Last Update 3 days ago
Total Questions : 425

Dive into our fully updated and stable DOP-C02 practice test platform, featuring all the latest AWS Certified Professional exam questions added this week. Our preparation tool is more than just a Amazon Web Services study aid; it's a strategic advantage.

Our free AWS Certified Professional practice questions crafted to reflect the domains and difficulty of the actual exam. The detailed rationales explain the 'why' behind each answer, reinforcing key concepts about DOP-C02. Use this test to pinpoint which areas you need to focus your study on.

DOP-C02 PDF

$43.75
~~$124.99~~

Add to Cart

DOP-C02 Testing Engine

$50.75
~~$144.99~~

Add to Cart

DOP-C02 PDF + Testing Engine

$63.7
~~$181.99~~

Add to Cart

Question # 51

A company is developing a web application that runs on Amazon EC2 Linux instances. The application requires monitoring of custom performance metrics. The company must collect metrics for API response times and database query latency across multiple instances. Which solution will generate the custom metrics with the LEAST operational overhead?

Options:

Install the Amazon CloudWatch agent on the instances. Configure the agent to collect the custom metrics. Instrument the application to send the metrics to the agent.

Use Amazon Managed Service for Prometheus to scrape the custom metrics from the application. Use the Amazon CloudWatch agent to forward the metrics to CloudWatch.

Create a custom AWS Lambda function that polls the application endpoints and database at regular intervals. Program the Lambda function to calculate the custom metrics and to send the metrics to Amazon CloudWatch by using PutMetricData API calls.

Implement custom logging in the application code to record the custom metrics. Use Amazon CloudWatch Logs Insights to extract and analyze the metrics.

Discussion 0

Question # 52

A company uses an organization in AWS Organizations to manage multiple AWS accounts The company needs an automated process across all AWS accounts to isolate any compromised Amazon EC2 instances when the instances receive a specific tag.

Which combination of steps will meet these requirements? (Select TWO.)

Options:

Use AWS Cloud Formation StackSets to deploy the Cloud Formation stacks in all AWS accounts.

Create an SCP that has a Deny statement for the ec2: " action with a condition of " aws:RequestTag/isolation " : false.

Attach the SCP to the root of the organization.

Create an AWS Cloud Formation template that creates an EC2 instance rote that has no 1AM policies attached. Configure the template to have a security group that has an explicit Deny rule on all traffic. Use the Cloud Formation template to create an AWS Lambda function that attaches the 1AM role to instances. Configure the Lambda function to add a network ACL. Sot up an Amazon EventBridge rule to invoke the Lambda function when a specific ta

Create an AWS Cloud Formation template that creates an EC2 instance role that has no 1AM policies attached. Configure the template to have a security group that has no inbound rules or outbound rules. Use the CloudFormation template to create an AWS Lambda function that attaches the 1AM role to instances. Configure the Lambda function to replace any existing security groups with the new security group. Set up an Amazon EventBridge rule to i

Discussion 0

Answer:

A, E

Explanation:

 Step 1: Deploy the Automation Solution using CloudFormation StackSets

To automate the process across multiple AWS accounts within an organization, you can use AWS CloudFormation StackSets. StackSets allow you to deploy CloudFormation templates to multiple accounts within an organization, ensuring consistent infrastructure and automation.

Action: Use AWS CloudFormation StackSets to deploy the necessary resources across all AWS accounts. This includes deploying the Lambda function and security groups that will isolate compromised EC2 instances.

Why: StackSets make it easy to deploy and manage resources across multiple AWS accounts, reducing the operational overhead.

[Reference: AWS documentation on CloudFormation StackSets., This corresponds to Option A: Use AWS CloudFormation StackSets to deploy the CloudFormation stacks in all AWS accounts.,  Step 2: Isolate EC2 Instances using Lambda and Security GroupsWhen an EC2 instance is compromised, it needs to be isolated from the network. This can be done by creating a security group with no inbound or outbound rules and attaching it to the instance. A Lambda function can handle this process and can be triggered automatically by an Amazon EventBridge rule when a specific tag (e.g., "isolation") is applied to the compromised instance., Action: Create a Lambda function that attaches an isolated security group (with no inbound or outbound rules) to the compromised EC2 instances. Set up an EventBridge rule to trigger the Lambda function when the "isolation" tag is applied to the instance., Why: This automates the isolation process, ensuring that any compromised instances are immediately cut off from the network, reducing the potential damage from the compromise., Reference: AWS documentation on Tag-based Event Handling., This corresponds to Option E: Create an AWS CloudFormation template that creates an EC2 instance role that has no IAM policies attached. Configure the template to have a security group that has no inbound rules or outbound rules. Use the CloudFormation template to create an AWS Lambda function that attaches the IAM role to instances. Configure the Lambda function to replace any existing security groups with the new security group. Set up an Amazon EventBridge rule to invoke the Lambda function when a specific tag is applied to a compromised EC2 instance., , , ]

Question # 53

A company has an application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB) The EC2 Instances are in multiple Availability Zones The application was misconfigured in a single Availability Zone, which caused a partial outage of the application.

A DevOps engineer made changes to ensure that the unhealthy EC2 instances in one Availability Zone do not affect the healthy EC2 instances in the other Availability Zones. The DevOps engineer needs to test the application ' s failover and shift where the ALB sends traffic During failover. the ALB must avoid sending traffic to the Availability Zone where the failure has occurred.

Which solution will meet these requirements?

Options:

Turn off cross-zone load balancing on the ALB Use Amazon Route 53 Application Recovery Controller to start a zonal shift away from the Availability Zone

Turn off cross-zone load balancing on the ALB ' s target group Use Amazon Route 53 Application Recovery Controller to start a zonal shift away from the Availability Zone

Create an Amazon Route 53 Application Recovery Controller resource set that uses the DNS hostname of the ALB Start a zonal shift for the resource set away from the Availability Zone

Create an Amazon Route 53 Application Recovery Controller resource set that uses the ARN of the ALB ' s target group Create a readiness check that uses the ElbV2TargetGroupsCanServeTraffic rule

Discussion 0

Question # 54

A DevOps engineer needs to design a cloud-based solution to standardize deployment artifacts for AWS Cloud deployments and on-premises deployments. There is currently no routing traffic between the on-premises data center and the AWS environment.

The solution must be able to consume downstream packages from public repositories and must be highly available. Data must be encrypted in transit and at rest. The solution must store the deployment artifacts in object storage and deploy the deployment artifacts into Amazon Elastic Container Service (Amazon ECS). The deployment artifacts must be encrypted in transit if the deployment artifacts travel across the public internet.

The DevOps engineer needs to deploy this solution in less than two weeks.

Which solution will meet these requirements?

Options:

Use a third-party software VPN appliance to connect the on-premises data center and AWS. Use AWS CodeArtifact to store the deployment artifacts.

Use an AWS Direct Connect connection and a VPN connection to connect the on-premises data center to AWS. Deploy third-party artifact management software on Amazon EC2 instances.

Use two AWS VPN connections to connect the on-premises data center to AWS. Use AWS CodeArtifact to store the deployment artifacts.

Use parallel AWS Direct Connect connections to connect the on-premises data center to AWS. Deploy third-party artifact management software on Amazon EC2 instances.

Discussion 0

Question # 55

A company ' s development team uses AVMS Cloud Formation to deploy its application resources The team must use for an changes to the environment The team cannot use AWS Management Console or the AWS CLI to make manual changes directly.

The team uses a developer IAM role to access the environment The role is configured with the Admnistratoraccess managed policy. The company has created a new Cloudformationdeployment IAM role that has the following policy.

The company wants ensure that only CloudFormation can use the new role. The development team cannot make any manual changes to the deployed resources.

Which combination of steps meet these requirements? (Select THRE

)

Options:

Remove the AdministratorAccess policy. Assign the ReadOnIyAccess managed IAM policy to the developer role. Instruct the developers to use the CloudFormationDeployment role as a CloudFormation service role when the developers deploy new stacks.

Update the trust of CloudFormationDeployment role to allow the developer IAM role to assume the CloudFormationDepoyment role.

Configure the IAM to be to get and pass the CloudFormationDeployment role ifcloudformation actions for resources,

Update the trust Of the CloudFormationDepoyment role to anow the cloudformation.amazonaws.com AWS principal to perform the iam:AssumeR01e action

Remove me Administratoraccess policy. Assign the ReadOnly/Access managed IAM policy to the developer role Instruct the developers to assume the CloudFormatondeployment role when the developers new stacks

Add an IAM policy to CloudFormationDeplyment to allow cloudformation * on an Add a policy that allows the iam.PassR01e action for ARN of if iam PassedT0Service equal cloudformation.amazonaws.com

Discussion 0

Answer:

A, D, F

Explanation:

Option A is correct because removing the AdministratorAccess policy and assigning the ReadOnlyAccess managed IAM policy to the developer role is a valid way to prevent the developers from making any manual changes to the deployed resources. The AdministratorAccess policy grants full access to all AWS resources and actions, which is not necessary for the developers. The ReadOnlyAccess policy grants read-only access to most AWS resources and actions, which is sufficient for the developers to view the status of their stacks. Instructing the developers to use the CloudFormationDeployment role as a CloudFormation service role when they deploy new stacks is also a valid way to ensure that only CloudFormation can use the new role. A CloudFormation service role is an IAM role that allows CloudFormation to make calls to resources in a stack on behalf of the user1. The user can specify a service role when they create or update a stack, and CloudFormation will use that role’s credentials for all operations that are performed on that stack1.

Option B is incorrect because updating the trust of CloudFormationDeployment role to allow the developer IAM role to assume the CloudFormationDeployment role is not a valid solution. This would allow the developers to manually assume the CloudFormationDeployment role and perform actions on the deployed resources, which is not what the company wants. The trust of CloudFormationDeployment role should only allow the cloudformation.amazonaws.com AWS principal to assume the role, as in option

Option C is incorrect because configuring the IAM user to be able to get and pass the CloudFormationDeployment role if cloudformation actions for resources is not a valid solution. This would allow the developers to manually pass the CloudFormationDeployment role to other services or resources, which is not what the company wants. The IAM user should only be able to pass the CloudFormationDeployment role as a service role when they create or update a stack with CloudFormation, as in option

Option D is correct because updating the trust of CloudFormationDeployment role to allow the cloudformation.amazonaws.com AWS principal to perform the iam:AssumeRole action is a valid solution. This allows CloudFormation to assume the CloudFormationDeployment role and access resources in other services on behalf of the user2. The trust policy of an IAM role defines which entities can assume the role2. By specifying cloudformation.amazonaws.com as the principal, you grant permission only to CloudFormation to assume this role.

Option E is incorrect because instructing the developers to assume the CloudFormationDeployment role when they deploy new stacks is not a valid solution. This would allow the developers to manually assume the CloudFormationDeployment role and perform actions on the deployed resources, which is not what the company wants. The developers should only use the CloudFormationDeployment role as a service role when they deploy new stacks with CloudFormation, as in option

Option F is correct because adding an IAM policy to CloudFormationDeployment that allows cloudformation:* on all resources and adding a policy that allows the iam:PassRole action for ARN of CloudFormationDeployment if iam:PassedToService equals cloudformation.amazonaws.com are valid solutions. The first policy grants permission for CloudFormationDeployment to perform any action with any resource using cloudformation.amazonaws.com as a service principal3. The second policy grants permission for passing this role only if it is passed by cloudformation.amazonaws.com as a service principal4. This ensures that only CloudFormation can use this role.

[References:, 1: AWS CloudFormation service roles, 2: How to use trust policies with IAM roles, 3: AWS::IAM::Policy, 4: IAM: Pass an IAM role to a specific AWS service, , , , ]

Question # 56

A company wants to improve its security practices by enforcing least privilege across all projects. Developers must be able to access Amazon EC2 resources but not Amazon RDS resources. Database administrators must have access only to Amazon RDS resources.

Every employee has a unique IAM user. There are already pre-existing IAM policies for developer and database administrator job functions. All AWS resources are already tagged with appropriate project tags. All the IAM users are tagged with the appropriate project and job function.

The company must ensure that each employee can access only the project that the employee is working on.

Which solution will meet these requirements? (Select THRE

)

Options:

For each project, create one IAM role for developers and one IAM role for database administrators. Tag the IAM roles with the corresponding projects and job functions.

Modify the pre-existing IAM policies to include a StringEquals condition that compares the ResourceTag for projects with the PrincipalTag value. Attach the modified policies to the IAM roles for each job function.

Create an IAM policy that allows users to assume a role only when the ResourceTag values match the PrincipalTag values for project tags and job function tags. Attach the new policy to all IAM users.

Create an IAM policy that allows users to assume a role only when the ResourceTag values match the PrincipalTag values for project tags and job function tags. Attach the new policy to the IAM roles for each job function.

Tag the pre-existing IAM policies with the appropriate projects and job functions. Attach the modified policies to IAM roles for each job function.

For each project, create one IAM group for developers and one IAM group for database administrators. Add the appropriate users to each group so the users can assume their respective IAM roles.

Discussion 0

Question # 57

A DevOps engineer must implement a solution that immediately terminates Amazon EC2 instances in Auto Scaling groups when cryptocurrency mining activity is detected.

Which solution will meet these requirements with the LEAST development effort?

Options:

Configure Amazon Route 53 query logs → CloudWatch → Lambda every 5 mins to detect mining-related domains and terminate EC2 instances.

Configure VPC Flow Logs → S3 → Lambda every 5 mins → Athena query → terminate EC2 instances.

Enable Amazon GuardDuty. Monitor EC2 findings. Create an EventBridge rule triggered by GuardDuty. Invoke a Lambda function that terminates the affected EC2 instances.

Enable AWS Security Hub. Monitor EC2 findings. Create an EventBridge rule triggered by Security Hub. Invoke Lambda to terminate EC2 instances.

Discussion 0

Question # 58

A company is migrating its on-premises Windows applications and Linux applications to AWS. The company will use automation to launch Amazon EC2 instances to mirror the on-premises configurations. The migrated applications require access to shared storage that uses SMB for Windows and NFS for Linux.

The company is also creating a pilot light disaster recovery (DR) environment in another AWS Region. The company will use automation to launch and configure the EC2 instances in the DR Region. The company needs to replicate the storage to the DR Region.

Which storage solution will meet these requirements?

Options:

Use Amazon S3 for the application storage. Create an S3 bucket in the primary Region and an S3 bucket in the DR Region. Configure S3 Cross-Region Replication (CRR) from the primary Region to the DR Region.

Use Amazon Elastic Block Store (Amazon EBS) for the application storage. Create a backup plan in AWS Backup that creates snapshots of the EBS volumes that are in the primary Region and replicates the snapshots to the DR Region.

Use a Volume Gateway in AWS Storage Gateway for the application storage. Configure Cross-Region Replication (CRR) of the Volume Gateway from the primary Region to the DR Region.

Use Amazon FSx for NetApp ONTAP for the application storage. Create an FSx for ONTAP instance in the DR Region. Configure NetApp SnapMirror replication from the primary Region to the DR Region.

Discussion 0

Question # 59

A company uses an Amazon Elastic Kubernetes Service (Amazon EKS) cluster to host its machine learning (ML) application. As the ML model and the container image size grow, the time that new pods take to start up has increased to several minutes.

A DevOps engineer needs to reduce the startup time to seconds. The solution must also reduce the startup time to seconds when the pod runs on nodes that were recently added to the cluster.

The DevOps engineer creates an Amazon EventBridge rule that invokes an automation in AWS Systems Manager. The automation prefetches the container images from an Amazon Elastic Container Registry (Amazon ECR) repository when new images are pushed to the repository. The DevOps engineer also configures tags to be applied to the cluster and the node groups.

What should the DevOps engineer do next to meet the requirements?

Options:

Create an IAM role that has a policy that allows EventBridge to use Systems Manager to run commands in the EKS cluster ' s control plane nodes. Create a Systems Manager State Manager association that uses the control plane nodes ' tags to prefetch corresponding container images.

Create an IAM role that has a policy that allows EventBridge to use Systems Manager to run commands in the EKS cluster ' s nodes. Create a Systems Manager State Manager association that uses the nodes ' machine size to prefetch corresponding container images.

Create an IAM role that has a policy that allows EventBridge to use Systems Manager to run commands in the EKS cluster ' s control plane nodes. Create a Systems Manager State Manager association that uses the nodes ' tags to prefetch corresponding container images.

Discussion 0

Question # 60

A company manages AWS accounts for application teams in AWS Control Tower. Individual application teams are responsible for securing their respective AWS accounts.

A DevOps engineer needs to enable Amazon GuardDuty for all AWS accounts in which the application teams have not already enabled GuardDuty. The DevOps engineer is using AWS CloudFormation StackSets from the AWS Control Tower management account.

How should the DevOps engineer configure the CloudFormation template to prevent failure during the StackSets deployment?

Options:

Create a CloudFormation custom resource that invokes an AWS Lambda function. Configure the Lambda function to conditionally enable GuardDuty if GuardDuty is not already enabled in the accounts.

Use the Conditions section of the CloudFormation template to enable GuardDuty in accounts where GuardDuty is not already enabled.

Use the CloudFormation Fn. GetAtt intrinsic function to check whether GuardDuty is already enabled If GuardDuty is not already enabled use the Resources section of the CloudFormation template to enable GuardDuty.

Manually discover the list of AWS account IDs where GuardDuty is not enabled Use the CloudFormation Fn: ImportValue intrinsic function to import the list of account IDs into the CloudFormation template to skip deployment for the listed AWS accounts.

Discussion 0

Get DOP-C02 dumps and pass your exam in 24 hours!

Spring Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 65pass65

DOP-C02 AWS Certified DevOps Engineer - Professional is now Stable and With Pass Result | Test Your Knowledge for Free

DOP-C02 Practice Questions

DOP-C02 PDF

DOP-C02 Testing Engine

DOP-C02 PDF + Testing Engine

Options:

Options:

Answer:

Explanation:

Options:

Options:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Options:

Options:

Options:

Free Exams Sample Questions

We Accept

Secure Site

Customer Review

Money Back Guarantee