DOP-C02 Amazon Web Services AWS Certified DevOps Engineer

AWS Certified DevOps Engineer - Professional

Last Update 12 hours ago Total Questions : 449

The AWS Certified DevOps Engineer - Professional content is now fully updated, with all current exam questions added 12 hours ago. Deciding to include DOP-C02 practice exam questions in your study plan goes far beyond basic test preparation.

You'll find that our DOP-C02 exam questions frequently feature detailed scenarios and practical problem-solving exercises that directly mirror industry challenges. Engaging with these DOP-C02 sample sets allows you to effectively manage your time and pace yourself, giving you the ability to finish any AWS Certified DevOps Engineer - Professional practice test comfortably within the allotted time.

Question # 1

A company is migrating from its on-premises data center to AWS. The company currently uses a custom on-premises CI/CD pipeline solution to build and package software.

The company wants its software packages and dependent public repositories to be available in AWS CodeArtifact to facilitate the creation of application-specific pipelines.

Which combination of steps should the company take to update the CI/CD pipeline solution and to configure CodeArtifact with the LEAST operational overhead? (Select TWO.)

Update the CI/CD pipeline to create a VM image that contains newly packaged software Use AWS Import/Export to make the VM image available as anAmazon EC2 AMI. Launch the AMI with an attached 1AM instance profile that allows CodeArtifact actions. Use AWS CLI commands to publish the packages to a CodeArtifact repository.

Create an AWS Identity and Access Management Roles Anywhere trust anchor Create an 1AM role that allows CodeArtifact actions and that has a trust relationship on the trust anchor. Update the on-premises CI/CD pipeline to assume the new 1AM role and to publish the packages to CodeArtifact.

Create a new Amazon S3 bucket. Generate a presigned URL that allows the PutObject request. Update the on-premises CI/CD pipeline to use thepresigned URL to publish the packages from the on-premises location to the S3 bucket. Create an AWS Lambda function that runs when packages are created in the bucket through a put command Configure the Lambda function to publish the packages to CodeArtifact

For each public repository, create a CodeArtifact repository that is configured with an external connection Configure the dependent repositories as upstream public repositories.

Create a CodeArtifact repository that is configured with a set of external connections to the public repositories. Configure the external connections to be downstream of the repository

Question # 2

A company requires that its internally facing web application be highly available. The architecture is made up of one Amazon EC2 web server instance and one NAT instance that provides outbound internet access for updates and accessing public data.

Which combination of architecture adjustments should the company implement to achieve high availability? (Choose two.)

Add the NAT instance to an EC2 Auto Scaling group that spans multiple Availability Zones. Update the route tables.

Create additional EC2 instances spanning multiple Availability Zones. Add an Application Load Balancer to split the load between them.

Configure an Application Load Balancer in front of the EC2 instance. Configure Amazon CloudWatch alarms to recover the EC2 instance upon host failure.

Replace the NAT instance with a NAT gateway in each Availability Zone. Update the route tables.

Replace the NAT instance with a NAT gateway that spans multiple Availability Zones. Update the route tables.

Question # 3

A company requires all employees to access secrets via Systems Manager Parameter Store with rotation every 60 days.

The company must add a new secret for an Amazon ElastiCache Redis cluster.

Which solution meets these requirements with the LEAST operational overhead?

Create the secret in Secrets Manager with managed rotation (60 days). Reference via Parameter Store path.

Create the secret in Parameter Store with automatic rotation (unsupported).

Create the secret in Parameter Store and Lambda rotation (manual).

Create the secret in Secrets Manager with Lambda rotation using Redis rotation template and 60-day schedule. Reference via Parameter Store path.

Question # 4

A company is implementing a standardized security baseline across its AWS accounts. The accounts are in an organization in AWS Organizations. The company must deploy consistent IAM roles and policies across all existing and future accounts in the organization. Which solution will meet these requirements with the MOST operational efficiency?

Enable AWS Control Tower in the management account. Configure AWS Control Tower Account Factory customization to deploy the required IAM roles and policies to all accounts.

Activate trusted access for AWS CloudFormation StackSets in Organizations. In the management account, create a stack set that has service-managed permissions to deploy the required IAM roles and policies to all accounts. Enable automatic deployment for the stack set.

In each member account, create IAM roles that have permissions to create and manage resources. In the management account, create an AWS CloudFormation stack set that has self-managed permissions to deploy the required IAM roles and policies to all accounts. Enable automatic deployment for the stack set.

In the management account, create an AWS CodePipeline pipeline. Configure the pipeline to use AWS CloudFormation to automate the deployment of the required IAM roles and policies. Set up cross-account IAM roles to allow CodePipeline to deploy resources in the member accounts.

Question # 5

A DevOps engineer used an AWS Cloud Formation custom resource to set up AD Connector. The AWS Lambda function ran and created AD Connector, but Cloud Formation is not transitioning from CREATE_IN_PROGRESS to CREATE_COMPLETE.

Which action should the engineer take to resolve this issue?

Ensure the Lambda function code has exited successfully.

Ensure the Lambda function code returns a response to the pre-signed URL.

Ensure the Lambda function IAM role has cloudformation UpdateStack permissions for the stack ARN.

Ensure the Lambda function IAM role has ds ConnectDirectory permissions for the AWS account.

Question # 6

A company sells products through an ecommerce web application The company wants a dashboard that shows a pie chart of product transaction details. The company wants to integrate the dashboard With the company’s existing Amazon CloudWatch dashboards

Which solution Will meet these requirements With the MOST operational efficiency?

Update the ecommerce application to emit a JSON object to a CloudWatch log group for each processed transaction. Use CloudWatch Logs Insights to query the log group and to visualize the results in a pie chart format Attach the results to the desired CloudWatch dashboard.

Update the ecommerce application to emit a JSON object to an Amazon S3 bucket for each processed transaction. Use Amazon Athena to query the S3 bucket and to visualize the results In a Pie chart format. Export the results from Athena Attach the results to the desired CloudWatch dashboard

Update the ecommerce application to use AWS X-Ray for instrumentation. Create a new X-Ray subsegment Add an annotation for each processed transaction. Use X-Ray traces to query the data and to visualize the results in a pie chart format Attach the results to the desired CloudWatch dashboard

Update the ecommerce application to emit a JSON object to a CloudWatch log group for each processed transaction_ Create an AWS Lambda function to aggregate and write the results to Amazon DynamoDB. Create a Lambda subscription filter for the log file. Attach the results to the desired CloudWatch dashboard.

Answer:

Explanation:

The correct answer is A.

Option A is correct because it meets the requirements with the most operational efficiency. Updating the ecommerce application to emit a JSON object to a CloudWatch log group for each processed transaction is a simple and cost-effective way to collect the data needed for the dashboard. Using CloudWatch Logs Insights to query the log group and to visualize the results in a pie chart format is also a convenient and integrated solution that leverages the existing CloudWatch dashboards. Attaching the results to the desired CloudWatch dashboard is straightforward and does not require any additional steps or services.

Option B is incorrect because it introduces unnecessary complexity and cost. Updating the ecommerce application to emit a JSON object to an Amazon S3 bucket for each processed transaction is a valid way to store the data, but it requires creating and managing an S3 bucket and its permissions. Using Amazon Athena to query the S3 bucket and to visualize the results in a pie chart format is also a valid way to analyze the data, but it incurs charges based on the amount of data scanned by each query. Exporting the results from Athena and attaching them to the desired CloudWatch dashboard is also an extra step that adds more overhead and latency.

Option C is incorrect because it uses AWS X-Ray for an inappropriate purpose. Updating the ecommerce application to use AWS X-Ray for instrumentation is a good practice for monitoring and tracing distributed applications, but it is not designed for aggregating product transaction details. Creating a new X-Ray subsegment and adding an annotation for each processed transaction is possible, but it would clutter the X-Ray service map and make it harder to debug performance issues. Using X-Ray traces to query the data and to visualize the results in a pie chart format is also possible, but it would require custom code and logic that are not supported by X-Ray natively. Attaching the results to the desired CloudWatch dashboard is also not supported by X-Ray directly, and would require additional steps or services.

Option D is incorrect because it introduces unnecessary complexity and cost. Updating the ecommerce application to emit a JSON object to a CloudWatch log group for each processed transaction is a simple and cost-effective way to collect the data needed for the dashboard, as in option A. However, creating an AWS Lambda function to aggregate and write the results to Amazon DynamoDB is redundant, as CloudWatch Logs Insights can already perform aggregation queries on log data. Creating a Lambda subscription filter for the log file is also redundant, as CloudWatch Logs Insights can already access log data directly. Attaching the results to the desired CloudWatch dashboard would also require additional steps or services, as DynamoDB does not support native integration with CloudWatch dashboards.

[References:, CloudWatch Logs Insights, Amazon Athena, AWS X-Ray, AWS Lambda, Amazon DynamoDB, , , , , ]

Question # 7

A company manages a large fleet of Amazon EC2 Linux instances in its production AWS account by using AWS Systems Manager . The EC2 instances must comply with a list of compliance requirements.

The company ' s DevOps engineers wrote Chef cookbooks to detect and remediate configuration deviations. The company does not want to manage a Chef server and agent infrastructure.

The DevOps engineers need to set up the Chef cookbooks to run periodically on the EC2 instances.

Which solution will meet these requirements?

Create a Systems Manager State Manager association . Associate the AWS-ApplyChefRecipes document with all EC2 instances. Configure the association to retrieve the Chef cookbooks from a source repository and to run every hour.

Store the Chef agent installation package in an Amazon S3 bucket. Configure a Systems Manager Run Command to invoke the AWS-InstallApplication command on all instances and to run the repair action. Schedule the Run Command to run every hour.

Create a Systems Manager State Manager association that applies the AWS-RefreshAssociation document to all EC2 instances. Configure the association to run every hour.

Configure a Systems Manager patch policy to run the scan and install operation every hour. Create a patch baseline for the EC2 instances. Configure the instance IAM profile with permissions for patch operations.

Question # 8

A DevOps engineer is working on a member account in an organization in AWS Organizations with all features enabled . The account has sensitive data stored in Amazon S3 buckets.

The DevOps engineer must ensure that all public access to S3 buckets in the account is blocked . If the account-level S3 Block Public Access settings change in the future, the changes must be reverted automatically so that all public access is blocked again.

Which solution meets these requirements?

Enable AWS Security Hub in the account. Enable the Security Hub control to evaluate the account-level Block Public Access settings. Enable automated remediation for the Security Hub control.

Set up AWS Config in the account. Create an AWS Config managed rule that evaluates the account-level Block Public Access settings. Enable automatic remediation for the rule by using a predefined AWS Systems Manager runbook to configure S3 Block Public Access settings.

In the organization’s management account, create an SCP that denies S3 actions from outside the AWS account. Attach the SCP to the member account.

Enable Amazon Macie in the account. Create an Amazon EventBridge rule with an event pattern that matches Macie policy findings. Configure the rule with an EventBridge target to run a predefined AWS Systems Manager runbook to configure S3 Block Public Access settings.

Answer:

Explanation:

Option B is the only choice that directly satisfies both requirements:

Continuously evaluate the account-level S3 Block Public Access setting

AWS Config is designed to record configuration state and evaluate resources/settings against rules over time.

A Config rule (managed rule) can check whether the account-level “S3 Block Public Access” settings are configured as required (i.e., blocking public access).

Automatically revert drift (auto-remediate) if someone changes the setting later

AWS Config Remediation can automatically trigger an AWS Systems Manager Automation runbook when the rule becomes NON_COMPLIANT .

Using an SSM Automation document/runbook that sets S3 account-level Block Public Access back to the required “blocked” configuration ensures that any future change is corrected automatically , restoring compliance without manual intervention.

Why the other options don’t fully meet the requirement:

A (Security Hub) : Security Hub primarily aggregates findings and checks controls. While it can integrate with automation, AWS Config is the standard service for configuration drift detection + automatic remediation loops for account-level posture settings. Security Hub is not the most direct “detect config drift and auto-fix” mechanism for an account setting in the way Config remediation is.

C (SCP) : An SCP can restrict API actions, but it doesn’t “revert” a changed S3 Block Public Access configuration ; it only prevents/limits what actions can be called. Also, “deny S3 actions from outside the account” is not the same as enforcing Block Public Access settings at the account level.

D (Macie + EventBridge) : Macie focuses on data discovery and sensitive data findings , not enforcing or continuously remediating S3 account-level Block Public Access configuration drift. Triggering remediation off Macie findings is indirect and not aligned to “setting changed → immediately revert.”

Question # 9

A company uses AWS Organizations to manage multiple AWS accounts. The accounts are in an OU that has a policy attached to allow all actions. The company is migrating several Git repositories to a specified AWS CodeConnections supported Git provider. The Git repositories manage AWS CloudFormation stacks for application infrastructure that the company deploys across multiple AWS Regions. The company wants a DevOps team to integrate CodeConnections into the CloudFormation stacks. The DevOps team must ensure that company staff members can integrate only with the specified Git provider. The deployment process must be highly available across Regions. Which combination of steps will meet these requirements? (Select THREE.)

Add a new SCP statement to the OU that denies the CodeConnections CreatingConnections action where the provider type is not the specified Git provider.

Add a new SCP statement to the OU that allows the CodeConnections CreatingConnections action where the provider type is the specified Git provider.

Use CodeConnections to configure a single CodeConnections connection to each Git repository.

Use CodeConnections to create a CodeConnections connection from each Region where the company operates to each Git repository.

Use CodeConnections to create a CodeConnections repository link. Update each CloudFormation stack to sync from the Git repository.

For each Git repository, create a pipeline in AWS CodePipeline that has the Git repository set as the source and a CloudFormation deployment stage.

Question # 10

A company is implementing a CI/CD pipeline for an application by using AWS CodePipeline and AWS CodeBuild. The company needs a solution to run unit tests and automatically generate code coverage reports before any code is deployed to production. The CI/CD pipeline execution must fail if the code coverage is less than 80%.

Which solution will meet these requirements?

Create an AWS Lambda function to run unit tests and generate code coverage reports. Add a Lambda invoke action to a stage in the CodePipeline pipeline. Create an Amazon EventBridge scheduled rule to run hourly to monitor the Lambda function ' s output. Configure the rule to fail the pipeline if coverage is less than 80%.

Create an AWS Step Functions workflow to run unit tests and generate code coverage reports. Add a Step Functions test action to a stage in the CodePipeline pipeline to invoke the workflow. Configure the workflow to fail if the code coverage is less than 80%.

Create a CodeBuild project with a buildspec.yml file that includes commands to run unit tests and generate code coverage reports. Add a CodeBuild test action to a stage in the CodePipeline pipeline. Configure the CodeBuild test action to use the source artifacts from the source action as input. Modify the buildspec.yml file to fail the build if coverage is less than 80%.

Create a CodeBuild project with Jenkins installed. Configure Jenkins to run unit tests and generate code coverage reports. Add a Jenkins test action to a stage in the CodePipeline pipeline. Configure the Jenkins test action to output the coverage report as an output artifact. Configure an approval action to fail the pipeline if code coverage is less than 80%.