Amazon DOP-C01 Online Practice Questions and Exam Preparation

Amazon DOP-C01 Online Questions & Answers

• Question 361:

  A company's legacy application uses IAM user credentials to access resources in the company's AWS Organizations organization. A DevOps engineer needs to ensure new IAM users cannot be created unless the employee creating the IAM user is on an exception list.

  Which solution will meet these requirements?

  A. Attach an Organizations SCP with an explicit deny for all iam:CreateAccessKey actions with a condition that excludes StringNotEquals for aws:username with a value of the exception list.
  B. Attach an Organizations SCP with an explicit deny for all iam:CreateUser actions with a condition that includes StringEquals for aws:username with a value of the exception list.
  C. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with a pattern that matches the iam:CreateAccessKey action with an AWS Lambda function target. The function will check the user name account against an exception list. If the user is not in the exception list, the function will delete the user.
  D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with a pattern that matches the iam:CreateUser action with an AWS Lambda function target. The function will check the user name and account against an exception list. If the user is not in the exception list, the function will delete the user.
  A. Attach an Organizations SCP with an explicit deny for all iam:CreateAccessKey actions with a condition that excludes StringNotEquals for aws:username with a value of the exception list.

• Question 362:

  What is server immutability?

  A. Not updating a server after creation.
  B. The ability to change server counts.
  C. Updating a server after creation.
  D. The inability to change server counts.
  A. Not updating a server after creation.

  ---

  ... disposable upgrades offer a simpler way to know if your application has unknown dependencies. The underlying EC2 instance usage is considered temporary or ephemeral in nature for the period of deployment until the current release is active. During the new release, a new set of EC2 instances are rolled out by terminating older instances. This type of upgrade technique is more common in an immutable infrastructure. Reference: https://d0.awsstatic.com/whitepapers/overview-of-deployment-options-on-aws.pdf

• Question 363:

  Which deployment method, when using AWS Auto Scaling Groups and Auto Scaling Launch Configurations, enables the shortest time to live for individual servers?

  A. Pre-baking AMIs with all code and configuration on deploys.
  B. Using a Dockerfile bootstrap on instance launch.
  C. Using UserData bootstrapping scripts.
  D. Using AWS EC2 Run Commands to dynamically SSH into fleets.
  A. Pre-baking AMIs with all code and configuration on deploys.

  ---

  Note that the bootstrapping process can be slower if you have a complex application or multiple applications to install. Managing a fleet of applications with several build tools and dependencies can be a challenging task during rollouts. Furthermore, your deployment service should be designed to do faster rollouts to take advantage of Auto Scaling. Prebaking is a process of embedding a significant portion of your application artifacts within your base AMI. During the deployment process you can customize application installations by using EC2 instance artifacts such as instance tags, instance metadata, and Auto Scaling groups.

  Reference: https://d0.awsstatic.com/whitepapers/overview-of-deployment-options-on-aws.pdf

• Question 364:

  A user is creating a new EBS volume from an existing snapshot. The snapshot size shows 10 GB. Can the user create a volume of 30 GB from that snapshot?

  A. Provided the original volume has set the change size attribute to true
  B. Yes
  C. Provided the snapshot has the modify size attribute set as true
  D. No
  B. Yes

  ---

  A user can always create a new EBS volume of a higher size than the original snapshot size. The user cannot create a volume of a lower size. When the new volume is created the size in the instance will be shown as the original size. The user needs to change the size of the device with resize2fs or other OS specific commands.

• Question 365:

  A company mandates the creation of capture logs for everything running in its AWS account. The account has multiple VPCs with Amazon EC2 instances, Application Load Balancers, Amazon RDS MySQL databases, and AWS WAF rules configured. The logs must be protected from deletion. A daily visual analysis of log anomalies from the previous day is required. Which combination of actions should a DevOps Engineer take to accomplish this? (Choose three.)

  A. Configure an AWS Lambda function to send all CloudWatch logs to an Amazon S3 bucket. Create a dashboard report in Amazon QuickSight.
  B. Configure AWS CloudTrail to send all logs to Amazon Inspector. Create a dashboard report in Amazon QuickSight.
  C. Configure Amazon S3 MFA Delete on the logging Amazon S3 bucket.
  D. Configure an Amazon S3 object lock legal hold on the logging Amazon S3 bucket.
  E. Configure AWS Artifact to send all logs to the logging Amazon S3 bucket. Create a dashboard report in Amazon QuickSight.
  F. Deploy an Amazon CloudWatch agent to all Amazon EC2 instances.
  A. Configure an AWS Lambda function to send all CloudWatch logs to an Amazon S3 bucket. Create a dashboard report in Amazon QuickSight.
  D. Configure an Amazon S3 object lock legal hold on the logging Amazon S3 bucket.
  F. Deploy an Amazon CloudWatch agent to all Amazon EC2 instances.

• Question 366:

  A company used AWS CloudFormation to deploy a three-tier web application that stores data in an Amazon RDS MySQL Multi-AZ DB instance. A DevOps Engineer must upgrade the RDS instance to the latest major version of MySQL while incurring minimal downtime. How should the Engineer upgrade the instance while minimizing downtime?

  A. Update the EngineVersion property of the AWS::RDS::DBInstance resource type in the CloudFormation template to the latest desired version. Launch a second stack and make the new RDS instance a read replica.
  B. Update the DBEngineVersion property of the AWS:: RDS::DBInstance resource type in the CloudFormation template to the latest desired version. Perform an Update Stack operation. Create a new RDS Read Replicas resource with the same properties as the instance to be upgraded. Perform a second Update Stack operation.
  C. Update the DBEngineVersion property of the AWS::RDS::DBInstance resource type in the CloudFormation template to the latest desired version. Create a new RDS Read Replicas resource with the same properties as the instance to be upgraded. Perform an Update Stack operation.
  D. Update the EngineVersion property of the AWS::RDS::DBInstance resource type in the CloudFormation template to the latest version, and perform an Update Stack operation.
  A. Update the EngineVersion property of the AWS::RDS::DBInstance resource type in the CloudFormation template to the latest desired version. Launch a second stack and make the new RDS instance a read replica.

• Question 367:

  Your application stores sensitive information on an EBS volume attached to your EC2 instance. How can you protect your information? (Choose two.)

  A. Unmount the EBS volume, take a snapshot and encrypt the snapshot. Re-mount the Amazon EBS volume.
  B. It is not possible to encrypt an EBS volume, you must use a lifecycle policy to transfer data to S3 for encryption.
  C. Copy the unencrypted snapshot and check the box to encrypt the new snapshot. Volumes restored from this encrypted snapshot will also be encrypted.
  D. Create and mount a new, encrypted Amazon EBS volume. Move the data to the new volume. Delete the old Amazon EBS volume.
  C. Copy the unencrypted snapshot and check the box to encrypt the new snapshot. Volumes restored from this encrypted snapshot will also be encrypted.
  D. Create and mount a new, encrypted Amazon EBS volume. Move the data to the new volume. Delete the old Amazon EBS volume.

  ---

  These steps are given in the AWS documentation

  To migrate data between encrypted and unencrypted volumes

  1) Create your destination volume (encrypted or unencrypted, depending on your need).

  2) Attach the destination volume to the instance that hosts the data to migrate.

  3) Make the destination volume available by following the procedures in Making an Amazon EBS Volume Available for Use. For Linux instances, you can create a mount point at /mnt/destination and mount the destination volume there.

  4) Copy the data from your source directory to the destination volume. It may be most convenient to use a bulk-copy utility for this.

  To encrypt a volume's data by means of snapshot copying

  1) Create a snapshot of your unencrypted CBS volume. This snapshot is also unencrypted.

  2) Copy the snapshot while applying encryption parameters. The resulting target snapshot is encrypted.

  3) Restore the encrypted snapshot to a new volume, which is also encrypted.

• Question 368:

  How does Amazon RDS multi Availability Zone model work?

  A. A second, standby database is deployed and maintained in a different availability zone from master, using synchronous replication.
  B. A second, standby database is deployed and maintained in a different availability zone from master using asynchronous replication.
  C. A second, standby database is deployed and maintained in a different region from master using asynchronous replication.
  D. A second, standby database is deployed and maintained in a different region from master using synchronous replication.
  A. A second, standby database is deployed and maintained in a different availability zone from master, using synchronous replication.

  ---

  In a Multi-AZ deployment, Amazon RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone. Reference: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html

• Question 369:

  You need to create a simple, holistic check for your system's general availablity and uptime. Your system presents itself as an HTTP-speaking API. What is the most simple tool on AWS to achieve this with?

  A. Route53 Health Checks
  B. CloudWatch Health Checks
  C. AWS ELB Health Checks
  D. EC2 Health Checks
  A. Route53 Health Checks

  ---

  You can create a health check that will run into perpetuity using Route53, in one API call, which will ping your service via HTTP every 10 or 30 seconds. Amazon Route 53 must be able to establish a TCP connection with the endpoint within

  four seconds. In addition, the endpoint must respond with an HTTP status code of 200 or greater and less than 400 within two seconds after connecting.

  Reference:

  http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover-determining-health-of-endpoint s.html

• Question 370:

  Which of these techniques enables the fastest possible rollback times in the event of a failed deployment?

  A. Rolling; Immutable
  B. Rolling; Mutable
  C. Canary or A/B
  D. Blue-Green
  D. Blue-Green

  ---

  AWS specifically recommends Blue-Green for super-fast, zero-downtime deploys - and thus rollbacks, which are redeploying old code. You use various strategies to migrate the traffic from your current application stack (blue) to a new version of the application (green). This is a popular technique for deploying applications with zero downtime.

  Reference: https://d0.awsstatic.com/whitepapers/overview-of-deployment-options-onaws.pdf