Amazon DOP-C01 Online Practice Questions and Exam Preparation

Amazon DOP-C01 Online Questions & Answers

• Question 401:

  You are designing a service that aggregates clickstream data in batch and delivers reports to subscribers via email only once per week. Data is extremely spikey, geographically distributed, high-scale, and unpredictable. How should you design this system?

  A. Use a large RedShift cluster to perform the analysis, and a fleet of Lambdas to perform record inserts into the RedShift tables. Lambda will scale rapidly enough for the traffic spikes.
  B. Use a CloudFront distribution with access log delivery to S3. Clicks should be recorded as querystring GETs to the distribution. Reports are built and sent by periodically running EMR jobs over the access logs in S3.
  C. Use API Gateway invoking Lambdas which PutRecords into Kinesis, and EMR running Spark performing GetRecords on Kinesis to scale with spikes. Spark on EMR outputs the analysis to S3, which are sent out via email.
  D. Use AWS Elasticsearch service and EC2 Auto Scaling groups. The Autoscaling groups scale based on click throughput and stream into the Elasticsearch domain, which is also scalable. Use Kibana to generate reports periodically.
  B. Use a CloudFront distribution with access log delivery to S3. Clicks should be recorded as querystring GETs to the distribution. Reports are built and sent by periodically running EMR jobs over the access logs in S3.

  ---

  Because you only need to batch analyze, anything using streaming is a waste of money. CloudFront is a Gigabit-Scale HTTP(S) global request distribution service, so it can handle scale, geo-spread, spikes, and unpredictability. The Access

  Logs will contain the GET data and work just fine for batch analysis and email using EMR.

  Can I use Amazon CloudFront if I expect usage peaks higher than 10 Gbps or 15,000 RPS? Yes. Complete our request for higher limits here, and we will add more capacity to your account within two business days.

  Reference: https://aws.amazon.com/cloudfront/faqs/

• Question 402:

  Which resource cannot be defined in an Ansible Playbook?

  A. Fact Gathering State
  B. Host Groups
  C. Inventory File
  D. Variables
  C. Inventory File

  ---

  Ansible's inventory can only be specified on the command line, the Ansible configuration file or in environment variables.

  Reference: http://docs.ansible.com/ansible/intro_inventory.html

• Question 403:

  A DevOps Engineer is leading the implementation for automating patching of Windows-based workstations in a hybrid cloud environment by using AWS Systems Manager (SSM). What steps should the Engineer follow to set up Systems Manager to automate patching in this environment? (Choose two.)

  A. Create multiple IAM service roles for Systems Manager so that the ssm.amazonaws.com service can execute the AssumeRole operation on every instance. Register the role on a per-resource level to enable the creation of a service token. Perform managed-instance activation with the newly created service role attached to each managed instance.
  B. Create an IAM service role for Systems Manager so that the ssm.amazonaws.com service can execute the AssumeRole operation. Register the role to enable the creation of a service token. Perform managed-instance activation with the newly created service role.
  C. Using previously obtained activation codes and activation IDs, download and install the SSM Agent on the hybrid servers, and register the servers or virtual machines on the Systems Manager service. Hybrid instances will show with an "mi-" prefix in the SSM console.
  D. Using previously obtained activation codes and activation IDs, download and install the SSM Agent on the hybrid servers, and register the servers or virtual machines on the Systems Manager service. Hybrid instances will show with an "i-" prefix in the SSM console as if they were provisioned as a regular Amazon EC2 instance.
  E. Run AWS Config to create a list of instances that are unpatched and not compliant. Create an instance scheduler job, and through an AWS Lambda function, perform the instance patching to bring them up to compliance.
  B. Create an IAM service role for Systems Manager so that the ssm.amazonaws.com service can execute the AssumeRole operation. Register the role to enable the creation of a service token. Perform managed-instance activation with the newly created service role.
  C. Using previously obtained activation codes and activation IDs, download and install the SSM Agent on the hybrid servers, and register the servers or virtual machines on the Systems Manager service. Hybrid instances will show with an "mi-" prefix in the SSM console.

• Question 404:

  A government agency is storing highly confidential files in an encrypted Amazon S3 bucket. The agency has configured federated access and has allowed only a particular on-premises Active Directory user group to access this bucket. The agency wants to maintain audit records and automatically detect and revert any accidental changes administrators make to the IAM policies used for providing this restricted federated access. Which of the following options provide the FASTEST way to meet these requirements?

  A. Configure an Amazon CloudWatch Events Event Bus on an AWS CloudTrail API for triggering the AWS Lambda function that detects and reverts the change.
  B. Configure an AWS Config rule to detect the configuration change and execute an AWS Lambda function to revert the change.
  C. Schedule an AWS Lambda function that will scan the IAM policy attached to the federated access role for detecting and reverting any changes.
  D. Restrict administrators in the on-premises Active Directory from changing the IAM policies.
  B. Configure an AWS Config rule to detect the configuration change and execute an AWS Lambda function to revert the change.

• Question 405:

  A company uses federated access for its AWS environment. The available roles are created and managed using AWS CloudFormation from CI/CD pipeline. All changes should be made to the IAM roles through the pipeline. The security team found that changes are being made to the roles out-of-band and would like to detect when this occurs.

  Which action will accomplish this?

  A. Use Amazon Inspector rules to detect and notify when a CloudFormation stack has a configuration change.
  B. Use an AWS Trusted Advisor CloudWatch Events rule to detect and notify when a CloudFormation stack has a configuration change.
  C. Use AWS CloudTrail to detect and notify when a CloudFormation stack has detected a configuration change.
  D. Use an AWS Config rule to detect and notify when a CloudFormation stack has detected a configuration change.
  C. Use AWS CloudTrail to detect and notify when a CloudFormation stack has detected a configuration change.

  ---

  Reference: https://aws.amazon.com/blogs/mt/how-to-track-configuration-changes-to-cloudformation- stacks-using-aws-config/

• Question 406:

  An application runs on Amazon EC2 instances behind an Application Load Balancer. Amazon RDS MySQL is used on the backend. The instances run in an Auto Scaling group across multiple Availability Zones. The Application Load

  Balancer health check ensures the web servers are operating and able to make read/write SQL connections. Amazon Route 53 provides DNS functionality with a record pointing to the Application Load Balancer. A new policy requires a

  geographically isolated disaster recovery site with an RTO of 4 hours and an RPO of 15 minutes.

  Which disaster recovery strategy will require the LEAST amount of changes to the application stack?

  A. Launch a replica stack of everything except RDS in a different Availability Zone. Create an RDS read- only replica in a new Availability Zone and configure the new stack to point to the local RDS instance. Add the new stack to the Route 53 record set with a failover routing policy.
  B. Launch a replica stack of everything except RDS in a different region. Create an RDS read-only replica in a new region and configure the new stack to point to the local RDS instance. Add the new stack to the Route 53 record set with a latency routing policy.
  C. Launch a replica stack of everything except RDS in a different region. Upon failure, copy the snapshot over from the primary region to the disaster recovery region. Adjust the Amazon Route 53 record set to point to the disaster recovery region's Application Load Balancer.
  D. Launch a replica stack of everything except RDS in a different region. Create an RDS read-only replica in a new region and configure the new stack to point to the local RDS instance. Add the new stack to the Amazon Route 53 record set with a failover routing policy.
  D. Launch a replica stack of everything except RDS in a different region. Create an RDS read-only replica in a new region and configure the new stack to point to the local RDS instance. Add the new stack to the Amazon Route 53 record set with a failover routing policy.

• Question 407:

  A DevOps Engineer is deploying an Amazon API Gateway API with an AWS Lambda function providing the backend functionality. The Engineer needs to record the source IP address and response status of every API call.

  Which combination of actions should the DevOps Engineer take to implement this functionality? (Choose three.)

  A. Configure AWS X-Ray to enable access logging for the API Gateway requests.
  B. Configure the API Gateway stage to enable access logging and choose a logging format.
  C. Create a new Amazon CloudWatch Logs log group or choose an existing log group to store the logs.
  D. Grant API Gateway permission to read and write logs to Amazon CloudWatch through an IAM role.
  E. Create a new Amazon S3 bucket or choose an existing S3 bucket to store the logs.
  F. Configure API Gateway to stream its log data to Amazon Kinesis.
  B. Configure the API Gateway stage to enable access logging and choose a logging format.
  C. Create a new Amazon CloudWatch Logs log group or choose an existing log group to store the logs.
  D. Grant API Gateway permission to read and write logs to Amazon CloudWatch through an IAM role.

• Question 408:

  A DevOps Engineer is reviewing a system that uses Amazon EC2 instances in an Auto Scaling group. This system uses a configuration management tool that runs locally on each EC2 instance. Because of the volatility of the application load, new instances must be fully functional within 3 minutes of entering a running state. Current setup tasks include:

  1.

  Installing the configuration management agent ?2 minutes

  2.

  Installing the application framework ?15 minutes

  3.

  Copying configuration data from Amazon S3 ?2 minutes

  4.

  Running the configuration management agent to configure instances ?1 minute

  5.

  Deploying the application code from Amazon S3 ?2 minutes

  How should the Engineer set up the system so it meets the launch time requirement?

  A. Trigger an AWS Lambda function from an Amazon CloudWatch Events rule when a new EC2 instance launches. Have the function install the configuration management agent and the application framework, pull configuration data from Amazon S3, run the agent to configure the instance, and deploy the application from S3.
  B. Write a bootstrap script to install the configuration management agent, install the application framework, pull configuration data from Amazon S3, run the agent to configure the instance, and deploy the application from S3.
  C. Build a custom AMI that includes the configuration management agent and application framework. Write a bootstrap script to pull configuration data from Amazon S3, run the agent to configure the instance, and deploy the application from S3.
  D. Build a custom AMI that includes the configuration management agent, application framework, and configuration data. Write a bootstrap script to run the agent to configure the instance and deploy the application from Amazon S3.
  B. Write a bootstrap script to install the configuration management agent, install the application framework, pull configuration data from Amazon S3, run the agent to configure the instance, and deploy the application from S3.

• Question 409:

  Your development team wants account-level access to production instances in order to do live debugging of a highly secure environment. Which of the following should you do?

  A. Place the credentials provided by Amazon Elastic Compute Cloud (EC2) into a secure Amazon Sample Storage Service (S3) bucket with encryption enabled. Assign AWS Identity and Access Management (IAM) users to each developer so they can download the credentials file.
  B. Place an internally created private key into a secure S3 bucket with server-side encryption using customer keys and configuration management, create a service account on all the instances using this private key, and assign IAM users to each developer so they can download the file.
  C. Place each developer's own public key into a private S3 bucket, use instance profiles and configuration management to create a user account for each developer on all instances, and place the user's public keys into the appropriate account.
  D. Place the credentials provided by Amazon EC2 onto an MFA encrypted USB drive, and physically share it with each developer so that the private key never leaves the office.
  C. Place each developer's own public key into a private S3 bucket, use instance profiles and configuration management to create a user account for each developer on all instances, and place the user's public keys into the appropriate account.

• Question 410:

  By default, Amazon CloudTrail logs ____ actions defined by the CloudTrail ____ APIs.

  A. bucket-level; RESTful
  B. object-level; RESTful
  C. object-level; SDK
  D. bucket-level; SDK
  A. bucket-level; RESTful

  ---

  By default, CloudTrail logs bucket-level actions. Amazon S3 records are written together with other AWS service records in a log file. Amazon S3 bucket-level actions supported for logging by CloudTrail are defined in its RESTful API.

  Reference: http://docs.aws.amazon.com/AmazonS3/latest/dev/cloudtrail-logging.html