Amazon Amazon Certifications DOP-C02 Questions & Answers

• Question 161:

  A DevOps engineer is working on a data archival project that requires the migration of on-premises data to an Amazon S3 bucket. The DevOps engineer develops a script that incrementally archives on-premises data that is older than 1 month to Amazon S3. Data that is transferred to Amazon S3 is deleted from the on-premises location The script uses the S3 PutObject operation.

  During a code review the DevOps engineer notices that the script does not verity whether the data was successfully copied to Amazon S3. The DevOps engineer must update the script to ensure that data is not corrupted during transmission.

  The script must use MD5 checksums to verify data integrity before the on-premises data is deleted. Which solutions for the script will meet these requirements'? (Select TWO.)

  A. Check the returned response for the Versioned Compare the returned Versioned against the MD5 checksum.

  B. Include the MD5 checksum within the Content-MD5 parameter. Check the operation call's return status to find out if an error was returned.

  C. Include the checksum digest within the tagging parameter as a URL query parameter.

  D. Check the returned response for the ETag. Compare the returned ETag against the MD5 checksum.

  E. Include the checksum digest within the Metadata parameter as a name-value pair After upload use the S3 HeadObject operation to retrieve metadata from the object.

  Correct Answer: BD

  https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html

• Question 162:

  A company is using an AWS CodeBuild project to build and package an application. The packages are copied to a shared Amazon S3 bucket before being deployed across multiple AWS accounts. The buildspec.yml file contains the following:

  

  The DevOps engineer has noticed that anybody with an AWS account is able to download the artifacts. What steps should the DevOps engineer take to stop this?

  A. Modify the post_build command to use --acl public-read and configure a bucket policy that grants read access to the relevant AWS accounts only.

  B. Configure a default ACL for the S3 bucket that defines the set of authenticated users as the relevant AWS accounts only and grants read-only access.

  C. Create an S3 bucket policy that grants read access to the relevant AWS accounts and denies read access to the principal "*".

  D. Modify the post_build command to remove --acl authenticated-read and configure a bucket policy that allows read access to the relevant AWS accounts only.

  Correct Answer: D

  When setting the flag authenticated-read in the command line, the owner gets FULL_CONTROL. The AuthenticatedUsers group (Anyone with an AWS account) gets READ access.

  Reference: https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html

• Question 163:

  A DevOps engineer has automated a web service deployment by using AWS CodePipeline with the following steps:

  1) An AWS CodeBuild project compiles the deployment artifact and runs unit tests.

  2) An AWS CodeDeploy deployment group deploys the web service to Amazon EC2 instances in the staging environment.

  3) A CodeDeploy deployment group deploys the web service to EC2 instances in the production environment.

  The quality assurance (QA) team requests permission to inspect the build artifact before the deployment to the production environment occurs.

  The QA team wants to run an internal penetration testing tool to conduct manual tests. The tool will be invoked by a REST API call.

  Which combination of actions should the DevOps engineer take to fulfill this request? (Choose two.)

  A. Insert a manual approval action between the test actions and deployment actions of the pipeline.

  B. Modify the buildspec.yml file for the compilation stage to require manual approval before completion.

  C. Update the CodeDeploy deployment groups so that they require manual approval to proceed.

  D. Update the pipeline to directly call the REST API for the penetration testing tool.

  E. Update the pipeline to invoke an AWS Lambda function that calls the REST API for the penetration testing tool.

  Correct Answer: AE

• Question 164:

  A company's application is currently deployed to a single AWS Region. Recently, the company opened a new office on a different continent. The users in the new office are experiencing high latency. The company's application runs on Amazon EC2 instances behind an Application Load Balancer (ALB) and uses Amazon DynamoDB as the database layer. The instances run in an EC2 Auto Scaling group across multiple Availability Zones. A DevOps engineer is tasked with minimizing application response times and improving availability for users in both Regions.

  Which combination of actions should be taken to address the latency issues? (Choose three.)

  A. Create a new DynamoDB table in the new Region with cross-Region replication enabled.

  B. Create new ALB and Auto Scaling group global resources and configure the new ALB to direct traffic to the new Auto Scaling group.

  C. Create new ALB and Auto Scaling group resources in the new Region and configure the new ALB to direct traffic to the new Auto Scaling group.

  D. Create Amazon Route 53 records, health checks, and latency-based routing policies to route to the ALB.

  E. Create Amazon Route 53 aliases, health checks, and failover routing policies to route to the ALB.

  F. Convert the DynamoDB table to a global table.

  Correct Answer: CDF

  C. Create new ALB and Auto Scaling group resources in the new Region and configure the new ALB to direct traffic to the new Auto Scaling group. This will allow users in the new Region to access the application with lower latency by reducing the network hops between the user and the application servers.

  D. Create Amazon Route 53 records, health checks, and latency-based routing policies to route to the ALB. This will enable Route 53 to route user traffic to the nearest healthy ALB, based on the latency between the user and the ALBs. F. Convert the DynamoDB table to a global table. This will enable reads and writes to the table in both Regions with low latency, improving the overall response time of the application

• Question 165:

  A business has an application that consists of five independent AWS Lambda functions.

  The DevOps engineer has built a CI/CD pipeline using AWS CodePipeline and AWS CodeBuild that builds tests packages and deploys each Lambda function in sequence. The pipeline uses an Amazon EventBridge rule to ensure the pipeline

  starts as quickly as possible after a change is made to the application source code.

  After working with the pipeline for a few months the DevOps engineer has noticed the pipeline takes too long to complete.

  What should the DevOps engineer implement to BEST improve the speed of the pipeline?

  A. Modify the CodeBuild projects within the pipeline to use a compute type with more available network throughput.

  B. Create a custom CodeBuild execution environment that includes a symmetric multiprocessing configuration to run the builds in parallel.

  C. Modify the CodePipeline configuration to run actions for each Lambda function in parallel by specifying the same runorder.

  D. Modify each CodeBuild protect to run within a VPC and use dedicated instances to increase throughput.

  Correct Answer: C

  https://docs.aws.amazon.com/codepipeline/latest/userguide/reference-pipeline-structure.html AWS doc: "To specify parallel actions, use the same integer for each action you want to run in parallel. For example, if you want three actions to run in sequence in a stage, you would give the first action the runOrder value of 1, the second action the runOrder value of 2, and the third the runOrder value of 3. However, if you want the second and third actions to run in parallel, you would give the first action the runOrder value of 1 and both the second and third actions the runOrder value of 2."

• Question 166:

  A company is launching an application. The application must use only approved AWS services. The account that runs the application was created less than 1 year ago and is assigned to an AWS Organizations OU.

  The company needs to create a new Organizations account structure. The account structure must have an appropriate SCP that supports the use of only services that are currently active in the AWS account.

  The company will use AWS Identity and Access Management (IAM) Access Analyzer in the solution.

  Which solution will meet these requirements?

  A. Create an SCP that allows the services that IAM Access Analyzer identifies. Create an OU for the account. Move the account into the new OU. Attach the new SCP to the new OU. Detach the default FullAWSAccess SCP from the new OU.

  B. Create an SCP that denies the services that IAM Access Analyzer identifies. Create an OU for the account. Move the account into the new OIJ. Attach the new SCP to the new OU.

  C. Create an SCP that allows the services that IAM Access Analyzer identifies. Attach the new SCP to the organization's root.

  D. Create an SCP that allows the services that IAM Access Analyzer identifies. Create an OU for the account. Move the account into the new OU. Attach the new SCP to the management account. Detach the default FullAWSAccess SCP from the new OU.

  Correct Answer: A

  To meet the requirements of creating a new Organizations account structure with an appropriate SCP that supports the use of only services that are currently active in the AWS account, the company should use the following solution: Create an SCP that allows the services that IAM Access Analyzer identifies. IAM Access Analyzer is a service that helps identify potential resource-access risks by analyzing resource-based policies in the AWS environment. IAM Access Analyzer can also generate IAM policies based on access activity in the AWS CloudTrail logs. By using IAM Access Analyzer, the company can create an SCP that grants only the permissions that are required for the application to run, and denies all other services. This way, the company can enforce the use of only approved AWS services and reduce the risk of unauthorized access12 Create an OU for the account. Move the account into the new OU. An OU is a container for accounts within an organization that enables you to group accounts that have similar business or security requirements. By creating an OU for the account, the company can apply policies and manage settings for the account as a group. The company should move the account into the new OU to make it subject to the policies attached to the OU3 Attach the new SCP to the new OU. Detach the default FullAWSAccess SCP from the new OU. An SCP is a type of policy that specifies the maximum permissions for an organization or organizational unit (OU). By attaching the new SCP to the new OU, the company can restrict the services that are available to all accounts in that OU, including the account that runs the application. The company should also detach the default FullAWSAccess SCP from the new OU, because this policy allows all actions on all AWS services and might override or conflict with the new SCP45 The other options are not correct because they do not meet the requirements or follow best practices. Creating an SCP that denies the services that IAM Access Analyzer identifies is not a good option because it might not cover all possible services that are not approved or required for the application. A deny policy is also more difficult to maintain and update than an allow policy. Creating an SCP that allows the services that IAM Access Analyzer identifies and attaching it to the organization's root is not a good option because it might affect other accounts and OUs in the organization that have different service requirements or approvals. Creating an SCP that allows the services that IAM Access Analyzer identifies and attaching it to the management account is not a valid option because SCPs cannot be attached directly to accounts, only to OUs or roots. References:

  1: Using AWS Identity and Access Management Access Analyzer -AWS Identity and Access Management

  2: Generate a policy based on access activity -AWS Identity and Access Management

  3: Organizing your accounts into OUs -AWS Organizations

  4: Service control policies -AWS Organizations

  5: How SCPs work -AWS Organizations

• Question 167:

  A company has a new AWS account that teams will use to deploy various applications. The teams will create many Amazon S3 buckets for application- specific purposes and to store AWS CloudTrail logs. The company has enabled Amazon Macie for the account.

  A DevOps engineer needs to optimize the Macie costs for the account without compromising the account's functionality.

  Which solutions will meet these requirements? (Select TWO.)

  A. Exclude S3 buckets that contain CloudTrail logs from automated discovery.

  B. Exclude S3 buckets that have public read access from automated discovery.

  C. Configure scheduled daily discovery jobs for all S3 buckets in the account.

  D. Configure discovery jobs to include S3 objects based on the last modified criterion.

  E. Configure discovery jobs to include S3 objects that are tagged as production only.

  Correct Answer: AD

  To optimize the Macie costs for the account without compromising the account's functionality, the DevOps engineer needs to exclude S3 buckets that do not contain sensitive data from automated discovery. S3 buckets that contain CloudTrail logs are unlikely to have sensitive data, and Macie charges for scanning and monitoring data in S3 buckets. Therefore, excluding S3 buckets that contain CloudTrail logs from automated discovery can reduce Macie costs. Similarly, configuring discovery jobs to include S3 objects based on the last modified criterion can also reduce Macie costs, as it will only scan and monitor new or updated objects, rather than all objects in the bucket.

• Question 168:

  An ecommerce company has chosen AWS to host its new platform. The company's DevOps team has started building an AWS Control Tower landing zone. The DevOps team has set the identity store within AWS IAM Identity Center (AWS Single Sign-On) to external identity provider (IdP) and has configured SAML 2.0.

  The DevOps team wants a robust permission model that applies the principle of least privilege. The model must allow the team to build and manage only the team's own resources.

  Which combination of steps will meet these requirements? (Choose three.)

  A. Create IAM policies that include the required permissions. Include the aws:PrincipalTag condition key.

  B. Create permission sets. Attach an inline policy that includes the required permissions and uses the aws:PrincipalTag condition key to scope the permissions.

  C. Create a group in the IdP. Place users in the group. Assign the group to accounts and the permission sets in IAM Identity Center.

  D. Create a group in the IdP. Place users in the group. Assign the group to OUs and IAM policies.

  E. Enable attributes for access control in IAM Identity Center. Apply tags to users. Map the tags as key-value pairs.

  F. Enable attributes for access control in IAM Identity Center. Map attributes from the IdP as key-value pairs.

  Correct Answer: BCF

  Using the principalTag in the Permission Set inline policy a logged in user belonging to a specific AD group in the IDP can be permitted access to perform operations on certain resources if their group matches the group used in the PrincipleTag. Basically you are narrowing the scope of privileges assigned via Permission policies conditionally based on whether the logged in user belongs to a specific AD Group in IDP. The mapping of the AD group to the request attributes can be done using SSO attributes where we can pass other attributes like the SAML token as well. https://docs.aws.amazon.com/singlesignon/latest/userguide/abac.html

• Question 169:

  A company is using AWS CodePipeline to automate its release pipeline. AWS CodeDeploy is being used in the pipeline to deploy an application to Amazon Elastic Container Service (Amazon ECS) using the blue/green deployment model. The company wants to implement scripts to test the green version of the application before shifting traffic. These scripts will complete in 5 minutes or less. If errors are discovered during these tests, the application must be rolled back.

  Which strategy will meet these requirements?

  A. Add a stage to the CodePipeline pipeline between the source and deploy stages. Use AWS CodeBuild to create a runtime environment and build commands in the buildspec file to invoke test scripts. If errors are found, use the aws deploy stop-deployment command to stop the deployment.

  B. Add a stage to the CodePipeline pipeline between the source and deploy stages. Use this stage to invoke an AWS Lambda function that will run the test scripts. If errors are found, use the aws deploy stop-deployment command to stop the deployment.

  C. Add a hooks section to the CodeDeploy AppSpec file. Use the AfterAllowTestTraffic lifecycle event to invoke an AWS Lambda function to run the test scripts. If errors are found, exit the Lambda function with an error to initiate rollback.

  D. Add a hooks section to the CodeDeploy AppSpec file. Use the AfterAllowTraffic lifecycle event to invoke the test scripts. If errors are found, use the aws deploy stop-deployment CLI command to stop the deployment.

  Correct Answer: C

  https://docs.aws.amazon.com/codedeploy/latest/userguide/reference-appspec-file-structure-hooks.html

• Question 170:

  A company uses a series of individual Amazon Cloud Formation templates to deploy its multi-Region Applications. These templates must be deployed in a specific order. The company is making more changes to the templates than previously

  expected and wants to deploy new templates more efficiently. Additionally, the data engineering team must be notified of all changes to the templates.

  What should the company do to accomplish these goals?

  A. Create an AWS Lambda function to deploy the Cloud Formation templates m the required order Use stack policies to alert the data engineering team.

  B. Host the Cloud Formation templates in Amazon S3 Use Amazon S3 events to directly trigger CloudFormation updates and Amazon SNS notifications.

  C. Implement CloudFormation StackSets and use drift detection to trigger update alerts to the data engineering team.

  D. Leverage CloudFormation nested stacks and stack sets (or deployments Use Amazon SNS to notify the data engineering team.

  Correct Answer: D

  This solution will meet the requirements because it will use CloudFormation nested stacks and stack sets to deploy the templates more efficiently and consistently across multiple regions. Nested stacks allow the company to separate out common components and reuse templates, while stack sets allow the company to create stacks in multiple accounts and regions with a single template. The company can also use Amazon SNS to send notifications to the data engineering team whenever a change is made to the templates or the stacks. Amazon SNS is a service that allows you to publish messages to subscribers, such as email addresses, phone numbers, or other AWS services. By using Amazon SNS, the company can ensure that the data engineering team is aware of all changes to the templates and can take appropriate actions if needed. What is Amazon SNS? -Amazon Simple Notification Service