Amazon DOP-C02 Online Practice Questions and Exam Preparation

Amazon DOP-C02 Online Questions & Answers

• Question 301:

  A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company has enabled all features for the organization. The member accounts under one OU contain S3 buckets that store sensitive data.

  A DevOps engineer wants to ensure that only IAM principals from within the organization can access the S3 buckets in the OU.

  Which solution will meet this requirement?

  A. Create an SCP in the management account of the organization to restrict Amazon S3 actions by using the aws:PrincipalAccount condition. Apply the SCP to the OU.
  B. Create an IAM permissions boundary in the management account of the organization to restrict access to Amazon S3 actions by using the aws:PrincipalOrgID condition.
  C. Configure AWS Resource Access Manager (AWS RAM) to restrict access to S3 buckets in the OU so the S3 buckets cannot be shared outside the organization.
  D. Create a resource control policy (RCP) in the management account of the organization to restrict Amazon S3 actions by using the aws:PrincipalOrgID condition. Apply the RCP to the OU.
  A. Create an SCP in the management account of the organization to restrict Amazon S3 actions by using the aws:PrincipalAccount condition. Apply the SCP to the OU.

• Question 302:

  An online retail company based in the United States plans to expand its operations to Europe and Asia in the next six months. Its product currently runs on Amazon EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group across multiple Availability Zones. All data is stored in an Amazon Aurora database instance.

  When the product is deployed in multiple regions, the company wants a single product catalog across all regions, but for compliance purposes, its customer information and purchases must be kept in each region.

  How should the company meet these requirements with the LEAST amount of application changes?

  A. Use Amazon Redshift for the product catalog and Amazon DynamoDB tables for the customer information and purchases.
  B. Use Amazon DynamoDB global tables for the product catalog and regional tables for the customer information and purchases.
  C. Use Aurora with read replicas for the product catalog and additional local Aurora instances in each region for the customer information and purchases.
  D. Use Aurora for the product catalog and Amazon DynamoDB global tables for the customer information and purchases.
  C. Use Aurora with read replicas for the product catalog and additional local Aurora instances in each region for the customer information and purchases.

• Question 303:

  A company is using AWS Organizations to centrally manage its AWS accounts. The company has turned on AWS Config in each member account by using AWS CloudFormation StackSets. The company has configured trusted access in Organizations for AWS Config and has configured a member account as a delegated administrator account for AWS Config.

  A DevOps engineer needs to implement a new security policy. The policy must require all current and future AWS member accounts to use a common baseline of AWS Config rules that contain remediation actions that are managed from a central account. Non-administrator users who can access member accounts must not be able to modify this common baseline of AWS Config rules that are deployed into each member account.

  Which solution will meet these requirements?

  A. Create a CloudFormation template that contains the AWS Config rules and remediation actions. Deploy the template from the Organizations management account by using CloudFormation StackSets.
  B. Create an AWS Config conformance pack that contains the AWS Config rules and remediation actions. Deploy the pack from the Organizations management account by using CloudFormation StackSets.
  C. Create a CloudFormation template that contains the AWS Config rules and remediation actions. Deploy the template from the delegated administrator account by using AWS Config.
  D. Create an AWS Config conformance pack that contains the AWS Config rules and remediation actions. Deploy the pack from the delegated administrator account by using AWS Config.
  D. Create an AWS Config conformance pack that contains the AWS Config rules and remediation actions. Deploy the pack from the delegated administrator account by using AWS Config.

• Question 304:

  A DevOps engineer needs to implement a solution to install antivirus software on all the Amazon EC2 instances in an AWS account. The EC2 instances run the most recent version of Amazon Linux.

  The solution must detect all instances and must use an AWS Systems Manager document to install the software if the software is not present.

  Which solution will meet these requirements?

  A. Create an association in Systems Manager State Manager. Target all the managed nodes. Include the software in the association. Configure the association to use the Systems Manager document.
  B. Set up AWS Config to record all the resources in the account. Create an AWS Config custom rule to determine if the software is installed on all the EC2 instances. Configure an automatic remediation action that uses the Systems Manager document for noncompliant EC2 instances.
  C. Activate Amazon EC2 scanning on Amazon Inspector to determine if the software is installed on all the EC2 instances. Associate the findings with the Systems Manager document.
  D. Create an Amazon EventBridge rule that uses AWS CloudTrail to detect the Runinstances API call. Configure inventory collection in Systems Manager Inventory to determine if the software is installed on the EC2 instances. Associate the Systems Manager inventory with the Systems Manager document.
  A. Create an association in Systems Manager State Manager. Target all the managed nodes. Include the software in the association. Configure the association to use the Systems Manager document.

• Question 305:

  A company has an organization in AWS Organizations for its multi-account environment. A DevOps engineer is developing an AWS CodeArtifact based strategy for application package management across the organization. Each application team at the company has its own account in the organization. Each application team also has limited access to a centralized shared services account.

  Each application team needs full access to download, publish, and grant access to its own packages. Some common library packages that the application teams use must also be shared with the entire organization.

  Which combination of steps will meet these requirements with the LEAST administrative overhead? (Choose three.)

  A. Create a domain in each application team's account. Grant each application team's account full read access and write access to the application team's domain.
  B. Create a domain in the shared services account. Grant the organization read access and CreateRepository access.
  C. Create a repository in each application team's account. Grant each application team's account full read access and write access to its own repository.
  D. Create a repository in the shared services account. Grant the organization read access to the repository in the shared services account Set the repository as the upstream repository in each application team's repository.
  E. For teams that require shared packages, create resource-based policies that allow read access to the repository from other application teams' accounts.
  F. Set the other application teams' repositories as upstream repositories.
  B. Create a domain in the shared services account. Grant the organization read access and CreateRepository access.
  C. Create a repository in each application team's account. Grant each application team's account full read access and write access to its own repository.
  D. Create a repository in the shared services account. Grant the organization read access to the repository in the shared services account Set the repository as the upstream repository in each application team's repository.

• Question 306:

  A company maintains a stateless web application that is experiencing inconsistent traffic. The company uses AWS CloudFormation to deploy the application. The application runs on Amazon EC2 On-Demand Instances behind an Application

  Load Balancer (ALB). The instances run across multiple Availability Zones.

  The company wants to Include the use of Spot Instances while continuing to use a small number of On-Demand Instances to ensure that the application remains highly available.

  What is the MOST cost-effective solution that meets these requirements?

  A. Add a Spot block resource to the AWS CloudFormation template. Use the diversified allocation strategy with step scaling behind the ALB.
  B. Add a Spot block resource to the AWS CloudFormation template. Use the lowest-price allocation strategy with target tracking scaling behind the ALB.
  C. Add a Spot Fleet resource to the AWS CloudFormation template. Use the capacity-optimized allocation strategy with step scaling behind the ALB.
  D. Add a Spot Fleet resource to the AWS CloudFormation template. Use the diversified allocation strategy with scheduled scaling behind the ALB.
  C. Add a Spot Fleet resource to the AWS CloudFormation template. Use the capacity-optimized allocation strategy with step scaling behind the ALB.

  ---

  https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-configuration-strategies.html

• Question 307:

  A company is building a serverless application that uses AWS Lambda functions to process data.

  A BeginResponse Lambda function initializes data in response to specific application events. The company needs to ensure that a large number of Lambda functions are invoked after the BeginResponse Lambda function runs. Each Lambda function must be invoked in parallel and depends on only the outputs of the BeginResponse Lambda function. Each Lambda function has retry logic for invocation and must be able to fine-tune concurrency without losing data.

  Which solution will meet these requirements with the MOST operational efficiency?

  A. Create an Amazon Simple Notification Service (Amazon SNS) topic. Modify the BeginResponse Lambda function to publish to the SNS topic before the BeginResponse Lambda function finishes running. Subscribe all Lambda functions that need to invoke after the BeginResponse Lambda function runs to the SNS topic. Subscribe any new Lambda functions to the SNS topic.
  B. Create an Amazon Simple Queue Service (Amazon SQS) queue for each Lambda function that needs to run after the BeginResponse Lambda function runs. Subscribe each Lambda function to its own SQS queue. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe each SQS queue to the SNS topic. Modify the BeginResponse function to publish to the SNS topic when it finishes running.
  C. Create an Amazon Simple Queue Service (Amazon SQS) queue for each Lambda function that needs to run after the BeginResponse Lambda function runs. Subscribe the Lambda function to the SQS queue. Create an Amazon Simple Notification Service (Amazon SNS) topic for each SQS queue. Subscribe the SQS queues to the SNS topics. Modify the BeginResponse function to publish to the SNS topics when the function finishes running.
  D. Create an AWS Step Functions Standard Workflow. Configure states in the workflow to invoke the Lambda functions sequentially. Create an Amazon Simple Notification Service (Amazon SNS) topic. Modify the BeginResponse Lambda function to publish to the SNS topic before the Lambda function finishes running. Create a new Lambda function that is subscribed to the SNS topic and that invokes the Step Functions workflow.
  B. Create an Amazon Simple Queue Service (Amazon SQS) queue for each Lambda function that needs to run after the BeginResponse Lambda function runs. Subscribe each Lambda function to its own SQS queue. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe each SQS queue to the SNS topic. Modify the BeginResponse function to publish to the SNS topic when it finishes running.

• Question 308:

  You currently have the following setup in AWS:

  1) An Elastic Load Balancer 2) Auto Scaling Group which launches EC2 Instances 3) AMIs with your code pre-installed You want to deploy the updates of your app to only a certain number of users. You want to have a cost-effective solution. You should also be able to revert back quickly.

  Which of the below solutions is the most feasible one?

  A. Create a second ELB, and a new Auto Scaling Group assigned a new Launch Configuration. Create a new AMI with the updated app. Use Route53 Weighted Round Robin records to adjust the proportion of traffic hitting the two ELBs.
  B. Create new AMIs with the new app. Then use the new EC2 instances in half proportion to the older instances.
  C. Redeploy with AWS Elastic Beanstalk and Elastic Beanstalk versions. Use Route 53 Weighted Round Robin records to adjust the proportion of traffic hitting the two ELBs
  D. Create a full second stack of instances, cut the DNS over to the new stack of instances, and change the DNS back if a rollback is needed.
  A. Create a second ELB, and a new Auto Scaling Group assigned a new Launch Configuration. Create a new AMI with the updated app. Use Route53 Weighted Round Robin records to adjust the proportion of traffic hitting the two ELBs.

  ---

  The Weighted Routing policy of Route53 can be used to direct a proportion of traffic to your application. The best option is to create a second CLB, attach the new Autoscaling Group and then use Route53 to divert the traffic. Option B is wrong because just having EC2 instances running with the new code will not help. Option C is wrong because Clastic beanstalk is good for development environments, and also there is no mention of having 2 environments where environment urls can be swapped. Option D is wrong because you still need Route53 to split the traffic.

• Question 309:

  As CloudTrail sends a notification each time a log file is written to the Amazon S3 bucket, an account that is very active can generate a large number of notifications. If you subscribe using email or SMS, you may end up receiving a large volume of messages. Which of the following should you use to handle notifications programmatically?

  A. Amazon Kinesis Firehose
  B. Amazon Simple Queue Service (Amazon SQS)
  C. Amazon Simple Email Service (Amazon SES)
  D. Amazon AppStream
  B. Amazon Simple Queue Service (Amazon SQS)

  ---

  As CloudTrail sends a notification each time a log file is written to the Amazon S3 bucket, an account that's very active can generate a large number of notifications. If you subscribe using email or SMS, you can end up receiving more messages than you can handle. AWS recommends that you subscribe using Amazon Simple Queue Service (Amazon SQS), which lets you handle notifications programmatically. http://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_configuration.html

• Question 310:

  A company uses an Amazon Elastic Kubernetes Service (Amazon EKS) cluster to host its machine learning (ML) application. As the ML model and the container image size grow, the time that new pods take to start up has increased to several minutes.

  A DevOps engineer needs to reduce the startup time to seconds. The solution must also reduce the startup time to seconds when the pod runs on nodes that were recently added to the cluster.

  The DevOps engineer creates an Amazon EventBridge rule that invokes an automation in AWS Systems Manager. The automation prefetches the container images from an Amazon Elastic Container Registry (Amazon ECR) repository when new images are pushed to the repository. The DevOps engineer also configures tags to be applied to the cluster and the node groups.

  What should the DevOps engineer do next to meet the requirements?

  A. Create an IAM role that has a policy that allows EventBridge to use Systems Manager to run commands in the EKS cluster's control plane nodes. Create a Systems Manager State Manager association that uses the control plane nodes' tags to prefetch corresponding container images.
  B. Create an IAM role that has a policy that allows EventBridge to use Systems Manager to run commands in the EKS cluster's nodes. Create a Systems Manager State Manager association that uses the nodes' machine size to prefetch corresponding container images.
  C. Create an IAM role that has a policy that allows EventBridge to use Systems Manager to run commands in the EKS cluster's nodes. Create a Systems Manager State Manager association that uses the nodes' tags to prefetch corresponding container images.
  D. Create an IAM role that has a policy that allows EventBridge to use Systems Manager to run commands in the EKS cluster's control plane nodes. Create a Systems Manager State Manager association that uses the nodes' tags to prefetch corresponding container images.
  C. Create an IAM role that has a policy that allows EventBridge to use Systems Manager to run commands in the EKS cluster's nodes. Create a Systems Manager State Manager association that uses the nodes' tags to prefetch corresponding container images.