Amazon DOP-C02 Online Practice
Questions and Exam Preparation
DOP-C02 Exam Details
Exam Code
:DOP-C02
Exam Name
:AWS Certified DevOps Engineer - Professional (DOP-C02)
Certification
:Amazon Certifications
Vendor
:Amazon
Total Questions
:461 Q&As
Last Updated
:Jul 11, 2026
Amazon DOP-C02 Online Questions &
Answers
Question 31:
A company is using an AWS CodeBuild project to build and package an application. The packages are copied to a shared Amazon S3 bucket before being deployed across multiple AWS accounts.
The buildspec.yml file contains the following:
The DevOps engineer has noticed that anybody with an AWS account is able to download the artifacts. What steps should the DevOps engineer take to stop this?
A. Modify the post_build command to use --acl public-read and configure a bucket policy that grants read access to the relevant AWS accounts only. B. Configure a default ACL for the S3 bucket that defines the set of authenticated users as the relevant AWS accounts only and grants read-only access. C. Create an S3 bucket policy that grants read access to the relevant AWS accounts and denies read access to the principal "*". D. Modify the post_build command to remove --acl authenticated-read and configure a bucket policy that allows read access to the relevant AWS accounts only.
D. Modify the post_build command to remove --acl authenticated-read and configure a bucket policy that allows read access to the relevant AWS accounts only. Explanation Explanation/Reference:When setting the flag authenticated-read in the command line, the owner gets FULL_CONTROL. The AuthenticatedUsers group (Anyone with an AWS account) gets READ access. https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html
Question 32:
Ansible supports running Playbook on the host directly or via SSH. How can Ansible be told to run its playbooks directly on the host?
A. Setting `connection: local' in the tasks that run locally. B. Specifying `-type local' on the command line. C. It does not need to be specified; it is the default. D. Setting `connection: local' in the Playbook.
D. Setting `connection: local' in the Playbook. Ansible can be told to run locally on the command line with the `-c' option or can be told via the `connection: local' declaration in the playbook. The default connection method is `remote'. http://docs.ansible.com/ansible/intro_inventory.html#non-ssh-connection-types
Question 33:
A company is hosting a static website from an Amazon S3 bucket. The website is available to customers at example.com. The company uses an Amazon Route 53 weighted routing policy with a TTL of 1 day. The company has decided to replace the existing static website with a dynamic web application. The dynamic web application uses an Application Load Balancer (ALB) in front of a fleet of Amazon EC2 instances.
On the day of production launch to customers, the company creates an additional Route 53 weighted DNS record entry that points to the ALB with a weight of 255 and a TTL of 1 hour. Two days later, a DevOps engineer notices that the previous static website is displayed sometimes when customers navigate to example.com.
How can the DevOps engineer ensure that the company serves only dynamic content for example.com?
A. Delete all objects, including previous versions, from the S3 bucket that contains the static website content. B. Update the weighted DNS record entry that points to the S3 bucket. Apply a weight of 0. Specify the domain reset option to propagate changes immediately. C. Configure webpage redirect requests on the S3 bucket with a hostname that redirects to the ALB. D. Remove the weighted DNS record entry that points to the S3 bucket from the example.com hosted zone. Wait for DNS propagation to become complete.
D. Remove the weighted DNS record entry that points to the S3 bucket from the example.com hosted zone. Wait for DNS propagation to become complete.
Question 34:
You have deployed an application to AWS which makes use of Autoscaling to launch new instances. You now want to change the instance type for the new instances. Which of the following is one of the action items to achieve this deployment?
A. Use Elastic Beanstalk to deploy the new application with the new instance type B. Use Cloudformation to deploy the new application with the new instance type C. Create a new launch configuration with the new instance type D. Create new EC2 instances with the new instance type and attach it to the Autoscaling Group
C. Create a new launch configuration with the new instance type The ideal way is to create a new launch configuration, attach it to the existing Auto Scaling group, and terminate the running instances. Option A is invalid because Clastic beanstalk cannot launch new instances on demand. Since the current scenario requires Autoscaling, this is not the ideal option Option B is invalid because this will be a maintenance overhead, since you just have an Autoscaling Group. There is no need to create a whole Cloudformation template for this. Option D is invalid because Autoscaling Group will still launch CC2 instances with the older launch configuration.
Question 35:
Which tool will Ansible not use, even if available, to gather facts?
A. facter B. lsb_release C. Ansible setup module D. ohai
B. lsb_release Explanation Explanation/Reference:Ansible will use its own `setup' module to gather facts for the local system. Additionally, if ohai or facter are installed, those will also be used and all variables will be prefixed with `ohai_' or `facter_' respectively. `lsb_relase' is a Linux tool for determining distribution information. http://docs.ansible.com/ansible/setup_module.html
Question 36:
An ecommerce company has chosen AWS to host its new platform. The company's DevOps team has started building an AWS Control Tower landing zone. The DevOps team has set the identity store within AWS IAM Identity Center (AWS Single Sign-On) to external identity provider (IdP) and has configured SAML 2.0.
The DevOps team wants a robust permission model that applies the principle of least privilege. The model must allow the team to build and manage only the team's own resources.
Which combination of steps will meet these requirements? (Choose three.)
A. Create IAM policies that include the required permissions. Include the aws:PrincipalTag condition key. B. Create permission sets. Attach an inline policy that includes the required permissions and uses the aws:PrincipalTag condition key to scope the permissions. C. Create a group in the IdP. Place users in the group. Assign the group to accounts and the permission sets in IAM Identity Center. D. Create a group in the IdP. Place users in the group. Assign the group to OUs and IAM policies. E. Enable attributes for access control in IAM Identity Center. Apply tags to users. Map the tags as key-value pairs. F. Enable attributes for access control in IAM Identity Center. Map attributes from the IdP as key-value pairs.
B. Create permission sets. Attach an inline policy that includes the required permissions and uses the aws:PrincipalTag condition key to scope the permissions. C. Create a group in the IdP. Place users in the group. Assign the group to accounts and the permission sets in IAM Identity Center. F. Enable attributes for access control in IAM Identity Center. Map attributes from the IdP as key-value pairs. Using the principalTag in the Permission Set inline policy a logged in user belonging to a specific AD group in the IDP can be permitted access to perform operations on certain resources if their group matches the group used in the PrincipleTag. Basically you are narrowing the scope of privileges assigned via Permission policies conditionally based on whether the logged in user belongs to a specific AD Group in IDP. The mapping of the AD group to the request attributes can be done using SSO attributes where we can pass other attributes like the SAML token as well. https://docs.aws.amazon.com/singlesignon/latest/userguide/abac.html
Question 37:
A cloud team uses AWS Organizations and AWS IAM Identity Center (AWS Single Sign-On) to manage a company's AWS accounts. The company recently established a research team. The research team requires the ability to fully manage the resources in its account. The research team must not be able to create IAM users.
The cloud team creates a Research Administrator permission set in IAM Identity Center for the research team. The permission set has the AdministratorAccess AWS managed policy attached. The cloud team must ensure that no one on the research team can create IAM users.
Which solution will meet these requirements?
A. Create an IAM policy that denies the iam:CreateUser action. Attach the IAM policy to the Research Administrator permission set. B. Create an IAM policy that allows all actions except the iam:CreateUser action. Use the IAM policy to set the permissions boundary for the Research Administrator permission set. C. Create an SCP that denies the iam:CreateUser action. Attach the SCP to the research team's AWS account. D. Create an AWS Lambda function that deletes IAM users. Create an Amazon EventBridge rule that detects the IAM CreateUser event. Configure the rule to invoke the Lambda function.
C. Create an SCP that denies the iam:CreateUser action. Attach the SCP to the research team's AWS account.
Question 38:
A company is using AWS CodePipeline to deploy an application. According to a new guideline, a member of the company's security team must sign off on any application changes before the changes are deployed into production. The approval must be recorded and retained.
Which combination of actions will meet these requirements? (Choose two.)
A. Configure CodePipeline to write actions to Amazon CloudWatch Logs. B. Configure CodePipeline to write actions to an Amazon S3 bucket at the end of each pipeline stage. C. Create an AWS CloudTrail trail to deliver logs to Amazon S3. D. Create a CodePipeline custom action to invoke an AWS Lambda function for approval. Create a policy that gives the security team access to manage CodePipeline custom actions. E. Create a CodePipeline manual approval action before the deployment step. Create a policy that grants the security team access to approve manual approval stages.
C. Create an AWS CloudTrail trail to deliver logs to Amazon S3. E. Create a CodePipeline manual approval action before the deployment step. Create a policy that grants the security team access to approve manual approval stages. AWS CodePipeline is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in CodePipeline;. CloudTrail captures all API calls for CodePipeline as events. The calls captured include calls from the CodePipeline console and code calls to the CodePipeline API operations. If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for CodePipeline. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in Event history. Using the information collected by CloudTrail, you can determine the request that was made to CodePipeline, the IP address from which the request was made, who made the request, when it was made, and additional details. https://docs.aws.amazon.com/codepipeline/latest/userguide/monitoring-cloudtrail-logs.html
Question 39:
Which answer is the proper syntax for specifying two target hosts on the command line when running an Ansible Playbook?
A. ansible-playbook -h host1.example.com -i all playbook.yml B. ansible-playbook -i host1.example.com playbook.yml C. ansible-playbook -h host1.example.com,host2.example.com playbook.yml D. ansible-playbook -i host1.example.com,host2.example.com playbook.yml
D. ansible-playbook -i host1.example.com,host2.example.com playbook.yml Ansible uses the `-i' flag for accepting an inventory file or host. To allow Ansible to determine if you are passing a host list versus an inventory file the list must be comma separated. If a single host is specified, a trailing comma must be present. http://docs.ansible.com/ansible/intro_inventory.html#inventory
Question 40:
A company is running a number of internet-facing APIs that use an AWS Lambda authorizer to control access. A security team wants to be alerted when a large number of requests are failing authorization, as this may indicate API abuse. Given the magnitude of API requests, the team wants to be alerted only if the number of HTTP 403 Forbidden responses goes above 2% of overall API calls.
Which solution will accomplish this?
A. Use the default Amazon API Gateway 403Error and Count metrics sent to Amazon CloudWatch, and use metric math to create a CloudWatch alarm. Use the (403Error/Count)*100 mathematical expression when defining the alarm. Set the alarm threshold to be greater than 2. B. Write a Lambda function that fetches the default Amazon API Gateway 403Error and Count metrics sent to Amazon CloudWatch, calculate the percentage of errors, then push a custom metric to CloudWatch named Custorn403Percent. Create a CloudWatch alarm based on this custom metric. Set the alarm threshold to be greater than 2. C. Configure Amazon API Gateway to send custom access logs to Amazon CloudWatch Logs. Create a log filter to produce a custom metric for the HTTP 403 response code named Custom403Error. Use this custom metric and the default API Gateway Count metric sent to CloudWatch, and use metric match to create a CloudWatch alarm. Use the (Custom403Error/Count)*100 mathematical expression when defining the alarm. Set the alarm threshold to be greater than 2. D. Configure Amazon API Gateway to enable custom Amazon CloudWatch metrics, enable the ALL_STATUS_CODE option, and define an APICustom prefix. Use CloudWatch metric math to create a CloudWatch alarm. Use the (APICustom403Error/Count)*100 mathematical expression when defining the alarm. Set the alarm threshold to be greater than 2.
C. Configure Amazon API Gateway to send custom access logs to Amazon CloudWatch Logs. Create a log filter to produce a custom metric for the HTTP 403 response code named Custom403Error. Use this custom metric and the default API Gateway Count metric sent to CloudWatch, and use metric match to create a CloudWatch alarm. Use the (Custom403Error/Count)*100 mathematical expression when defining the alarm. Set the alarm threshold to be greater than 2. https://aws.amazon.com/blogs/compute/analyzing-api-gateway-custom-access-logs-for-custom-domain-names/
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Amazon exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your DOP-C02 exam preparations
and Amazon certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.