DOP-C02 Exam Details

  • Exam Code
    :DOP-C02
  • Exam Name
    :AWS Certified DevOps Engineer - Professional (DOP-C02)
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :461 Q&As
  • Last Updated
    :Jul 11, 2026

Amazon DOP-C02 Online Questions & Answers

  • Question 31:

    A company is using an AWS CodeBuild project to build and package an application. The packages are copied to a shared Amazon S3 bucket before being deployed across multiple AWS accounts.

    The buildspec.yml file contains the following:

    The DevOps engineer has noticed that anybody with an AWS account is able to download the artifacts. What steps should the DevOps engineer take to stop this?

    A. Modify the post_build command to use --acl public-read and configure a bucket policy that grants read access to the relevant AWS accounts only.
    B. Configure a default ACL for the S3 bucket that defines the set of authenticated users as the relevant AWS accounts only and grants read-only access.
    C. Create an S3 bucket policy that grants read access to the relevant AWS accounts and denies read access to the principal "*".
    D. Modify the post_build command to remove --acl authenticated-read and configure a bucket policy that allows read access to the relevant AWS accounts only.

  • Question 32:

    Ansible supports running Playbook on the host directly or via SSH. How can Ansible be told to run its playbooks directly on the host?

    A. Setting `connection: local' in the tasks that run locally.
    B. Specifying `-type local' on the command line.
    C. It does not need to be specified; it is the default.
    D. Setting `connection: local' in the Playbook.

  • Question 33:

    A company is hosting a static website from an Amazon S3 bucket. The website is available to customers at example.com. The company uses an Amazon Route 53 weighted routing policy with a TTL of 1 day. The company has decided to replace the existing static website with a dynamic web application. The dynamic web application uses an Application Load Balancer (ALB) in front of a fleet of Amazon EC2 instances.

    On the day of production launch to customers, the company creates an additional Route 53 weighted DNS record entry that points to the ALB with a weight of 255 and a TTL of 1 hour. Two days later, a DevOps engineer notices that the previous static website is displayed sometimes when customers navigate to example.com.

    How can the DevOps engineer ensure that the company serves only dynamic content for example.com?

    A. Delete all objects, including previous versions, from the S3 bucket that contains the static website content.
    B. Update the weighted DNS record entry that points to the S3 bucket. Apply a weight of 0. Specify the domain reset option to propagate changes immediately.
    C. Configure webpage redirect requests on the S3 bucket with a hostname that redirects to the ALB.
    D. Remove the weighted DNS record entry that points to the S3 bucket from the example.com hosted zone. Wait for DNS propagation to become complete.

  • Question 34:

    You have deployed an application to AWS which makes use of Autoscaling to launch new instances. You now want to change the instance type for the new instances. Which of the following is one of the action items to achieve this deployment?

    A. Use Elastic Beanstalk to deploy the new application with the new instance type
    B. Use Cloudformation to deploy the new application with the new instance type
    C. Create a new launch configuration with the new instance type
    D. Create new EC2 instances with the new instance type and attach it to the Autoscaling Group

  • Question 35:

    Which tool will Ansible not use, even if available, to gather facts?

    A. facter
    B. lsb_release
    C. Ansible setup module
    D. ohai

  • Question 36:

    An ecommerce company has chosen AWS to host its new platform. The company's DevOps team has started building an AWS Control Tower landing zone. The DevOps team has set the identity store within AWS IAM Identity Center (AWS Single Sign-On) to external identity provider (IdP) and has configured SAML 2.0.

    The DevOps team wants a robust permission model that applies the principle of least privilege. The model must allow the team to build and manage only the team's own resources.

    Which combination of steps will meet these requirements? (Choose three.)

    A. Create IAM policies that include the required permissions. Include the aws:PrincipalTag condition key.
    B. Create permission sets. Attach an inline policy that includes the required permissions and uses the aws:PrincipalTag condition key to scope the permissions.
    C. Create a group in the IdP. Place users in the group. Assign the group to accounts and the permission sets in IAM Identity Center.
    D. Create a group in the IdP. Place users in the group. Assign the group to OUs and IAM policies.
    E. Enable attributes for access control in IAM Identity Center. Apply tags to users. Map the tags as key-value pairs.
    F. Enable attributes for access control in IAM Identity Center. Map attributes from the IdP as key-value pairs.

  • Question 37:

    A cloud team uses AWS Organizations and AWS IAM Identity Center (AWS Single Sign-On) to manage a company's AWS accounts. The company recently established a research team. The research team requires the ability to fully manage the resources in its account. The research team must not be able to create IAM users.

    The cloud team creates a Research Administrator permission set in IAM Identity Center for the research team. The permission set has the AdministratorAccess AWS managed policy attached. The cloud team must ensure that no one on the research team can create IAM users.

    Which solution will meet these requirements?

    A. Create an IAM policy that denies the iam:CreateUser action. Attach the IAM policy to the Research Administrator permission set.
    B. Create an IAM policy that allows all actions except the iam:CreateUser action. Use the IAM policy to set the permissions boundary for the Research Administrator permission set.
    C. Create an SCP that denies the iam:CreateUser action. Attach the SCP to the research team's AWS account.
    D. Create an AWS Lambda function that deletes IAM users. Create an Amazon EventBridge rule that detects the IAM CreateUser event. Configure the rule to invoke the Lambda function.

  • Question 38:

    A company is using AWS CodePipeline to deploy an application. According to a new guideline, a member of the company's security team must sign off on any application changes before the changes are deployed into production. The approval must be recorded and retained.

    Which combination of actions will meet these requirements? (Choose two.)

    A. Configure CodePipeline to write actions to Amazon CloudWatch Logs.
    B. Configure CodePipeline to write actions to an Amazon S3 bucket at the end of each pipeline stage.
    C. Create an AWS CloudTrail trail to deliver logs to Amazon S3.
    D. Create a CodePipeline custom action to invoke an AWS Lambda function for approval. Create a policy that gives the security team access to manage CodePipeline custom actions.
    E. Create a CodePipeline manual approval action before the deployment step. Create a policy that grants the security team access to approve manual approval stages.

  • Question 39:

    Which answer is the proper syntax for specifying two target hosts on the command line when running an Ansible Playbook?

    A. ansible-playbook -h host1.example.com -i all playbook.yml
    B. ansible-playbook -i host1.example.com playbook.yml
    C. ansible-playbook -h host1.example.com,host2.example.com playbook.yml
    D. ansible-playbook -i host1.example.com,host2.example.com playbook.yml

  • Question 40:

    A company is running a number of internet-facing APIs that use an AWS Lambda authorizer to control access. A security team wants to be alerted when a large number of requests are failing authorization, as this may indicate API abuse. Given the magnitude of API requests, the team wants to be alerted only if the number of HTTP 403 Forbidden responses goes above 2% of overall API calls.

    Which solution will accomplish this?

    A. Use the default Amazon API Gateway 403Error and Count metrics sent to Amazon CloudWatch, and use metric math to create a CloudWatch alarm. Use the (403Error/Count)*100 mathematical expression when defining the alarm. Set the alarm threshold to be greater than 2.
    B. Write a Lambda function that fetches the default Amazon API Gateway 403Error and Count metrics sent to Amazon CloudWatch, calculate the percentage of errors, then push a custom metric to CloudWatch named Custorn403Percent. Create a CloudWatch alarm based on this custom metric. Set the alarm threshold to be greater than 2.
    C. Configure Amazon API Gateway to send custom access logs to Amazon CloudWatch Logs. Create a log filter to produce a custom metric for the HTTP 403 response code named Custom403Error. Use this custom metric and the default API Gateway Count metric sent to CloudWatch, and use metric match to create a CloudWatch alarm. Use the (Custom403Error/Count)*100 mathematical expression when defining the alarm. Set the alarm threshold to be greater than 2.
    D. Configure Amazon API Gateway to enable custom Amazon CloudWatch metrics, enable the ALL_STATUS_CODE option, and define an APICustom prefix. Use CloudWatch metric math to create a CloudWatch alarm. Use the (APICustom403Error/Count)*100 mathematical expression when defining the alarm. Set the alarm threshold to be greater than 2.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your DOP-C02 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.