Amazon DOP-C02 Online Practice
Questions and Exam Preparation
DOP-C02 Exam Details
Exam Code
:DOP-C02
Exam Name
:AWS Certified DevOps Engineer - Professional (DOP-C02)
Certification
:Amazon Certifications
Vendor
:Amazon
Total Questions
:461 Q&As
Last Updated
:Jul 11, 2026
Amazon DOP-C02 Online Questions &
Answers
Question 411:
A DevOps engineer is implementing governance controls for a company that requires its infrastructure to be housed within the United States. The engineer must restrict which AWS Regions can be used, and ensure an alert is sent as soon as possible if any activity outside the governance policy takes place. The controls should be automatically enabled on any new Region outside the United States (US).
Which combination of actions will meet these requirements? (Choose two.)
A. Create an AWS Organizations SCP that denies access to all non-global services in non-US Regions. Attach the policy to the root of the organization. B. Configure AWS CloudTrail to send logs to Amazon CloudWatch Logs and enable it for all Regions. Use a CloudWatch Logs metric filter to send an alert on any service activity in non-US Regions. C. Use an AWS Lambda function that checks for AWS service activity and deploy it to all Regions. Write an Amazon EventBridge rule that runs the Lambda function every hour, sending an alert if activity is found in a non-US Region. D. Use an AWS Lambda function to query Amazon Inspector to look for service activity in non-US Regions and send alerts if any activity is found. E. Write an SCP using the aws:RequestedRegion condition key limiting access to US Regions. Apply the policy to all users, groups, and roles.
A. Create an AWS Organizations SCP that denies access to all non-global services in non-US Regions. Attach the policy to the root of the organization. B. Configure AWS CloudTrail to send logs to Amazon CloudWatch Logs and enable it for all Regions. Use a CloudWatch Logs metric filter to send an alert on any service activity in non-US Regions. A and B are correct: SCP to restrict and AWS cloutrail to monitor C: Lambda cannot check AWS service activity D: AWS inspector has nothing to do here E: : cannot assign a SCP to all users, groups and roles.
Question 412:
A company's development team uses AWS CloudFormation to deploy its application resources. The team must use it for any changes to the environment. The team cannot use the AWS Management Console or the AWS CLI to make manual changes directly.
The team uses a developer IAM role to access the environment. The role is configured with the AdministratorAccess managed policy. The company has created a new CloudFormationDeployment IAM role that has the following policy.
The company wants to ensure that only CloudFormation can use the new role. The development team cannot make any manual changes to the deployed resources.
Which combination of steps meets these requirements? (Select THREE.)
A. Remove the AdministratorAccess policy. Assign the ReadOnlyAccess managed IAM policy to the developer role. Instruct the developers to use the CloudFormationDeployment role as a CloudFormation service role when the developers deploy new stacks. B. Update the trust policy of the CloudFormationDeployment role to allow the developer IAM role to assume the CloudFormationDeployment role. C. Configure the IAM role to be able to get and pass the CloudFormationDeployment role for CloudFormation actions for resources. D. Update the trust policy of the CloudFormationDeployment role to allow the cloudformation.amazonaws.com AWS principal to perform the iam:AssumeRole action. E. Remove the AdministratorAccess policy. Assign the ReadOnlyAccess managed IAM policy to the developer role. Instruct the developers to assume the CloudFormationDeployment role when they deploy new stacks. F. Add an IAM policy to the CloudFormationDeployment role to allow cloudformation:* on all resources.Add a policy that allows the iam:PassRole action for the ARN, if iam:PassedToService equals cloudformation.amazonaws.com.
A. Remove the AdministratorAccess policy. Assign the ReadOnlyAccess managed IAM policy to the developer role. Instruct the developers to use the CloudFormationDeployment role as a CloudFormation service role when the developers deploy new stacks. D. Update the trust policy of the CloudFormationDeployment role to allow the cloudformation.amazonaws.com AWS principal to perform the iam:AssumeRole action. F. Add an IAM policy to the CloudFormationDeployment role to allow cloudformation:* on all resources.Add a policy that allows the iam:PassRole action for the ARN, if iam:PassedToService equals cloudformation.amazonaws.com. A comprehensive and detailed explanation is: Option A is correct because removing the AdministratorAccess policy and assigning the ReadOnlyAccess managed IAM policy to the developer role is a valid way to prevent the developers from making any manual changes to the deployed resources. The AdministratorAccess policy grants full access to all AWS resources and actions, which is not necessary for the developers. The ReadOnlyAccess policy grants read-only access to most AWS resources and actions, which is sufficient for the developers to view the status of their stacks. Instructing the developers to use the CloudFormationDeployment role as a CloudFormation service role when they deploy new stacks is also a valid way to ensure that only CloudFormation can use the new role. A CloudFormation service role is an IAM role that allows CloudFormation to make calls to resources in a stack on behalf of the user1. The user can specify a service role when they create or update a stack, and CloudFormation will use that role's credentials for all operations that are performed on that stack1. Option B is incorrect because updating the trust of CloudFormationDeployment role to allow the developer IAM role to assume the CloudFormationDeployment role is not a valid solution. This would allow the developers to manually assume the CloudFormationDeployment role and perform actions on the deployed resources, which is not what the company wants. The trust of CloudFormationDeployment role should only allow the cloudformation.amazonaws.com AWS principal to assume the role, as in option D. Option C is incorrect because configuring the IAM user to be able to get and pass the CloudFormationDeployment role if cloudformation actions for resources is not a valid solution. This would allow the developers to manually pass the CloudFormationDeployment role to other services or resources, which is not what the company wants. The IAM user should only be able to pass the CloudFormationDeployment role as a service role when they create or update a stack with CloudFormation, as in option A. Option D is correct because updating the trust of CloudFormationDeployment role to allow the cloudformation.amazonaws.com AWS principal to perform the iam:AssumeRole action is a valid solution. This allows CloudFormation to assume the CloudFormationDeployment role and access resources in other services on behalf of the user2. The trust policy of an IAM role defines which entities can assume the role2. By specifying cloudformation.amazonaws.com as the principal, you grant permission only to CloudFormation to assume this role. Option E is incorrect because instructing the developers to assume the CloudFormationDeployment role when they deploy new stacks is not a valid solution. This would allow the developers to manually assume the CloudFormationDeployment role and perform actions on the deployed resources, which is not what the company wants. The developers should only use the CloudFormationDeployment role as a service role when they deploy new stacks with CloudFormation, as in option A. Option F is correct because adding an IAM policy to CloudFormationDeployment that allows cloudformation:* on all resources and adding a policy that allows the iam:PassRole action for ARN of CloudFormationDeployment if iam:PassedToService equals cloudformation.amazonaws.com are valid solutions. The first policy grants permission for CloudFormationDeployment to perform any action with any resource using cloudformation.amazonaws.com as a service principal3. The second policy grants permission for passing this role only if it is passed by cloudformation.amazonaws.com as a service principal4. This ensures that only CloudFormation can use this role. References: 1: AWS CloudFormation service roles 2: How to use trust policies with IAM roles 3: AWS::IAM::Policy 4: IAM: Pass an IAM role to a specific AWS service
Question 413:
A developer is using the AWS Serverless Application Model (AWS SAM) to create a prototype for an AWS Lambda function. The AWS SAM template contains an AWS::Serverless::Function resource that has the CodeUri property that points to an Amazon S3 location. The developer wants to identify the correct commands for deployment before creating a CI/CD pipeline.
The developer creates an archive of the Lambda function code named package.zip. The developer uploads the .zip file archive to the S3 location specified in the CodeUri property. The developer runs the sam deploy command and deploys the Lambda function. The developer updates the Lambda function code and uses the same steps to deploy the new version of the Lambda function. The sam deploy command fails and returns an error of no changes to deploy.
Which solutions will deploy the new version? (Choose two.)
A. Use the aws cloudformation update-stack command instead of the sam deploy command. B. Use the aws cloudformation update-stack-instances command instead of the sam deploy command. C. Update the CodeUri property to reference the local application code folder. Use the sam deploy command. D. Update the CodeUri property to reference the local application code folder. Use the aws cloudformation create-change-set command and the aws cloudformation execute-change-set command. E. Update the CodeUri property to reference the local application code folder. Use the aws cloudformation package command and the aws cloudformation deploy command.
C. Update the CodeUri property to reference the local application code folder. Use the sam deploy command. E. Update the CodeUri property to reference the local application code folder. Use the aws cloudformation package command and the aws cloudformation deploy command.
Question 414:
A company recently deployed its web application on AWS. The company is preparing for a large-scale sales event and must ensure that the web application can scale to meet the demand.
The application's frontend infrastructure includes an Amazon CloudFront distribution that has an Amazon S3 bucket as an origin. The backend infrastructure includes an Amazon API Gateway API, several AWS Lambda functions, and an Amazon Aurora DB cluster.
The company's DevOps engineer conducts a load test and identifies that the Lambda functions can fulfil the peak number of requests. However, the DevOps engineer notices request latency during the initial burst of requests. Most of the requests to the Lambda functions produce queries to the database. A large portion of the invocation time is used to establish database connections.
Which combination of steps will provide the application with the required scalability? (Choose three.)
A. Configure a higher reserved concurrency for the Lambda functions. B. Configure a higher provisioned concurrency for the Lambda functions. C. Convert the DB cluster to an Aurora global database. Add additional Aurora Replicas in AWS Regions based on the locations of the company's customers. D. Refactor the Lambda functions. Move the code blocks that initialize database connections into the function handlers. E. Use Amazon RDS Proxy to create a proxy for the Aurora database. Update the Lambda functions to use the proxy endpoints for database connections.
B. Configure a higher provisioned concurrency for the Lambda functions. C. Convert the DB cluster to an Aurora global database. Add additional Aurora Replicas in AWS Regions based on the locations of the company's customers. E. Use Amazon RDS Proxy to create a proxy for the Aurora database. Update the Lambda functions to use the proxy endpoints for database connections. Configuring a higher reserved concurrency for the Lambda functions (Option A) ensures that a specific number of Lambda instances are available for your function, but it doesn't address the cold start issue as effectively as provisioned concurrency, nor does it directly address the database connection overhead. Therefore, the most effective combination of steps to provide the required scalability and address the identified issue would be Options B (Provisioned Concurrency), F (Amazon RDS Proxy), and a revised understanding of D that focuses on optimizing connection management for efficiency.
Question 415:
A DevOps engineer is working on a data archival project that requires the migration of on-premises data to an Amazon S3 bucket. The DevOps engineer develops a script that incrementally archives on-premises data that is older than 1 month to Amazon S3. Data that is transferred to Amazon S3 is deleted from the on-premises location The script uses the S3 PutObject operation.
During a code review the DevOps engineer notices that the script does not verity whether the data was successfully copied to Amazon S3. The DevOps engineer must update the script to ensure that data is not corrupted during transmission. The script must use MD5 checksums to verify data integrity before the on-premises data is deleted.
Which solutions for the script will meet these requirements'? (Select TWO.)
A. Check the returned response for the Versioned Compare the returned Versioned against the MD5 checksum. B. Include the MD5 checksum within the Content-MD5 parameter. Check the operation call's return status to find out if an error was returned. C. Include the checksum digest within the tagging parameter as a URL query parameter. D. Check the returned response for the ETag. Compare the returned ETag against the MD5 checksum. E. Include the checksum digest within the Metadata parameter as a name-value pair After upload use the S3 HeadObject operation to retrieve metadata from the object.
B. Include the MD5 checksum within the Content-MD5 parameter. Check the operation call's return status to find out if an error was returned. D. Check the returned response for the ETag. Compare the returned ETag against the MD5 checksum. https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html
Question 416:
A company runs hundreds of EC2 instances with new instances launched/terminated hourly. Security requires all running instances to have an instance profile attached. A default profile exists and must be attached automatically to any instance missing one.
Which solution meets this requirement?
A. EventBridge rule for RunInstances API calls, invoke Lambda to attach default profile. B. AWS Config with ec2-instance-profile-attached managed rule, automatic remediation using Systems Manager Automation runbook to attach profile. C. EventBridge rule for StartInstances API calls, invoke Systems Manager Automation runbook to attach profile. D. AWS Config iam-role-managed-policy-check managed rule, automatic remediation with Lambda to attach profile.
B. AWS Config with ec2-instance-profile-attached managed rule, automatic remediation using Systems Manager Automation runbook to attach profile.
Question 417:
Some of your EC2 instances are configured to use a Proxy. Can you use Amazon Inspector for regular assessment of instances behind proxy?
A. Only Windows-based systems are supported as Linux-based systems use custom configurations that are not supported by AWS Agent in the current release. B. Only Linux-based systems are supported, and AWS agent supports HTTPS proxy on these systems. C. No, AWS Agent does NOT support proxy environments. D. Yes, AWS Agent supports proxy environments on both Linux-based and Windows-based systems.
D. Yes, AWS Agent supports proxy environments on both Linux-based and Windows-based systems. The AWS agent supports proxy environments. For Linux instances, Inspector supports HTTPS Proxy, and for Windows instances, it supports WinHTTP proxy. https://docs.aws.amazon.com/inspector/latest/userguide/inspector_agents.html
Question 418:
A company has an application that runs on Amazon EC2 instances. The company uses an AWS CodePipeline pipeline to deploy the application into multiple AWS Regions. The pipeline is configured with a stage for each Region. Each stage contains an AWS CloudFormation action for each Region.
When the pipeline deploys the application to a Region, the company wants to confirm that the application is in a healthy state before the pipeline moves on to the next Region. Amazon Route 53 record sets are configured for the application in each Region. A DevOps engineer creates a Route 53 health check that is based on an Amazon CloudWatch alarm for each Region where the application is deployed.
What should the DevOps engineer do next to meet the requirements?
A. Create an AWS Step Functions workflow to check the state of the CloudWatch alarm. Configure the Step Functions workflow to exit with an error if the alarm is in the ALARM state. Create a new stage in the pipeline between each Region deployment stage. In each new stage, include an action to invoke the Step Functions workflow. B. Configure an AWS CodeDeploy application to deploy a CloudFormation template with automatic rollback. Configure the CloudWatch alarm as the instance health check for the CodeDeploy application. Remove the CloudFormation actions from the pipeline. Create a CodeDeploy action in the pipeline stage for each Region. C. Create a new pipeline stage for each Region where the application is deployed. Configure a CloudWatch alarm action for the new stage to check the state of the CloudWatch alarm and to exit with an error if the alarm is in the ALARM state D. Configure the CloudWatch agent on the EC2 instances to report the application status to the Route 53 health check. Create a new pipeline stage for each Region where the application is deployed. Configure a CloudWatch alarm action to exit with an error if the CloudWatch alarm is in the ALARM state.
A. Create an AWS Step Functions workflow to check the state of the CloudWatch alarm. Configure the Step Functions workflow to exit with an error if the alarm is in the ALARM state. Create a new stage in the pipeline between each Region deployment stage. In each new stage, include an action to invoke the Step Functions workflow. https://dev.to/aws-builders/dynamic-build-orchestration-using-codepipeline-codebuild-and-step-functions-2kpa
Question 419:
Which services can be used as optional components of setting up a new Trail in CloudTrail?
A. KMS, SNS and SES B. CloudWatch, S3 and SNS C. KMS, Cloudwatch and SNS D. KMS, S3 and CloudWatch
C. KMS, Cloudwatch and SNS Key Management Service: The use of AWS KMS is an optional element of CloudTrail, but it allows additional encryption to be added to your Log files when stored on S3 Simple Notification Service: Amazon SNS is also an optional component for CloudTrail, but it allows for you to create notifications, for example when a new log file is delivered to S3 SNS could notify someone or a team via an e-mail. Or it could be used in conjunction with CloudWatch when metric thresholds have been reached. CloudWatch Logs: Again, this is another optional component, but AWS CloudTrail allows you to deliver its logs to AWS Cloudwatch Logs as well as S3 for specific monitoring metrics to take place. https://cloudacademy.com/amazon-web-services/aws-cloudtrail-introduction-course/how-doesaws-cloudtrail-work.html
Question 420:
Which of the following is an invalid variable name in Ansible?
A. host1st_ref B. host-first-ref C. Host1stRef D. host_first_ref
B. host-first-ref Variable names can contain letters, numbers and underscores and should always start with a letter. Invalid variable examples, `host first ref', `1st_host_ref''. http://docs.ansible.com/ansible/playbooks_variables.html#what-makes-a-valid-variable-name
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Amazon exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your DOP-C02 exam preparations
and Amazon certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.