DOP-C02 Exam Details

  • Exam Code
    :DOP-C02
  • Exam Name
    :AWS Certified DevOps Engineer - Professional (DOP-C02)
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :461 Q&As
  • Last Updated
    :Jul 11, 2026

Amazon DOP-C02 Online Questions & Answers

  • Question 431:

    A DevOps engineer is implementing governance controls for a company that requires its infrastructure to be housed within the United States. The company has many AWS accounts in an organization in AWS Organizations that has all features enabled. The engineer must restrict which AWS Regions the company can use. The engineer must also ensure that an alert is sent as soon as possible if any activity outside the governance policy occurs. The controls must be automatically enabled on any new Region outside the United States.

    Which combination of steps will meet these requirements? (Select TWO.)

    A. Create an Organizations SCP deny policy that has a condition that the aws:RequestedRegion property does not match a list of all US Regions. Include an exception in the policy for global services. Attach the policy to the root of the organization.
    B. Configure AWS CloudTrail to send logs to Amazon CloudWatch Logs. Enable CloudTrail for all Regions. Use a CloudWatch Logs metric filter to create a metric in non-US Regions. Configure a CloudWatch alarm to send an alert if the metric is greater than 0.
    C. Use an AWS Lambda function that checks for AWS service activity. Deploy the Lambda function to all Regions. Write an Amazon EventBridge rule that runs the Lambda function every hour. Configure the rule to send an alert if the Lambda function finds any activity in a non-US Region.
    D. Use an AWS Lambda function to query Amazon Inspector to look for service activity in non-US Regions. Configure the Lambda function to send alerts if Amazon Inspector finds any activity.
    E. Create an Organizations SCP allow policy that has a condition that the aws:RequestedRegion property matches a list of all US Regions. Include an exception in the policy for global services. Attach the policy to the root of the organization.

  • Question 432:

    A company uses an organization in AWS Organizations that has all features enabled. The company uses AWS Backup in a primary account and uses an AWS Key Management Service (AWS KMS) key to encrypt the backups.

    The company needs to automate a cross-account backup of the resources that AWS Backup backs up in the primary account. The company configures cross-account backup in the Organizations management account. The company creates

    a new AWS account in the organization and configures an AWS Backup backup vault in the new account. The company creates a KMS key in the new account to encrypt the backups. Finally, the company configures a new backup plan in the

    primary account. The destination for the new backup plan is the backup vault in the new account.

    When the AWS Backup job in the primary account is invoked, the job creates backups in the primary account. However, the backups are not copied to the new account's backup vault.

    Which combination of steps must the company take so that backups can be copied to the new account's backup vault? (Choose two.)

    A. Edit the backup vault access policy in the new account to allow access to the primary account.
    B. Edit the backup vault access policy in the primary account to allow access to the new account.
    C. Edit the backup vault access policy in the primary account to allow access to the KMS key in the new account.
    D. Edit the key policy of the KMS key in the primary account to share the key with the new account.
    E. Edit the key policy of the KMS key in the new account to share the key with the primary account.

  • Question 433:

    A company is launching an application. The application must use only approved AWS services. The account that runs the application was created less than 1 year ago and is assigned to an AWS Organizations OU.

    The company needs to create a new Organizations account structure. The account structure must have an appropriate SCP that supports the use of only services that are currently active in the AWS account.

    The company will use AWS Identity and Access Management (IAM) Access Analyzer in the solution.

    Which solution will meet these requirements?

    A. Create an SCP that allows the services that IAM Access Analyzer identifies. Create an OU for the account. Move the account into the new OU. Attach the new SCP to the new OU. Detach the default FullAWSAccess SCP from the new OU.
    B. Create an SCP that denies the services that IAM Access Analyzer identifies. Create an OU for the account. Move the account into the new OIJ. Attach the new SCP to the new OU.
    C. Create an SCP that allows the services that IAM Access Analyzer identifies. Attach the new SCP to the organization's root.
    D. Create an SCP that allows the services that IAM Access Analyzer identifies. Create an OU for the account. Move the account into the new OU. Attach the new SCP to the management account. Detach the default FullAWSAccess SCP from the new OU.

  • Question 434:

    A DevOps engineer at a company is supporting an AWS environment in which all users use AWS IAM Identity Center (AWS Single Sign-On). The company wants to immediately disable credentials of any new IAM user and wants the security team to receive a notification.

    Which combination of steps should the DevOps engineer take to meet these requirements? (Choose three.)

    A. Create an Amazon EventBridge rule that reacts to an IAM CreateUser API call in AWS CloudTrail.
    B. Create an Amazon EventBridge rule that reacts to an IAM GetLoginProfile API call in AWS CloudTrail.
    C. Create an AWS Lambda function that is a target of the EventBridge rule. Configure the Lambda function to disable any access keys and delete the login profiles that are associated with the IAM user.
    D. Create an AWS Lambda function that is a target of the EventBridge rule. Configure the Lambda function to delete the login profiles that are associated with the IAM user.
    E. Create an Amazon Simple Notification Service (Amazon SNS) topic that is a target of the EventBridge rule. Subscribe the security team's group email address to the topic.
    F. Create an Amazon Simple Queue Service (Amazon SQS) queue that is a target of the Lambda function. Subscribe the security team's group email address to the queue.

  • Question 435:

    When running a playbook on a remote target host you receive a Python error similar to "[Errno 13] Permission denied: `/home/nick/.ansible/tmp'. What would be the most likely cause of this problem?

    A. The user's home or `.ansible' directory on the Ansible system is not writeable by the user running the play.
    B. The specified user does not exist on the remote system.
    C. The user running `ansible-playbook' must run it from their own home directory.
    D. The user's home or `.ansible' directory on the Ansible remote host is not writeable by the user running the play

  • Question 436:

    A development team wants to use AWS CloudFormation stacks to deploy an application. However, the developer IAM role does not have the required permissions to provision the resources that are specified in the AWS CloudFormation template. A DevOps engineer needs to implement a solution that allows the developers to deploy the stacks. The solution must follow the principle of least privilege.

    Which solution will meet these requirements?

    A. Create an IAM policy that allows the developers to provision the required resources. Attach the policy to the developer IAM role.
    B. Create an IAM policy that allows full access to AWS CloudFormation. Attach the policy to the developer IAM role.
    C. Create an AWS CloudFormation service role that has the required permissions. Grant the developer IAM role a cloudformation:* action. Use the new service role during stack deployments.
    D. Create an AWS CloudFormation service role that has the required permissions. Grant the developer IAM role the iam:PassRole permission. Use the new service role during stack deployments.

  • Question 437:

    A company's security team discovers that IAM access keys were potentially exposed. The DevOps team wants to implement a solution that will automatically disable any keys that are suspected of being compromised. The solution also must provide a notification to the security team.

    Which solution will accomplish this?

    A. Create an Amazon EventBridge (Amazon CloudWatch Events) event for Amazon Macie. Create an Amazon Simple Notification Service (Amazon SNS) topic with two subscriptions: one to notify the security team and another to invoke an AWS Lambda function that disables the access keys.
    B. Enable Amazon GuardDuty and set up an Amazon EventBridge (Amazon CloudWatch Events) rule event for GuardDuty. Create an Amazon Simple Notification Service (Amazon SNS) topic with two subscriptions: one to notify the security team and another to invoke an AWS Lambda function that disables the access keys.
    C. Run an Amazon EvetBridge (Amazon CloudWatch Events) rule every 5 minutes to invoke an AWS Lambda function that checks to see if the compromised tag for any access key is set to true. If the tag is set to true, notify the security team and disable the access keys.
    D. Set up AWS Config and create an AWS CloudTrail event for AWS Config. Create an an Amazon Simple Notification Service (Amazon SNS) topic with two subscriptions: one to notify the security team and another to invoke an AWS Lambda function that disables the access keys.

  • Question 438:

    A company is building a web and mobile application that uses a serverless architecture powered by AWS Lambda and Amazon API Gateway. The company wants to fully automate the backend Lambda deployment based on code that is pushed to the appropriate environment branch in an AWS CodeCommit repository.

    The deployment must have the following:

    1.

    Separate environment pipelines for testing and production

    2.

    Automatic deployment that occurs for test environments only

    Which steps should be taken to meet these requirements?

    A. Configure a new AWS CodePipeline service. Create a CodeCommit repository for each environment. Set up CodePipeline to retrieve the source code from the appropriate repository. Set up the deployment step to deploy the Lambda functions with AWS CloudFormation.
    B. Create two AWS CodePipeline configurations for test and production environments. Configure the production pipeline to have a manual approval step. Create a CodeCommit repository for each environment. Set up each CodePipeline to retrieve the source code from the appropriate repository. Set up the deployment step to deploy the Lambda functions with AWS CloudFormation.
    C. Create two AWS CodePipeline configurations for test and production environments. Configure the production pipeline to have a manual approval step. Create one CodeCommit repository with a branch for each environment. Set up each CodePipeline to retrieve the source code from the appropriate branch in the repository. Set up the deployment step to deploy the Lambda functions with AWS CloudFormation.
    D. Create an AWS CodeBuild configuration for test and production environments. Configure the production pipeline to have a manual approval step. Create one CodeCommit repository with a branch for each environment. Push the Lambda function code to an Amazon S3 bucket. Set up the deployment step to deploy the Lambda functions from the S3 bucket.

  • Question 439:

    A DevOps engineer is designing an application that integrates with a legacy REST API. The application has an AWS Lambda function that reads records from an Amazon Kinesis data stream. The Lambda function sends the records to the legacy REST API.

    Approximately 10% of the records that the Lambda function sends from the Kinesis data stream have data errors and must be processed manually. The Lambda function event source configuration has an Amazon Simple Queue Service (Amazon SQS) dead-letter queue as an on-failure destination. The DevOps engineer has configured the Lambda function to process records in batches and has implemented retries in case of failure.

    During testing the DevOps engineer notices that the dead-letter queue contains many records that have no data errors and that already have been processed by the legacy REST API. The DevOps engineer needs to configure the Lambda function's event source options to reduce the number of errorless records that are sent to the dead-letter queue.

    Which solution will meet these requirements?

    A. Increase the retry attempts
    B. Configure the setting to split the batch when an error occurs
    C. Increase the concurrent batches per shard
    D. Decrease the maximum age of record

  • Question 440:

    A company is migrating its on-premises Windows applications and Linux applications to AWS. The company will use automation to launch Amazon EC2 instances to mirror the on-premises configurations. The migrated applications require access to shared storage that uses SMB for Windows and NFS for Linux.

    The company is also creating a pilot light disaster recovery (DR) environment in another AWS Region. The company will use automation to launch and configure the EC2 instances in the DR Region. The company needs to replicate the storage to the DR Region.

    Which storage solution will meet these requirements?

    A. Use Amazon S3 for the application storage. Create an S3 bucket in the primary Region and an S3 bucket in the DR Region. Configure S3 Cross-Region Replication (CRR) from the primary Region to the DR Region.
    B. Use Amazon Elastic Block Store (Amazon EBS) for the application storage. Create a backup plan in AWS Backup that creates snapshots of the EBS volumes that are in the primary Region and replicates the snapshots to the DR Region.
    C. Use a Volume Gateway in AWS Storage Gateway for the application storage. Configure Cross-Region Replication (CRR) of the Volume Gateway from the primary Region to the DR Region.
    D. Use Amazon FSx for NetApp ONTAP for the application storage. Create an FSx for ONTAP instance in the DR Region. Configure NetApp SnapMirror replication from the primary Region to the DR Region.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your DOP-C02 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.