Amazon Amazon Certifications DOP-C02 Questions & Answers

• Question 41:

  A company uses the AWS Cloud Development Kit (AWS CDK) to define its application. The company uses a pipeline that consists of AWS CodePipeline and AWS CodeBuild to deploy the CDK application.

  The company wants to introduce unit tests to the pipeline to test various infrastructure components. The company wants to ensure that a deployment proceeds if no unit tests result in a failure.

  Which combination of steps will enforce the testing requirement in the pipeline? (Choose two.)

  A. Update the CodeBuild build phase commands to run the tests then to deploy the application. Set the OnFailure phase property to ABORT.

  B. Update the CodeBuild build phase commands to run the tests then to deploy the application. Add the --rollback true flag to the cdk deploy command.

  C. Update the CodeBuild build phase commands to run the tests then to deploy the application. Add the --require-approval any-change flag to the cdk deploy command.

  D. Create a test that uses the AWS CDK assertions module. Use the template.hasResourceProperties assertion to test that resources have the expected properties.

  E. Create a test that uses the cdk diff command. Configure the test to fail if any resources have changed.

  Correct Answer: AD

• Question 42:

  A company runs an application that uses an Amazon S3 bucket to store images. A DevOps engineer needs to implement a multi-Region strategy for the objects that are stored in the S3 bucket. The company needs to be able to fail over to an

  S3 bucket in another AWS Region. When an image is added to either S3 bucket, the image must be replicated to the other S3 bucket within 15 minutes.

  The DevOps engineer enables two-way replication between the S3 buckets.

  Which combination of steps should the DevOps engineer take next to meet the requirements? (Choose three.)

  A. Enable S3 Replication Time Control (S3 RTC) on each replication rule.

  B. Create an S3 Multi-Region Access Point in an active-passive configuration.

  C. Call the SubmitMultiRegionAccessPointRoutes operation in the AWS API when the company needs to fail over to the S3 bucket in the other Region.

  D. Enable S3 Transfer Acceleration on both S3 buckets.

  E. Configure a routing control in Amazon Route 53 Recovery Controller. Add the S3 buckets in an active-passive configuration.

  F. Call the UpdateRoutingControlStates operation in the AWS API when the company needs to fail over to the S3 bucket in the other Region.

  Correct Answer: ABC

• Question 43:

  A company deploys an application to Amazon EC2 instances. The application runs Amazon Linux 2 and uses AWS CodeDeploy. The application has the following file structure for its code repository:

  

  The appspec.yml file has the following contents in the files section:

  

  What will the result be for the deployment of the config.txt file?

  A. The config.txt file will be deployed to only /var/www/html/config/config.txt.

  B. The config.txt file will be deployed to /usr/local/src/config.txt and to /var/www/html/config/config.txt.

  C. The config.txt file will be deployed to only /usr/local/src/config.txt.

  D. The config.txt file will be deployed to /usr/local/src/config.txt and to /var/www/html/application/web/config.txt.

  Correct Answer: B

• Question 44:

  A company has an organization in AWS Organizations. A DevOps engineer needs to maintain multiple AWS accounts that belong to different OUs in the organization. All resources, including IAM policies and Amazon S3 policies within an account, are deployed through AWS CloudFormation. All templates and code are maintained in an AWS CodeCommit repository. Recently, some developers have not been able to access an S3 bucket from some accounts in the organization.

  The following policy is attached to the S3 bucket: What should the DevOps engineer do to resolve this access issue?

  

  A. Modify the S3 bucket policy. Turn off the S3 Block Public Access setting on the S3 bucket. In the S3 policy, add the aws:SourceAccount condition. Add the AWS account IDs of all developers who are experiencing the issue.

  B. Verify that no IAM permissions boundaries are denying developers access to the S3 bucket. Make the necessary changes to IAM permissions boundaries. Use an AWS Config recorder in the individual developer accounts that are experiencing the issue to revert any changes that are blocking access. Commit the fix back into the CodeCommit repository. Invoke deployment through CloudFormation to apply the changes.

  C. Configure an SCP that stops anyone from modifying IAM resources in developer OUs. In the S3 policy, add the aws:SourceAccount condition. Add the AWS account IDs of all developers who are experiencing the issue. Commit the fix back into the CodeCommit repository. Invoke deployment through CloudFormation to apply the changes.

  D. Ensure that no SCP is blocking access for developers to the S3 bucket. Ensure that no IAM policy permissions boundaries are denying access to developer IAM users. Make the necessary changes to the SCP and IAM policy permissions boundaries in the CodeCommit repository. Invoke deployment through CloudFormation to apply the changes.

  Correct Answer: D

• Question 45:

  A company's development team uses AWS CloudFormation to deploy its application resources. The team must use CloudFormation for all changes to the environment. The team cannot use the AWS Management Console or the AWS CLI to make manual changes directly.

  The team uses a developer IAM role to access the environment. The role is configured with the AdministratorAccess managed IAM policy. The company has created a new CloudFormationDeployment IAM role that has the following policy attached:

  

  The company wants to ensure that only CloudFormation can use the new role. The development team cannot make any manual changes to the deployed resources.

  Which combination of steps will meet these requirements? (Choose three.)

  A. Remove the AdministratorAccess policy. Assign the ReadOnlyAccess managed IAM policy to the developer role. Instruct the developers to use the CloudFormationDeployment role as a CloudFormation service role when the developers deploy new stacks.

  B. Update the trust policy of the CloudFormationDeployment role to allow the developer IAM role to assume the CloudFormationDeployment role.

  C. Configure the developer IAM role to be able to get and pass the CloudFormationDeployment role if iam:PassedToService equals . Configure the CloudFormationDeployment role to allow all cloudformation actions for all resources.

  D. Update the trust policy of the CloudFormationDeployment role to allow the cloudformation.amazonaws.com AWS principal to perform the iam:AssumeRole action.

  E. Remove the AdministratorAccess policy. Assign the ReadOnlyAccess managed IAM policy to the developer role. Instruct the developers to assume the CloudFormationDeployment role when the developers deploy new stacks.

  F. Add an IAM policy to the CloudFormationDeployment role to allow cloudformation:* on all resources. Add a policy that allows the iam:PassRole action for the ARN of the CloudFormationDeployment role if iam:PassedToService equals cloudformation.amazonaws.com.

  Correct Answer: ADF

• Question 46:

  A company groups its AWS accounts in OUs in an organization in AWS Organizations. The company has deployed a set of Amazon API Gateway APIs in one of the Organizations accounts. The APIs are bound to the account's VPC and have no existing authentication mechanism. Only principals in a specific OU can have permissions to invoke the APIs.

  The company applies the following policy to the API Gateway interface VPC endpoint:

  

  The company also updates the API Gateway resource policies to deny invocations that do not come through the interface VPC endpoint. After the updates, the following error message appears during attempts to use the interface VPC endpoint URL to invoke an API: "User: anonymous is not authorized."

  Which combination of steps will solve this problem? (Choose two.)

  A. Enable IAM authentication on all API methods by setting AWS JAM as the authorization method.

  B. Create a token-based AWS Lambda authorizer that passes the caller's identity in a bearer token.

  C. Create a request parameter-based AWS Lambda authorizer that passes the caller's identity in a combination of headers, query string parameters, stage variables, and $cortext variables.

  D. Use Amazon Cognito user pools as the authorizer to control access to the API.

  E. Verify the identity of the requester by using Signature Version 4 to sign client requests by using AWS credentials.

  Correct Answer: AE

• Question 47:

  A company runs applications on Windows and Linux Amazon EC2 instances. The instances run across multiple Availability Zones in an AWS Region. The company uses Auto Scaling groups for each application.

  The company needs a durable storage solution for the instances. The solution must use SMB for Windows and must use NFS for Linux. The solution must also have sub-millisecond latencies. All instances will read and write the data.

  Which combination of steps will meet these requirements? (Choose three.)

  A. Create an Amazon Elastic File System (Amazon EFS) file system that has targets in multiple Availability Zones.

  B. Create an Amazon FSx for NetApp ONTAP Multi-AZ file system.

  C. Create a General Purpose SSD (gp3) Amazon Elastic Block Store (Amazon EBS) volume to use for shared storage.

  D. Update the user data for each application's launch template to mount the file system.

  E. Perform an instance refresh on each Auto Scaling group.

  F. Update the EC2 instances for each application to mount the file system when new instances are launched.

  Correct Answer: BDE

• Question 48:

  A DevOps engineer needs to implement integration tests into an existing AWS CodePipeline CI/CD workflow for an Amazon Elastic Container Service (Amazon ECS) service. The CI/CD workflow retrieves new application code from an AWS

  CodeCommit repository and builds a container image. The Cl/CD workflow then uploads the container image to Amazon Elastic Container Registry (Amazon ECR) with a new image tag version.

  The integration tests must ensure that new versions of the service endpoint are reachable and that various API methods return successful response data. The DevOps engineer has already created an ECS cluster to test the service.

  Which combination of steps will meet these requirements with the LEAST management overhead? (Choose three.)

  A. Add a deploy stage to the pipeline. Configure Amazon ECS as the action provider. Most Voted

  B. Add a deploy stage to the pipeline. Configure AWS CodeDeploy as the action provider.

  C. Add an appspec.yml file to the CodeCommit repository.

  D. Update the image build pipeline stage to output an imagedefinitions.json file that references the new image tag. Most Voted

  E. Create an AWS Lambda function that runs connectivity checks and API calls against the service. Integrate the Lambda function with CodePipeline by using a Lambda action stage. Most Voted

  F. Write a script that runs integration tests against the service. Upload the script to an Amazon S3 bucket. Integrate the script in the S3 bucket with CodePipeline by using an S3 action stage.

  Correct Answer: ADE

• Question 49:

  A company sends its AWS Network Firewall flow logs to an Amazon S3 bucket. The company then analyzes the flow logs by using Amazon Athena.

  The company needs to transform the flow logs and add additional data before the flow logs are delivered to the existing S3 bucket.

  Which solution will meet these requirements?

  A. Create an AWS Lambda function to transform the data and to write a new object to the existing S3 bucket. Configure the Lambda function with an S3 trigger for the existing S3 bucket. Specify all object create events for the event type. Acknowledge the recursive invocation.

  B. Enable Amazon EventBridge notifications on the existing S3 bucket. Create a custom EventBridge event bus. Create an EventBridge rule that is associated with the custom event bus. Configure the rule to react to all object create events for the existing S3 bucket and to invoke an AWS Step Functions workflow. Configure a Step Functions task to transform the data and to write the data into a new S3 bucket.

  C. Create an Amazon EventBridge rule that is associated with the default EventBridge event bus. Configure the rule to react to all object create events for the existing S3 bucket. Define a new S3 bucket as the target for the rule. Create an EventBridge input transformation to customize the event before passing the event to the rule target.

  D. Create an Amazon Kinesis Data Firehose delivery stream that is configured with an AWS Lambda transformer. Specify the existing S3 bucket as the destination. Change the Network Firewall logging destination from Amazon S3 to Kinesis Data Firehose.

  Correct Answer: D

• Question 50:

  A company operates sensitive workloads across the AWS accounts that are in the company's organization in AWS Organizations. The company uses an IP address range to delegate IP addresses for Amazon VPC CIDR blocks and all non-cloud hardware.

  The company needs a solution that prevents principals that are outside the company's IP address range from performing AWS actions in the organization's accounts.

  Which solution will meet these requirements?

  A. Configure AWS Firewall Manager for the organization. Create an AWS Network Firewall policy that allows only source traffic from the company's IP address range. Set the policy scope to all accounts in the organization.

  B. In Organizations, create an SCP that denies source IP addresses that are outside of the company's IP address range. Attach the SCP to the organization's root.

  C. Configure Amazon GuardDuty for the organization. Create a GuardDuty trusted IP address list for the company's IP range. Activate the trusted IP list for the organization.

  D. In Organizations, create an SCP that allows source IP addresses that are inside of the company's IP address range. Attach the SCP to the organization's root.

  Correct Answer: B