Amazon DOP-C02 Exam Questions Instant Access

Question 1

A company's application is currently deployed to a single AWS Region. Recently, the company opened a new office on a different continent. The users in the new office are experiencing high latency. The company's application runs on Amazon EC2 instances behind an Application Load Balancer (ALB) and uses Amazon DynamoDB as the database layer. The instances run in an EC2 Auto Scaling group across multiple Availability Zones. A DevOps engineer is tasked with minimizing application response times and improving availability for users in both Regions.

Which combination of actions should be taken to address the latency issues? (Choose three.)

ACreate a new DynamoDB table in the new Region with cross-Region replication enabled.

BCreate new ALB and Auto Scaling group global resources and configure the new ALB to direct traffic to the new Auto Scaling group.

CCreate new ALB and Auto Scaling group resources in the new Region and configure the new ALB to direct traffic to the new Auto Scaling group.

DCreate Amazon Route 53 records, health checks, and latency-based routing policies to route to the ALB.

ECreate Amazon Route 53 aliases, health checks, and failover routing policies to route to the ALB.

FConvert the DynamoDB table to a global table.

Answer : C, D, F

C . Create new ALB and Auto Scaling group resources in the new Region and configure the new ALB to direct traffic to the new Auto Scaling group. This will allow users in the new Region to access the application with lower latency by reducing the network hops between the user and the application servers.

D . Create Amazon Route 53 records, health checks, and latency-based routing policies to route to the ALB. This will enable Route 53 to route user traffic to the nearest healthy ALB, based on the latency between the user and the ALBs.

F . Convert the DynamoDB table to a global table. This will enable reads and writes to the table in both Regions with low latency, improving the overall response time of the application

Question 2

A company has a web application that publishes logs that contain metadata for transactions, with a status of success or failure for each log. The logs are in JSON format. The application publishes the logs to an Amazon CloudWatch Logs log group.

The company wants to create a dashboard that displays the number of successful transactions.

Which solution will meet this requirement with the LEAST operational overhead?

ACreate an Amazon OpenSearch Service cluster and an OpenSearch Service subscription filter to send the log group data to the cluster. Create a dashboard within the Dashboards feature in the OpenSearch Service cluster by using a search query for transactions that have a status of success.

BCreate a CloudWatch subscription filter for the log group that uses an AWS Lambda function. Configure the Lambda function to parse the JSON logs and publish a custom metric to CloudWatch for transactions that have a status of success. Create a CloudWatch dashboard by using a metric graph that displays the custom metric.

CCreate a CloudWatch metric filter for the log groups with a filter pattern that matches the transaction status property and a value of success. Create a CloudWatch dashboard by using a metric graph that displays the new metric.

DCreate an Amazon Kinesis data stream that is subscribed to the log group. Configure the data stream to filter incoming log data based on a status of success and to send the filtered logs to an AWS Lambda function. Configure the Lambda function to publish a custom metric to CloudWatch. Create a CloudWatch dashboard by using a metric graph that displays the custom metric.

Answer : C

Question 3

A company uses AWS Secrets Manager to store a set of sensitive API keys that an AWS Lambda function uses. When the Lambda function is invoked, the Lambda function retrieves the API keys and makes an API call to an external service. The Secrets Manager secret is encrypted with the default AWS Key Management Service (AWS KMS) key.

A DevOps engineer needs to update the infrastructure to ensure that only the Lambda function's execution role can access the values in Secrets Manager. The solution must apply the principle of least privilege.

Which combination of steps will meet these requirements? (Select TWO.)

AUpdate the default KMS key for Secrets Manager to allow only the Lambda function's execution role to decrypt.

BCreate a KMS customer managed key that trusts Secrets Manager and allows the Lambda function's execution role to decrypt. Update Secrets Manager to use the new customer managed key.

CCreate a KMS customer managed key that trusts Secrets Manager and allows the account's :root principal to decrypt. Update Secrets Manager to use the new customer managed key.

DEnsure that the Lambda function's execution role has the KMS permissions scoped on the resource level. Configure the permissions so that the KMS key can encrypt the Secrets Manager secret.

ERemove all KMS permissions from the Lambda function's execution role.

Answer : B, D

The requirement is to update the infrastructure to ensure that only the Lambda function's execution role can access the values in Secrets Manager. The solution must apply the principle of least privilege, which means granting the minimum permissions necessary to perform a task.

To do this, the DevOps engineer needs to use the following steps:

Create a KMS customer managed key that trusts Secrets Manager and allows the Lambda function's execution role to decrypt. A customer managed key is a symmetric encryption key that is fully managed by the customer. The customer can define the key policy, which specifies who can use and manage the key. By creating a customer managed key, the DevOps engineer can restrict the decryption permission to only the Lambda function's execution role, and prevent other principals from accessing the secret values. The customer managed key also needs to trust Secrets Manager, which means allowing Secrets Manager to use the key to encrypt and decrypt secrets on behalf of the customer.

Update Secrets Manager to use the new customer managed key. Secrets Manager allows customers to choose which KMS key to use for encrypting each secret. By default, Secrets Manager uses the default KMS key for Secrets Manager, which is a service-managed key that is shared by all customers in the same AWS Region. By updating Secrets Manager to use the new customer managed key, the DevOps engineer can ensure that only the Lambda function's execution role can decrypt the secret values using that key.

Ensure that the Lambda function's execution role has the KMS permissions scoped on the resource level. The Lambda function's execution role is an IAM role that grants permissions to the Lambda function to access AWS services and resources. The role needs to have KMS permissions to use the customer managed key for decryption. However, to apply the principle of least privilege, the role should have the permissions scoped on the resource level, which means specifying the ARN of the customer managed key as a condition in the IAM policy statement. This way, the role can only use that specific key and not any other KMS keys in the account.

Question 4

A company uses AWS Organizations, AWS Control Tower, AWS Config, and Terraform to manage its AWS accounts and resources. The company must ensure that users deploy only AWS Lambda functions that are connected to a VPC in member AWS accounts.

Which solution will meet these requirements with the LEAST operational effort?

AConfigure AWS Control Tower to use proactive controls (guardrails). Enable optional controls implemented with AWS CloudFormation hooks for Lambda on all OUs.

BCreate a new SCP that checks the lambda:VpcIds condition key for allowed values.

CCreate a custom AWS Config rule to detect non-VPC-connected Lambda functions.

DCreate a new SCP with a conditional statement that denies Lambda creation if lambda:VpcIds is null.

Answer : D

Use a Service Control Policy (SCP) with a Null condition on lambda:VpcIds to deny Lambda function creation or update when not VPC-attached. This enforces compliance across all accounts automatically without manual remediation, aligning with AWS Control Tower governance recommendations.

Question 5

A company operates a fleet of Amazon EC2 instances that host critical applications and handle sensitive dat

a. The EC2 instances must have up-to-date security patches to protect against vulnerabilities and ensure compliance with industry standards and regulations. The company needs an automated solution to monitor and enforce security patch compliance across the EC2 fleet.

Which solution will meet these requirements?

AConfigure AWS Systems Manager Patch Manager and AWS Config with defined patch baselines and compliance rules that run Systems Manager Automation documents.

BAccess each EC2 instance by using SSH keys. Check for and apply security updates by using package managers. Verify the installations.

CConfigure Auto Scaling groups that have scaling policies based on Amazon CloudWatch metrics. Configure Auto Scaling launch templates that launch new instances by using the latest AMIs that contain new security patches.

DUse AWS CloudFormation to recreate EC2 instances with the latest AMI every time a new patch becomes available. Use AWS CloudTrail logs to monitor patch compliance and to send alerts for non-compliant instances.

Answer : A

Option A is the most correct because it provides both: (1) automated patching and (2) compliance monitoring/enforcement across a fleet, using AWS-native services built for exactly this purpose.

AWS Systems Manager Patch Manager is designed to automate patching of managed instances using patch baselines, maintenance windows (or on-demand), and it produces compliance status for patching. It's the standard AWS service to apply OS/security patches at scale without SSH'ing into instances.

AWS Config can be used to evaluate and track compliance over time against defined rules, giving centralized visibility and continuous compliance assessment. With remediation, Config can invoke Systems Manager Automation documents to correct non-compliant resources or trigger patch actions (depending on the rule/remediation design). This meets the ''monitor and enforce'' requirement.

Why the other options don't meet requirements as well:

B is manual, doesn't scale well, and increases operational risk (key management, human error). It's not ''automated monitoring and enforcement.''

C (replacing instances with new AMIs) can be part of an immutable infrastructure strategy, but by itself it does not provide compliance monitoring across the current fleet, and scaling policies based on CloudWatch metrics are unrelated to patch compliance. Also, patch cadence would depend on AMI pipelines and instance rotation rather than direct compliance enforcement.

Question 6

A company uses an Amazon Elastic Kubernetes Service (Amazon EKS) cluster to host its machine learning (ML) application. As the ML model and the container image grow, pod startup time has increased to several minutes. The DevOps engineer created an EventBridge rule that triggers Systems Manager automation to prefetch container images from ECR. Node groups and the cluster have tags configured.

What should the DevOps engineer do next to meet the requirements?

ACreate an IAM role allowing EventBridge to use Systems Manager to run commands in the control plane nodes. Create a State Manager association using control plane node tags.

BCreate an IAM role allowing EventBridge to use Systems Manager to run commands in the worker nodes. Create a State Manager association using the nodes' machine size.

CCreate an IAM role allowing EventBridge to use Systems Manager to run commands in the worker nodes. Create a State Manager association using the nodes' tags to prefetch container images.

DCreate an IAM role allowing EventBridge to use Systems Manager to run commands in the control plane nodes. Create a State Manager association using the nodes' tags.

Answer : C

Comprehensive & Detailed Explanation (150--250 words):

EKS control plane nodes are fully managed by AWS and are not accessible for configuration, SSH, SSM commands, or custom workloads. Therefore, any prefetching of container images must occur on the worker nodes (EC2 instances in the node groups) because those are the machines that pull and cache container images before running pods.

Option C is the only solution that aligns with AWS architecture:

It creates an IAM role allowing Systems Manager Run Command to execute on EC2 worker nodes.

It uses node group tags to target the correct nodes dynamically.

State Manager runs the prefetch script whenever triggered by the EventBridge automation --- ensuring newly added nodes pre-pull images and reduce cold-start latency to seconds.

Options A and D are invalid because you cannot run Systems Manager commands on EKS control plane nodes; AWS manages them and does not expose them. Option B incorrectly targets node groups based on machine size, which does not provide reliable node identification or filtering.

Thus, Option C provides the correct, scalable, and supported method for prefetching images across all worker nodes.

Question 7

A DevOps engineer is using AWS CodeDeploy across a fleet of Amazon EC2 instances in an EC2 Auto Scaling group. The associated CodeDeploy deployment group, which is integrated with EC2 Auto Scaling, is configured to perform in-place deployments with codeDeployDefault.oneAtATime During an ongoing new deployment, the engineer discovers that, although the overall deployment finished successfully, two out of five instances have the previous application revision deployed. The other three instances have the newest application revision

What is likely causing this issue?

AThe two affected instances failed to fetch the new deployment.

BA failed Afterinstall lifecycle event hook caused the CodeDeploy agent to roll back to the previous version on the affected instances

CThe CodeDeploy agent was not installed in two affected instances.

DEC2 Auto Scaling launched two new instances while the new deployment had not yet finished, causing the previous version to be deployed on the affected instances.

Answer : D

Amazon AWS Certified DevOps Engineer - Professional DOP-C02 Exam Questions