Amazon DOP-C02 Exam Questions Instant Access

Question 1

A company uses AWS Lambda functions in the primary operating AWS Region of its AWS account. The company manually created the Lambda functions.

The company needs to use a Python-based AWS Cloud Development Kit (AWS CDK) application to manage the Lambda functions.

Which solution meets these requirements with the LEAST implementation effort?

AStart a partial scan by using the AWS CloudFormation IaC generator. Filter by the Lambda resource type. Create an AWS CDK app from the scanned resources.

BStart a partial scan by using the AWS CloudFormation IaC generator. Filter by the Lambda resource type. Create a CloudFormation template from the scanned resources. Convert the template to an AWS CDK app.

CStart a partial scan by using the AWS CloudFormation IaC generator. Filter by the Lambda resource type. Create a CloudFormation template. Replace the code properties, then convert the template to an AWS CDK app.

DCreate a resource inventory by using AWS Config. Filter by the Lambda resource type. Export the inventory to a .csv file. Write an AWS CDK app that references the Lambda functions from the .csv file.

Answer : A

The CloudFormation IaC generator can reverse-engineer existing resources (partial scan) into infrastructure as code. Filtering by Lambda type creates CDK-ready constructs with minimal manual work. AWS recommends this method for IaC onboarding of existing workloads.

Question 2

A security team wants to use AWS CloudTrail to monitor all actions and API calls in multiple accounts that are in the same organization in AWS Organizations. The security team needs to ensure that account users cannot turn off CloudTrail in the accounts.

Which solution will meet this requirement?

AApply an SCP to all OUs to deny the cloudtrail:StopLogging action and the cloudtrail:DeleteTrail action.

BCreate IAM policies in each account to deny the cloudtrail:StopLogging action and the cloudtrail:DeleteTrail action.

CSet up Amazon CloudWatch alarms to notify the security team when a user disables CloudTrail in an account.

DUse AWS Config to automatically re-enable CloudTrail if a user disables CloudTrail in an account.

Answer : A

To ensure that CloudTrail cannot be disabled in any member account, the control must be enforced above the individual accounts, at the organization level, and must not be overridable by local administrators. AWS Service Control Policies (SCPs) provide exactly this capability: they define permission guardrails that apply to all IAM users, roles, and even the root user in accounts within an AWS Organizations OU.

By applying an SCP that explicitly denies cloudtrail:StopLogging and cloudtrail:DeleteTrail, the organization prevents any principal in the affected accounts from disabling logging or deleting the trails, regardless of their IAM permissions. This provides strong, centralized enforcement of audit logging.

Option B uses IAM policies in each account. Local administrators with sufficient privileges could modify or detach those policies, defeating the control. Option C only sends notifications and does not prevent the action. Option D with AWS Config auto-remediation still allows a window where CloudTrail is disabled and also can be disabled or modified itself.

Therefore, the most robust and least bypassable approach is to use an SCP at the OU level to deny CloudTrail stop and delete actions.

Question 3

A DevOps team is deploying microservices for an application on an Amazon Elastic Kubernetes Service (Amazon EKS) cluster. The cluster uses managed node groups.

The DevOps team wants to enable auto scaling for the microservice Pods based on a specific CPU utilization percentage. The DevOps team has already installed the Kubernetes Metrics Server on the cluster.

Which solution will meet these requirements in the MOST operationally efficient way?

AEdit the Auto Scaling group that is associated with the worker nodes of the EKS cluster. Configure the Auto Scaling group to use a target tracking scaling policy to scale when the average CPU utilization of the Auto Scaling group reaches a specific percentage.

BDeploy the Kubernetes Horizontal Pod Autoscaler (HPA) and the Kubernetes Vertical Pod Autoscaler (VPA) in the cluster. Configure the HPA to scale based on the target CPU utilization percentage. Configure the VPA to use the recommender mode setting.

CRun the AWS Systems Manager AWS-UpdateEKSManagedNodeGroup Automation document. Modify the values for NodeGroupDesiredSize, NodeGroupMaxSize, and NodeGroupMinSize to be based on an estimate for the required node size.

DDeploy the Kubernetes Horizontal Pod Autoscaler (HPA) and the Kubernetes Cluster Autoscaler in the cluster. Configure the HPA to scale based on the target CPU utilization percentage. Configure the Cluster Autoscaler to use the auto-discovery setting.

Answer : D

Comprehensive and Detailed Explanation From Exact Extract:

To scale microservice Pods based on CPU utilization, the Kubernetes Horizontal Pod Autoscaler (HPA) uses the Kubernetes Metrics Server to monitor resource usage and automatically adjusts the number of Pods. However, scaling Pods may require additional nodes if the current node capacity is insufficient.

The Cluster Autoscaler works with EKS managed node groups to add or remove worker nodes based on pending Pod requirements and resource usage.

By deploying both HPA and Cluster Autoscaler, the system can automatically scale Pods and add nodes as necessary, ensuring efficient resource utilization and availability.

Configuring the Cluster Autoscaler with auto-discovery allows it to manage node groups without manual intervention, reducing operational effort.

Option A only scales nodes based on node CPU utilization, not Pods.

Option B uses VPA recommender mode, which only suggests resource changes and does not scale automatically.

Option C involves manual updates and is not automated scaling.

Therefore, option D provides the most operationally efficient, fully automated scaling solution.

Reference from AWS Official Documentation:

Kubernetes Horizontal Pod Autoscaler:

'HPA automatically scales the number of Pods based on observed CPU utilization or other metrics.'

(Kubernetes HPA)

Cluster Autoscaler on Amazon EKS:

'The Cluster Autoscaler automatically adjusts the size of the Kubernetes cluster when there are Pods that fail to run due to insufficient resources or when nodes in the cluster are underutilized.'

(AWS EKS Cluster Autoscaler)

Question 4

A company uses a trunk-based development branching strategy. The company has two AWS CodePipeline pipelines that are integrated with a Git provider. The pull_request pipeline has a branch filter that matches the feature branches. The main_branch pipeline has a branch filter that matches the main branch.

When pull requests are merged into the main branch, the pull requests are deployed by using the main_branch pipeline. The company's developers need test results for all submitted pull requests as quickly as possible from the pull_request pipeline. The company wants to ensure that the main_branch pipeline's test results finish and that each deployment is complete before the next pipeline execution.

Which solution will meet these requirements?

AConfigure the pull_request pipeline to use SUPERSEDED mode. Configure the main_branch pipeline to use QUEUED mode.

BConfigure the pull_request pipeline to use PARALLEL mode. Configure the main_branch pipeline to use QUEUED mode.

CConfigure the pull_request pipeline to use PARALLEL mode. Configure the main_branch pipeline to use SUPERSEDED mode.

DConfigure the pull_request pipeline to use QUEUED mode. Configure the main_branch pipeline to use SUPERSEDED mode.

Answer : B

Comprehensive and Detailed Explanation From Exact Extract of DevOps Engineer Documents Only:

In CodePipeline's execution mode,

PARALLEL mode for pull_request pipelines ensures that multiple feature branches can be tested simultaneously for quick feedback.

QUEUED mode for main_branch ensures deployments run sequentially --- each must finish before the next begins, preventing overlap.

This configuration aligns with AWS CodePipeline best practices for trunk-based development and concurrent test pipelines.

Question 5

A company has deployed an application in a single AWS Region. The application backend uses Amazon DynamoDB tables and Amazon S3 buckets.

The company wants to deploy the application in a secondary Region. The company must ensure that the data in the DynamoDB tables and the S3 buckets persists across both Regions. The data must also immediately propagate across Regions.

Which solution will meet these requirements with the MOST operational efficiency?

AImplement two-way S3 bucket replication between the primary Region's S3 buckets and the secondary Region's S3 buckets. Convert the DynamoDB tables into global tables. Set the secondary Region as the additional Region.

BImplement S3 Batch Operations copy jobs between the primary Region and the secondary Region for all S3 buckets. Convert the DynamoDB tables into global tables. Set the secondary Region as the additional Region.

CImplement two-way S3 bucket replication between the primary Region's S3 buckets and the secondary Region's S3 buckets. Enable DynamoDB streams on the DynamoDB tables in both Regions. In each Region, create an AWS Lambda function that subscribes to the DynamoDB streams. Configure the Lambda function to copy new records to the DynamoDB tables in the other Region.

DImplement S3 Batch Operations copy jobs between the primary Region and the secondary Region for all S3 buckets. Enable DynamoDB streams on the DynamoDB tables in both Regions. In each Region, create an AWS Lambda function that subscribes to the DynamoDB streams. Configure the Lambda function to copy new records to the DynamoDB tables in the other Region.

Answer : A

The company needs multi-Region data persistence with immediate propagation and minimal operational overhead. For S3, the correct mechanism is S3 replication (Cross-Region Replication or Same-Region Replication), which continuously and asynchronously replicates new objects as they are written. Configuring two-way replication between the primary and secondary Region buckets ensures that objects written in either Region are replicated to the other automatically without custom code.

For DynamoDB, the native solution for multi-Region replication is DynamoDB global tables. Global tables provide multi-master, multi-Region replication with low-latency reads and writes in each Region and automatic propagation of changes. Converting existing tables into global tables and adding the secondary Region as a replica gives immediate, managed cross-Region replication with minimal maintenance.

Option A combines these two fully managed features: two-way S3 replication and DynamoDB global tables. This yields the highest operational efficiency.

Options B, C, and D rely on S3 Batch Operations or DynamoDB Streams + Lambda to manually copy data cross-Region. These approaches add complexity, custom code, and operational risk, and they are less suitable when AWS provides managed replication mechanisms specifically designed for this purpose.

Therefore, Option A is the correct and most efficient solution.

Question 6

A company runs a development environment website and database on an Amazon EC2 instance that uses Amazon Elastic Block Store (Amazon EBS) storage. The company wants to make the instance more resilient to underlying hardware issues. The company wants to automatically recover the EC2 instance if AWS determines the instance has lost network connectivity.

Which solution will meet these requirements?

AAdd the EC2 instance to an Auto Scaling group. Set the minimum, maximum, and desired capacity to 1.

BAdd the EC2 instance to an Auto Scaling group. Configure a lifecycle hook to detach the EBS volume if the EC2 instance shuts down or terminates.

CCreate an Amazon CloudWatch alarm for the StatusCheckFailed_System metric. Add an EC2 action to recover the instance when the alarm state is in ALARM.

DCreate an Amazon CloudWatch alarm for the NetworkOut metric. Add an EC2 action to recover the instance when the alarm state is in INSUFFICIENT_DATA.

Answer : C

Comprehensive and Detailed Explanation From Exact Extract of DevOps Engineer documents only:

Configure a CloudWatch alarm on StatusCheckFailed_System and set the EC2 recovery action. Instance recovery automatically recovers the instance on impaired hardware while preserving the instance ID, private IPs, EBS volumes, and metadata.

Question 7

A large company recently acquired a small company. The large company invited the small company to join the large company's existing organization in AWS Organizations as a new OU. A DevOps engineer determines that the small company needs to launch t3.small Amazon EC2 instance types for the company's application workloads. The small company needs to deploy the instances only within US-based AWS Regions. The DevOps engineer needs to use an SCP in the small company's new OU to ensure that the small company can launch only the required instance types. Which solution will meet these requirements?

AConfigure a statement to deny the ec2:RunInstances action for all EC2 instance resources when the ec2:InstanceType condition is not equal to t3.small. Configure another statement to deny the ec2:RunInstances action for all EC2 instance resources when the aws:RequestedRegion condition is not equal to us-.

BConfigure a statement to allow the ec2:RunInstances action for all EC2 instance resources when the ec2:InstanceType condition is not equal to t3.small. Configure another statement to allow the ec2:RunInstances action for all EC2 instance resources when the aws:RequestedRegion condition is not equal to us-.

CConfigure a statement to deny the ec2:RunInstances action for all EC2 instance resources when the ec2:InstanceType condition is equal to t3.small. Configure another statement to deny the ec2:RunInstances action for all EC2 instance resources when the aws:RequestedRegion condition is equal to us-.

DConfigure a statement to allow the ec2:RunInstances action for all EC2 instance resources when the ec2:InstanceType condition is equal to t3.small. Configure another statement to allow the ec2:RunInstances action for all EC2 instance resources when the aws:RequestedRegion condition is equal to us-.

Answer : B

Amazon AWS Certified DevOps Engineer - Professional DOP-C02 Exam Questions