Free Amazon DOP-C02 Exam Questions

Question 1

A company manages a multi-tenant environment in its VPC and has configured Amazon GuardDuty for the corresponding AWS account. The company sends all GuardDuty findings to AWS Security Hub.

Traffic from suspicious sources is generating a large number of findings. A DevOps engineer needs to implement a solution to automatically deny traffic across the entire VPC when GuardDuty discovers a new suspicious source.

Which solution will meet these requirements?

A : A. Create a GuardDuty threat list. Configure GuardDuty to reference the list. Create an AWS Lambda function that will update the threat list. Configure the Lambda function to run in response to new Security Hub findings that come from GuardDuty.

B : Configure an AWS WAF web ACL that includes a custom rule group. Create an AWS Lambda function that will create a block rule in the custom rule group. Configure the Lambda function to run in response to new Security Hub findings that come from GuardDuty.

C : Configure a firewall in AWS Network Firewall. Create an AWS Lambda function that will create a Drop action rule in the firewall policy. Configure the Lambda function to run in response to new Security Hub findings that come from GuardDuty

D : Create an AWS Lambda function that will create a GuardDuty suppression rule. Configure the Lambda function to run in response to new Security Hub findings that come from GuardDuty.

Answer: B

Question 2

A company has several AWS accounts. An Amazon Connect instance runs in each account. The company uses an Amazon EventBridge default event bus in each account for event handling. A DevOps team needs to receive all the Amazon Connect events in a single DevOps account. Which solution meets these requirements?

A : Update the resource-based policy of the default event bus in each account to allow the DevOps account to replay events. Configure an EventBridge rule in the DevOps account that matches Amazon Connect events and has a target of the default event bus in the other accounts.

B : Update the resource-based policy of the default event bus in each account to allow the DevOps account to receive events. Configure an EventBridge rule in the DevOps account that matches Amazon Connect events and has a target of the default event bus in the other accounts.

C : Update the resource-based policy of the default event bus in the DevOps account. Update the policy to allow events to be received from the accounts. Configure an EventBridge rule in each account that matches Amazon Connect events and has a target of the DevOps account's default event bus

D : Update the resource-based policy of the default event bus in the DevOps account. Update the policy to allow events to be replayed by the accounts. Configure an EventBridge rule in each account that matches Amazon Connect events and has a target of the DevOps account's default event bus.

Answer: C

Question 3

A company is planning to host their enterprise web application in an Amazon ECS Cluster which uses the Fargate launch type. The database credentials, API keys, and other sensitive parameters should be provided to the application image by using environment variables. A DevOps engineer was instructed to ensure that the sensitive parameters are highly secured when passed to the image and must be kept in a dedicated storage with lifecycle management. The size of some parameters can exceed up to 12 Kb in size and must be rotated automatically.

Which of the following is the MOST suitable solution that the DevOps engineer should implement?

A : ore the API Keys and other credentials in AWS Key Management Service (AWS KMS) and enable automatic key rotation. Set up an IAM role to the ECS task definition script that allows access to AWS KMS to retrieve the necessary parameters when calling the register-task-definition action in Amazon ECS.

B : ep the credentials using the AWS Secrets Manager and then encrypt them using AWS KMS. Set up an IAM Role for your Amazon ECS task execution role and reference it with your task definition which allows access to both KMS and AWS Secrets Manager. Within your container definition, specify secrets with the name of the environment variable to set in the container and the full ARN of the Secrets Manager secret which contains the sensitive data, to present to the container. Enable the built-in automatic key rotation for the credentials.

C : ep the credentials using the AWS Systems Manager Parameter Store and then encrypt them using AWS KMS. Set up an IAM Role for your Amazon ECS task execution role and reference it with your task definition, which allows access to both KMS and the Parameter Store. Within your container definition, specify secrets with the name of the environment variable to set in the container and the full ARN of the Systems Manager Parameter Store parameter containing the sensitive data to present to the container. Enable the built-in automatic key rotation for the parameters.

D : ore the credentials using AWS Storage Gateway in the ECS task definition file of the ECS Cluster in order to centrally manage these sensitive data and securely transmit these only to those containers that need access to them. Ensure that the secrets are encrypted and can only be accessed to those services which have been granted explicit access to it via IAM Role, and only while those service tasks are running. Launch a custom rotation function in AWS Lambda and automatically rotate the credentials using Amazon EventBridge.

Answer: B

Question 4

You have developed a custom web dashboard for your company that shows all instances running on AWS including the instance details. The web app relies on a DynamoDB table that will be updated whenever a new instance is created or terminated. You have several auto scaling groups of EC2 instances and you want to have an effective way of updating the DynamoDB table whenever a new instance is created or terminated.

Which of the following steps will you implement?

A : eate a custom script that runs on the instances that will run on scale-in and scale-out events to update the DynamoDB table with the necessary details.

B : nfigure a CloudWatch Events target to your auto scaling group that will trigger a Lambda function when a lifecycle action occurs. Configure the function to update the DynamoDB table with the necessary instance details.

C : nfigure a CloudWatch alarm that will monitor the number of instances on your auto scaling group and trigger a Lambda function to update the DynamoDB table with the necessary details.

D : fine a Lambda function as a notification target for the lifecycle hook for the auto scaling group. In the event of a scale-out or scale-in, the lifecycle hook will trigger the Lambda function to update the DynamoDB table with the necessary details.

Answer: B

Question 5

You have developed an app that lets users quickly upload and share image snippets across various platforms such as mobile app, desktop web browser, and third party instant messaging apps. Your app relies on a Lambda function that detects each request’s User-Agent and automatically sends a corresponding image resolution based on the device. You want to have a consistent and fast experience for all your users around the world.

Which of the following options will you implement?

A : load your function on S3 and set it as CloudFront origin to run it.

B : ploy your function on Amazon API Gateway and set up an Edge-optimized API endpoint.

C : eate your function on Lambda and deploy it with Lambda@Edge.

D : eate your function on AWS Lambda and set it as a CloudFront origin.

Answer: C