Free Amazon DOP-C02 Exam Questions

Question 1

A multinational corporation has multiple AWS accounts that are consolidated using AWS Organizations. For security purposes, a new system should be configured that automatically detects suspicious activities in any of its accounts, such as SSH brute force attacks or compromised EC2 instances that serve malware. All of the gathered information must be centrally stored in its dedicated security account for audit purposes, and the events should be stored in an S3 bucket.

As a DevOps Engineer, which solution should you implement in order to meet this requirement?

A : tomatically detect SSH brute force or malware attacks by enabling Amazon GuardDuty in the security account only. Set up the security account as the GuardDuty Administrator for every member account. Create a new CloudWatch rule in the security account. Configure the rule to send all findings to Amazon Kinesis Data Streams. Launch a custom shell script in Lambda function to read data from the Kinesis Data Streams and push them to the S3 bucket.

B : tomatically detect SSH brute force or malware attacks by enabling Amazon Macie in every account. Set up the security account as the Macie Administrator for every member account of the organization. Create an Amazon CloudWatch Events rule in the security account. Configure the rule to send all findings to Amazon Kinesis Data Firehose, which should push the findings to an Amazon S3 bucket.

C : tomatically detect SSH brute force or malware attacks by enabling Amazon Macie in the security account only. Configure the security account as the Macie Administrator for every member account. Set up a new CloudWatch Events rule in the security account. Configure the rule to send all findings to Amazon Kinesis Data Streams. Launch a custom shell script in Lambda function to read data from the Kinesis Data Streams and push them to the S3 bucket.

D : tomatically detect SSH brute force or malware attacks by enabling Amazon GuardDuty in every account. Configure the security account as the GuardDuty Administrator for every member of the organization. Set up a new CloudWatch rule in the security account. Configure the rule to send all findings to Amazon Kinesis Data Firehose, which will push the findings to the S3 bucket.

Answer: D

Question 2

A government agency is planning to launch a distributed system in AWS that processes thousands of transactions every day. The agency purchased a proprietary software with 100 licenses, which can be used by a maximum of 100 application servers. A DevOps Engineer needs to set up an automated solution that dynamically allocates the software licenses to the application servers. The Engineer also needs to provide a way to see the list of available licenses that are not in use.

Which of the following options below is the MOST suitable way to accomplish this task?

A : epare a CloudFormation template that uses an Auto Scaling group to launch the EC2 instances with an associated lifecycle hook for Instance Terminate. Store the 100 license codes to AWS Certificate Manager (ACM). Pull an available license from ACM using the User Data script of the instance upon launch. Use the lifecycle hook to update the license mapping after the instance is terminated.

B : epare a CloudFormation template that uses an Auto Scaling group to launch the EC2 instances with an associated lifecycle hook for Instance Terminate. Store the 100 license codes to a public S3 bucket. Pull an available license from the bucket using the User Data script of the instance upon launch. Use the lifecycle hook to update the license mapping after the instance is terminated.

C : epare a CloudFormation template that uses an Auto Scaling group to launch the EC2 instances with an associated lifecycle hook for Instance Terminate. Store the 100 license codes to a DynamoDB table. Pull an available license from the DynamoDB table using the User Data script of the instance upon launch. Use the lifecycle hook to update the license mapping after the instance is terminated.

D : epare a CloudFormation template that uses an Auto Scaling group to launch the EC2 instances. Store the 100 license codes to AWS Systems Manager Parameter Store. Pull an available license from the Systems manager using the instance metadata script of the instance upon launch. Configure the metadata script to update the license mapping after the instance is terminated.

Answer: C

Question 3

A company runs a workload on Amazon EC2 instances. The company needs a control that requires the use of Instance Metadata Service Version 2 (IMDSv2) on all EC2 instances in the AWS account. If an EC2 instance does not prevent the use of Instance Metadata Service Version 1 (IMDSv1), the EC2 instance must be terminated. Which solution will meet these requirements?

A : Set up AWS Config in the account. Use a managed rule to check EC2 instances. Configure the rule to remediate the findings by using AWS Systems Manager Automation to terminate the instance.

B : Create a permissions boundary that prevents the ec2:Runlnstance action if the ec2:MetadataHttpTokens condition key is not set to a value of required. Attach the permissions boundary to the IAM role that was used to launch the instance.

C : Set up Amazon Inspector in the account. Configure Amazon Inspector to activate deep inspection for EC2 instances. Create an Amazon EventBridge rule for an Inspector2 finding. Set an AWS Lambda function as the target to terminate the instance.

D : Create an Amazon EventBridge rule for the EC2 instance launch successful event. Send the event to an AWS Lambda function to inspect the EC2 metadata and to terminate the instance.

Answer: B

Question 4

A company is building a new pipeline by using AWS CodePipeline and AWS CodeBuild in a build account. The pipeline consists of two stages. The first stage is a CodeBuild job to build and package an AWS Lambda function. The second stage consists of deployment actions that operate on two different AWS accounts: a development environment account and a production environment account. The deployment stages use the AWS CloudFormation action that CodePipeline invokes to deploy the infrastructure that the Lambda function requires.

A DevOps engineer creates the CodePipeline pipeline and configures the pipeline to encrypt build artifacts by using the AWS Key Management Service (AWS KMS) AWS managed key for Amazon S3 (the aws/s3 key). The artifacts are stored in an S3 bucket. When the pipeline runs, the CloudFormation actions fail with an access denied error.

Which combination of actions must the DevOps engineer perform to resolve this error? (Choose two.)

A : eate an S3 bucket in each AWS account for the artifacts. Allow the pipeline to write to the S3 buckets. Create a CodePipeline S3 action to copy the artifacts to the S3 bucket in each AWS account. Update the CloudFormation actions to reference the artifacts S3 bucket in the production account.

B : eate a customer managed KMS key. Configure the KMS key policy to allow the IAM roles used by the CloudFormation action to perform decrypt operations. Modify the pipeline to use the customer managed KMS key to encrypt artifacts.

C : eate an AWS managed KMS key. Configure the KMS key policy to allow the development account and the production account to perform decrypt operations. Modify the pipeline to use the KMS key to encrypt artifacts.

D : the development account and in the production account, create an IAM role for CodePipeline. Configure the roles with permissions to perform CloudFormation operations and with permissions to retrieve and decrypt objects from the artifacts S3 bucket. In the CodePipeline account, configure the CodePipeline CloudFormation action to use the roles.

E : the development account and in the production account, create an IAM role for CodePipeline. Configure the roles with permissions to perform CloudFormation operations and with permissions to retrieve and decrypt objects from the artifacts S3 bucket. In the CodePipeline account, modify the artifacts S3 bucket policy to allow the roles access. Configure the CodePipeline CloudFormation action to use the roles.

Answer: B,D

Question 5

A company's developers use Amazon EC2 instances as remote workstations. The company is concerned that users can create or modify EC2 security groups to allow unrestricted inbound access.

A DevOps engineer needs to develop a solution to detect when users create unrestricted security group rules. The solution must detect changes to security group rules in near real time, remove unrestricted rules, and send email notifications to the security team. The DevOps engineer has created an AWS Lambda function that checks for security group ID from input, removes rules that grant unrestricted access, and sends notifications through Amazon Simple Notification Service (Amazon SNS).

What should the DevOps engineer do next to meet the requirements?

A : nfigure the Lambda function to be invoked by the SNS topic. Create an AWS CloudTrail subscription for the SNS topic. Configure a subscription filter for security group modification events.

B : eate an Amazon EventBridge scheduled rule to invoke the Lambda function. Define a schedule pattern that runs the Lambda function every hour.

C : eate an Amazon EventBridge event rule that has the default event bus as the source. Define the rule’s event pattern to match EC2 security group creation and modification events. Configure the rule to invoke the Lambda function.

D : eate an Amazon EventBridge custom event bus that subscribes to events from all AWS services. Configure the Lambda function to be invoked by the custom event bus.

Answer: C