Free Amazon DOP-C02 Exam Questions

Question 1

A cloud team uses AWS Organizations and AWS IAM Identity Center (AWS Single Sign-On) to manage a company's AWS accounts. The company recently established a research team. The research team requires the ability to fully manage the resources in its account. The research team must not be able to create IAM users.

The cloud team creates a Research Administrator permission set in IAM Identity Center for the research team. The permission set has the AdministratorAccess AWS managed policy attached. The cloud team must ensure that no one on the research team can create IAM users.

Which solution will meet these requirements?

A : Create an IAM policy that denies the iam:CreateUser action. Attach the IAM policy to the Research Administrator permission set.

B : . Create an IAM policy that allows all actions except the iam:CreateUser action. Use the IAM policy to set the permissions boundary for the Research Administrator permission set.

C : Create an SCP that denies the iam:CreateUser action. Attach the SCP to the research team's AWS account.

D : reate an AWS Lambda function that deletes IAM users. Create an Amazon EventBridge rule that detects the IAM CreateUser event. Configure the rule to invoke the Lambda function.

Answer: C

Question 2

A company uses AWS Control Tower and Organizations for a multi-account environment. It needs to create new accounts and ensure they receive a consistent baseline configuration. Which solution meets the requirement with the least overhead?

A : Use Account Factory Customization (AFC) blueprints for baseline setup.

B : Use Account Factory + StackSets post-setup.

C : Use Organizations with Lambda applying baseline via access role.

D : Use Organizations + StackSets manually.

Answer: A

Question 3

A PHP web application is uploaded to the AWS Elastic Beanstalk of the company's development account to automatically handle the deployment, capacity provisioning, load balancing, auto-scaling, and application health monitoring. Amazon RDS is used as the database, and it is tightly coupled to the Elastic Beanstalk environment. A DevOps Engineer noticed that if you terminate the environment, its database goes down as well. This issue prevents you from performing seamless updates with blue-green deployments. Moreover, this poses a critical security risk if the company decides to deploy the application in its production environment.

How can the DevOps Engineer decouple the database instance from the environment with the LEAST amount of data loss?

A : couple the Amazon RDS instance from your Elastic Beanstalk environment using a blue/green deployment strategy. Enable deletion protection and take an RDS DB snapshot of the database. Set up a new Elastic Beanstalk environment with the necessary information to connect to the Amazon RDS instance and delete the old environment.

B : couple the Amazon RDS instance from your Elastic Beanstalk environment using the blue/green deployment strategy to decouple. Take an RDS DB snapshot of the database and enable deletion protection. Set up a new Elastic Beanstalk environment with the necessary information to connect to the Amazon RDS instance. Before terminating the old Elastic Beanstalk environment, remove its security group rule first before proceeding.

C : couple the Amazon RDS instance from your Elastic Beanstalk environment using the Canary deployment strategy. Take an RDS DB snapshot of the database and enable deletion protection. Set up a new Elastic Beanstalk environment with the necessary information to connect to the Amazon RDS instance and delete the old environment.

D : couple the Amazon RDS instance from your Elastic Beanstalk environment using the Canary deployment strategy. Take an RDS DB snapshot of the database and then set up a new Elastic Beanstalk environment with the necessary information to connect to the Amazon RDS instance.

Answer: B

Question 4

A DevOps engineer is creating a CI/CD pipeline to build container images. The engineer needs to store container images in Amazon Elastic Container Registry (Amazon ECR) and scan the images for common vulnerabilities. The CI/CD pipeline must be resilient to outages in upstream source container image repositories. Which solution will meet these requirements?

A : Create an ECR private repository in the private registry to store the container images and scan images when images are pushed to the repository. Configure a replication rule in the private registry to replicate images from upstream repositories.

B : Create an ECR public repository in the public registry to cache images from upstream source repositories. Create an ECR private repository to store images. Configure the private repository to scan images when images are pushed to the repository.

C : Create an ECR public repository in the public registry. Configure a pull through cache rule for the repository. Create an ECR private repository to store images. Configure the ECR private registry to perform basic scanning.

D : Create an ECR private repository in the private registry to store the container images. Enable basic scanning for the private registry, and create a pull through cache rule.

Answer: C

Question 5

A JavaScript-based online salary calculator hosted on-premises is slated to be migrated to AWS. The application has no server-side code and is just composed of a UI powered by Vue.js and Bootstrap. Since the online calculator may contain sensitive financial data, adding HTTP response headers such as X-Content-Type-Options, X-Frame-Options and X-XSS-Protection should be implemented to comply with the Open Web Application Security Project (OWASP) standards.

Which of the following is the MOST suitable solution that you should implement?

A : t the application on an S3 bucket configured for website hosting then set up server access logging on the Amazon S3 bucket to track user activity. Enable Amazon S3 client-side encryption and configure it to return the required security headers.

B : t the application on an S3 bucket configured for website hosting then set up server access logging on the S3 bucket to track user activity. Configure the bucket policy of the S3 bucket to return the required security headers.

C : t the application on an S3 bucket configured for website hosting. Set up a CloudFront web distribution and set the S3 bucket as the origin. Set a custom Request and Response Behavior in CloudFront that automatically adds the required security headers in the HTTP response.

D : t the application on an S3 bucket configured for website hosting. Set up a CloudFront web distribution and set the S3 bucket as the origin with the origin response event set to trigger a Lambda@Edge function. Add the required security headers in the HTTP response using the Lambda function.

Answer: D