Free Amazon DOP-C02 Exam Questions

Question 1

A company needs to ensure that flow logs remain configured for all existing and new VPCs in its AWS account. The company uses an AWS CloudFormation stack to manage its VPCs. The company needs a solution that will work for any VPCs that any IAM user creates. Which solution will meet these requirements?

A : Add the resource to the CloudFormation stack that creates the VPCs.

B : Create an organization in AWS Organizations. Add the company's AWS account to the organization. Create an SCP to prevent users from modifying VPC flow logs.

C : Turn on AWS Config. Create an AWS Config rule to check whether VPC flow logs are turned on. Configure automatic remediation to turn on VPC flow logs.

D : Create an IAM policy to deny the use of API calls for VPC flow logs. Attach the IAM policy to all IAM users.

Answer: C

Question 2

A company has several AWS accounts. An Amazon Connect instance runs in each account. The company uses an Amazon EventBridge default event bus in each account for event handling. A DevOps team needs to receive all the Amazon Connect events in a single DevOps account. Which solution meets these requirements?

A : Update the resource-based policy of the default event bus in each account to allow the DevOps account to replay events. Configure an EventBridge rule in the DevOps account that matches Amazon Connect events and has a target of the default event bus in the other accounts.

B : Update the resource-based policy of the default event bus in each account to allow the DevOps account to receive events. Configure an EventBridge rule in the DevOps account that matches Amazon Connect events and has a target of the default event bus in the other accounts.

C : Update the resource-based policy of the default event bus in the DevOps account. Update the policy to allow events to be received from the accounts. Configure an EventBridge rule in each account that matches Amazon Connect events and has a target of the DevOps account's default event bus

D : Update the resource-based policy of the default event bus in the DevOps account. Update the policy to allow events to be replayed by the accounts. Configure an EventBridge rule in each account that matches Amazon Connect events and has a target of the DevOps account's default event bus.

Answer: C

Question 3

A company uses an Amazon Elastic Kubernetes Service (Amazon EKS) cluster to deploy its web applications on containers. The web applications contain confidential data that cannot be decrypted without specific credentials.

A DevOps engineer has stored the credentials in AWS Secrets Manager. The secrets are encrypted by an AWS Key Management Service (AWS KMS) customer managed key. A Kubernetes service account for a third-party tool makes the secrets available to the applications. The service account assumes an IAM role that the company created to access the secrets.

The service account receives an Access Denied (403 Forbidden) error while trying to retrieve the secrets from Secrets Manager.

What is the root cause of this issue?

A : The IAM role that is attached to the EKS cluster does not have access to retrieve the secrets from Secrets Manager.

B : The key policy for the customer managed key does not allow the Kubernetes service account IAM role to use the key.

C : The key policy for the customer managed key does not allow the EKS cluster IAM role to use the key.

D : The IAM role that is assumed by the Kubernetes service account does not have permission to access the EKS cluster.

Answer: B

Question 4

A popular e-commerce website which has customers across the globe is hosted in the us-east-1 AWS region with a backup site in the us-west-1 region. Due to an unexpected regional outage in the us-east-1 region, the company initiated their disaster recovery plan and turned on the backup site. However, they discovered that the actual failover still entails several hours of manual effort to prepare and switch over the database. They also noticed that the database is missing up to three hours of data transactions when the regional outage happened. Which of the following solutions should the DevOps engineer implement which will improve the RTO and RPO of the website for the cross-region failover?

A : eate a snapshot every hour using Amazon RDS scheduled instance lifecycle events which will also allow you to monitor specific RDS events. Perform a cross-region snapshot copy into the us-west-1 backup region once the SnapshotCreateComplete event occurred. Create an Amazon CloudWatch Alert which will trigger an action to restore the Amazon RDS database snapshot in the backup region when the CPU Utilization metric of the RDS instance in CloudWatch falls to 0% for more than 15 minutes.

B : Step Functions with 2 Lambda functions that call the RDS API to create a snapshot of the database, create a cross-region snapshot copy, and restore the database instance from a snapshot in the backup region. Use CloudWatch Events to trigger the function to take a database snapshot every hour. Set up an SNS topic that will receive published messages from AWS Health API, RDS availability and other events that will trigger the Lambda function to create a cross-region snapshot copy. During failover, Configure the Lambda function to restore the database from a snapshot in the backup region.

C : Use an ECS cluster to host a custom python script that calls the RDS API to create a snapshot of the database, create a cross-region snapshot copy, and restore the database instance from a snapshot in the backup region. Create a scheduled job using CloudWatch Events that triggers the Lambda function to snapshot a database instance every hour. Set up an SNS topic that will receive published messages about AWS-initiated RDS events from Trusted Advisor that will trigger the function to create a cross-region snapshot copy. During failover, restore the database from a snapshot in the backup region.

D : nfigure an Amazon RDS Multi-AZ Deployment configuration and place the standby instance in the us-west-1 region. Set up the RDS option group to enable multi-region availability for native automation of cross-region recovery as well as for continuous data replication. Set up a notification system using Amazon SNS which is integrated with AWS Health API to monitor RDS-related systems events and notify the Operations team. In the actual failover where the primary database instance is down, RDS will automatically make the standby instance in the backup region as the primary instance.

Answer: B

Question 5

A DevOps engineer needs a resilient CI/CD pipeline that builds container images, stores them in ECR, scans images for vulnerabilities, and is resilient to outages in upstream source image repositories. Which solution meets this?

A : Create a private ECR repo, scan images on push, replicate images from upstream repos with a replication rule.

B : Create a private ECR repo, scan images on push, replicate images from upstream repos with a replication rule

C : Create a public ECR repo, configure a pull-through cache rule, create a private repo to store images, enable basic scanning.

D : Create a private ECR repo, enable basic scanning, create a pull-through cache rule.

Answer: D