Free Amazon DOP-C02 Exam Questions

Question 1

A company uses Amazon Redshift as its data warehouse solution. The company wants to create a dashboard to view changes to the Redshift users and the queries the users perform. Which combination of steps will meet this requirement? (Select TWO.)

A : Create an Amazon CloudWatch log group. Create an AWS CloudTrail trail that writes to the CloudWatch log group.

B : Create a new Amazon S3 bucket. Configure default audit logging on the Redshift cluster. Configure the S3 bucket as the target.

C : Configure the Redshift cluster database audit logging to include user activity logs. Configure Amazon CloudWatch as the target.

D : Create an Amazon CloudWatch dashboard that has a log widget. Configure the widget to display user details from the Redshift logs.

E : Create an AWS Lambda function that uses Amazon Athena to query the Redshift logs. Create an Amazon CloudWatch dashboard that has a custom widget type that uses the Lambda function.

Answer: B,D

Question 2

A leading IT consulting firm is building a GraphQL API service and a mobile application that lets people post photos and videos of the traffic situations and other issues in the city's public roads. Users can include a text report and constructive feedback to the authorities. The department of public works shall rectify the problems based on the data gathered by the system. In order for the mobile app to run on various mobile and tablet devices, the firm decided to develop it using the React Native mobile framework, which will consume and send data to the GraphQL API. The backend service will be responsible for storing the photos and videos in an Amazon S3 bucket. The API will also need access to the Amazon DynamoDB database to store the text reports. The firm has recently deployed the mobile app prototype, however, during testing, the GraphQL API showed a lot of issues. The team decided to remove the API to proceed with the project and refactor the mobile application instead so that it will directly connect to both DynamoDB and S3 as well as handle user authentication.

Which of the following options provides a cost-effective and scalable architecture for this project? (Select TWO.)

A : ing the STS AssumeRoleWithWebIdentity API, set up a web identity federation and register with various social identity providers like Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP. Set up an IAM role for that provider and grant permissions for the IAM role to allow access to Amazon S3 and DynamoDB. Configure the mobile application to use the AWS access and secret keys to store the photos and videos to an S3 bucket and persist the text-based report to a DynamoDB table.

B : ing the STS AssumeRoleWithSAML API, set up a web identity federation and register with various social identity providers like Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP. Set up an IAM role for that provider and grant permissions for the IAM role to allow access to Amazon S3 and DynamoDB. Configure the mobile app to use the AWS temporary security credentials to store the photos and videos to an S3 bucket and persist the text-based reports to the DynamoDB table.

C : eate an identity pool in AWS Identity and Access Management (IAM) that will be used to store the end-user identities organized for your mobile app. IAM will automatically create the required IAM roles for authenticated identities as well as for unauthenticated 'guest' identities that define permissions for the users. Download and integrate the AWS SDK for React Native with your app, and import the files required to use IAM. Configure your app to pass the credentials provider instance to the client object, which passes the temporary security credentials to the client.

D : eate an identity pool in Amazon Cognito that will be used to store the end-user identities organized for your mobile app. Amazon Cognito will automatically create the required IAM roles for authenticated identities as well as for unauthenticated 'guest' identities that define permissions for Amazon Cognito users. Download and integrate the AWS SDK for React Native with your app, and import the files required to use Amazon Cognito. Configure your app to pass the credentials provider instance to the client object, which passes the temporary security credentials to the client.

E : ing the STS AssumeRoleWithWebIdentity API, set up a web identity federation and register with social identity providers like Facebook, Google or any other OpenID Connect (OIDC)-compatible IdP. Create a new IAM Role and grant permissions to allow access to Amazon S3 and DynamoDB. Configure the mobile application to use the AWS temporary security credentials to store the photos and videos to an S3 bucket and persist the text-based reports to the DynamoDB table.

Answer: A,D

Question 3

A company updated the AWS CloudFormation template for a critical business application. The stack update process failed due to an error in the updated template, and AWS CloudFormation automatically began the stack rollback process. Later, a DevOps engineer discovered that the application was still unavailable and that the stack was in the UPDATE_ROLLBACK_FAILED state.

Which combination of actions should the DevOps engineer perform so that the stack rollback can complete successfully? (Choose two.)

A : tach the AWSCloudFormationFullAccess IAM policy to the AWS CloudFormation role.

B : tomatically recover the stack resources by using AWS CloudFormation drift detection.

C : ue a ContinueUpdateRollback command from the AWS CloudFormation console or the AWS CLI.

D : nually adjust the resources to match the expectations of the stack.

E : date the existing AWS CloudFormation stack by using the original template.

Answer: C,D

Question 4

A company has a data ingestion application that runs across multiple AWS accounts. The accounts are in an organization in AWS Organizations. The company needs to monitor the application and consolidate access to the application. Currently, the company is running the application on Amazon EC2 instances from several Auto Scaling groups. The EC2 instances have no access to the internet because the data is sensitive. Engineers have deployed the necessary VPC endpoints. The EC2 instances run a custom AMI that is built specifically for the application.

To maintain and troubleshoot the application, system administrators need the ability to log in to the EC2 instances. This access must be automated and controlled centrally. The company’s security team must receive a notification whenever the instances are accessed.

Which solution will meet these requirements?

A : eate an Amazon EventBridge rule to send notifications to the security team whenever a user logs in to an EC2 instance. Use EC2 Instance Connect to log in to the instances. Deploy Auto Scaling groups by using AWS CloudFormation. Use the cfn-init helper script to deploy appropriate VPC routes for external access. Rebuild the custom AMI so that the custom AMI includes AWS Systems Manager Agent.

B : ploy a NAT gateway and a bastion host that has internet access. Create a security group that allows incoming traffic on all the EC2 instances from the bastion host. Install AWS Systems Manager Agent on all the EC2 instances. Use Auto Scaling group lifecycle hooks for monitoring and auditing access. Use Systems Manager Session Manager to log in to the instances. Send logs to a log group in Amazon CloudWatch Logs. Export data to Amazon S3 for auditing. Send notifications to the security team by using S3 event notifications.

C : EC2 Image Builder to rebuild the custom AMI. Include the most recent version of AWS Systems Manager Agent in the image. Configure the Auto Scaling group to attach the AmazonSSMManagedInstanceCore role to all the EC2 instances. Use Systems Manager Session Manager to log in to the instances. Enable logging of session details to Amazon S3. Create an S3 event notification for new file uploads to send a message to the security team through an Amazon Simple Notification Service (Amazon SNS) topic.

D : AWS Systems Manager Automation to build Systems Manager Agent into the custom AMI. Configure AWS Config to attach an SCP to the root organization account to allow the EC2 instances to connect to Systems Manager. Use Systems Manager Session Manager to log in to the instances. Enable logging of session details to Amazon S3. Create an S3 event notification for new file uploads to send a message to the security team through an Amazon Simple Notification Service (Amazon SNS) topic.

Answer: C

Question 5

A company uses a single AWS account to test applications on Amazon EC2 instances. The company has turned on AWS Config in the AWS account and has activated the restricted-ssh AWS Config managed rule.

The company needs an automated monitoring solution that will provide a customized notification in real time if any security group in the account is not compliant with the restricted-ssh rule. The customized notification must contain the name and ID of the noncompliant security group.

A DevOps engineer creates an Amazon Simple Notification Service (Amazon SNS) topic in the account and subscribes the appropriate personnel to the topic.

What should the DevOps engineer do next to meet these requirements?

A : eate an Amazon EventBridge rule that matches an AWS Config evaluation result of NON_COMPLIANT for the restricted-ssh rule. Configure an input transformer for the EventBridge rule. Configure the EventBridge rule to publish a notification to the SNS topic.

B : nfigure AWS Config to send all evaluation results for the restricted-ssh rule to the SNS topic. Configure a filter policy on the SNS topic to send only notifications that contain the text of NON_COMPLIANT in the notification to subscribers.

C : eate an Amazon EventBridge rule that matches an AWS Config evaluation result of NON_COMPLIANT for the restricted-ssh rule. Configure the EventBridge rule to invoke AWS Systems Manager Run Command on the SNS topic to customize a notification and to publish the notification to the SNS topic.

D : eate an Amazon EventBridge rule that matches all AWS Config evaluation results of NON_COMPLIANT. Configure an input transformer for the restricted-ssh rule. Configure the EventBridge rule to publish a notification to the SNS topic.

Answer: A