Free Amazon DOP-C02 Exam Questions

Question 1

A company uses AWS Control Tower and Organizations for a multi-account environment. It needs to create new accounts and ensure they receive a consistent baseline configuration. Which solution meets the requirement with the least overhead?

A : Use Account Factory Customization (AFC) blueprints for baseline setup.

B : Use Account Factory + StackSets post-setup.

C : Use Organizations with Lambda applying baseline via access role.

D : Use Organizations + StackSets manually.

Answer: A

Question 2

A company manages a multi-tenant environment in its VPC and has configured Amazon GuardDuty for the corresponding AWS account. The company sends all GuardDuty findings to AWS Security Hub.

Traffic from suspicious sources is generating a large number of findings. A DevOps engineer needs to implement a solution to automatically deny traffic across the entire VPC when GuardDuty discovers a new suspicious source.

Which solution will meet these requirements?

A : A. Create a GuardDuty threat list. Configure GuardDuty to reference the list. Create an AWS Lambda function that will update the threat list. Configure the Lambda function to run in response to new Security Hub findings that come from GuardDuty.

B : Configure an AWS WAF web ACL that includes a custom rule group. Create an AWS Lambda function that will create a block rule in the custom rule group. Configure the Lambda function to run in response to new Security Hub findings that come from GuardDuty.

C : Configure a firewall in AWS Network Firewall. Create an AWS Lambda function that will create a Drop action rule in the firewall policy. Configure the Lambda function to run in response to new Security Hub findings that come from GuardDuty

D : Create an AWS Lambda function that will create a GuardDuty suppression rule. Configure the Lambda function to run in response to new Security Hub findings that come from GuardDuty.

Answer: B

Question 3

A PHP web application is uploaded to the AWS Elastic Beanstalk of the company's development account to automatically handle the deployment, capacity provisioning, load balancing, auto-scaling, and application health monitoring. Amazon RDS is used as the database, and it is tightly coupled to the Elastic Beanstalk environment. A DevOps Engineer noticed that if you terminate the environment, its database goes down as well. This issue prevents you from performing seamless updates with blue-green deployments. Moreover, this poses a critical security risk if the company decides to deploy the application in its production environment.

How can the DevOps Engineer decouple the database instance from the environment with the LEAST amount of data loss?

A : couple the Amazon RDS instance from your Elastic Beanstalk environment using a blue/green deployment strategy. Enable deletion protection and take an RDS DB snapshot of the database. Set up a new Elastic Beanstalk environment with the necessary information to connect to the Amazon RDS instance and delete the old environment.

B : couple the Amazon RDS instance from your Elastic Beanstalk environment using the blue/green deployment strategy to decouple. Take an RDS DB snapshot of the database and enable deletion protection. Set up a new Elastic Beanstalk environment with the necessary information to connect to the Amazon RDS instance. Before terminating the old Elastic Beanstalk environment, remove its security group rule first before proceeding.

C : couple the Amazon RDS instance from your Elastic Beanstalk environment using the Canary deployment strategy. Take an RDS DB snapshot of the database and enable deletion protection. Set up a new Elastic Beanstalk environment with the necessary information to connect to the Amazon RDS instance and delete the old environment.

D : couple the Amazon RDS instance from your Elastic Beanstalk environment using the Canary deployment strategy. Take an RDS DB snapshot of the database and then set up a new Elastic Beanstalk environment with the necessary information to connect to the Amazon RDS instance.

Answer: B

Question 4

A DevOps engineer is building the infrastructure for an application. The application needs to run on an Amazon Elastic Kubernetes Service (Amazon EKS) cluster that includes Amazon EC2 instances. The EC2 instances need to use an Amazon Elastic File System (Amazon EFS) file system as a storage backend. The Amazon EFS Container Storage Interface (CSI) driver is installed on the EKS cluster.

When the DevOps engineer starts the application, the EC2 instances do not mount the EFS file system.

Which solutions will fix the problem? (Choose three.)

A : Switch the EKS nodes from Amazon EC2 to AWS Fargate.

B : Add an inbound rule to the EFS file system’s security group to allow NFS traffic from the EKS cluster.

C : Create an IAM role that allows the Amazon EFS CSI driver to interact with the file system

D : Set up AWS DataSync to configure file transfer between the EFS file system and the EKS nodes.

E : Create a mount target for the EFS file system in the subnet of the EKS nodes.

F : Disable encryption or the EFS file system.

Answer: B,C,F

Question 5

A DevOps engineer is creating a CI/CD pipeline to build container images. The engineer needs to store container images in Amazon Elastic Container Registry (Amazon ECR) and scan the images for common vulnerabilities. The CI/CD pipeline must be resilient to outages in upstream source container image repositories. Which solution will meet these requirements?

A : Create an ECR private repository in the private registry to store the container images and scan images when images are pushed to the repository. Configure a replication rule in the private registry to replicate images from upstream repositories.

B : Create an ECR public repository in the public registry to cache images from upstream source repositories. Create an ECR private repository to store images. Configure the private repository to scan images when images are pushed to the repository.

C : Create an ECR public repository in the public registry. Configure a pull through cache rule for the repository. Create an ECR private repository to store images. Configure the ECR private registry to perform basic scanning.

D : Create an ECR private repository in the private registry to store the container images. Enable basic scanning for the private registry, and create a pull through cache rule.

Answer: C