Free Amazon DOP-C02 Exam Questions

Question 1

A cloud team uses AWS Organizations and AWS IAM Identity Center (AWS Single Sign-On) to manage a company's AWS accounts. The company recently established a research team. The research team requires the ability to fully manage the resources in its account. The research team must not be able to create IAM users.

The cloud team creates a Research Administrator permission set in IAM Identity Center for the research team. The permission set has the AdministratorAccess AWS managed policy attached. The cloud team must ensure that no one on the research team can create IAM users.

Which solution will meet these requirements?

A : Create an IAM policy that denies the iam:CreateUser action. Attach the IAM policy to the Research Administrator permission set.

B : . Create an IAM policy that allows all actions except the iam:CreateUser action. Use the IAM policy to set the permissions boundary for the Research Administrator permission set.

C : Create an SCP that denies the iam:CreateUser action. Attach the SCP to the research team's AWS account.

D : reate an AWS Lambda function that deletes IAM users. Create an Amazon EventBridge rule that detects the IAM CreateUser event. Configure the rule to invoke the Lambda function.

Answer: C

Question 2

A company uses AWS CodeCommit for source code control. Developers apply their changes to various feature branches and create pull requests to move those changes to the main branch when the changes are ready for production.

The developers should not be able to push changes directly to the main branch. The company applied the AWSCodeCommitPowerUser managed policy to the developers’ IAM role, and now these developers can push changes to the main branch directly on every repository in the AWS account.

What should the company do to restrict the developers’ ability to push changes to the main branch directly?

A : eate an additional policy to include a Deny rule for the GitPush and PutFile actions. Include a restriction for the specific repositories in the policy statement with a condition that references the main branch.

B : move the IAM policy, and add an AWSCodeCommitReadOnly managed policy. Add an Allow rule for the GitPush and PutFile actions for the specific repositories in the policy statement with a condition that references the main branch.

C : dify the IAM policy. Include a Deny rule for the GitPush and PutFile actions for the specific repositories in the policy statement with a condition that references the main branch.

D : eate an additional policy to include an Allow rule for the GitPush and PutFile actions. Include a restriction for the specific repositories in the policy statement with a condition that references the feature branches.

Answer: A

Question 3

A DevOps engineer needs to configure an AWS CodePipeline pipeline that publishes container images to an Amazon ECR repository. The pipeline must wait for the previous run to finish and must run when new Git tags are pushed to a Git repository connected to AWS CodeConnections. An existing deployment pipeline must run in response to new container image publications. Which solution will meet these requirements?

A : Configure a CodePipeline V2 type pipeline that uses QUEUED mode. Add a trigger filter to the pipeline definition that includes all tags. Configure an EventBridge rule that matches container image pushes to start the existing deployment pipeline.

B : Configure a CodePipeline V2 type pipeline that uses SUPERSEDED mode. Add a trigger filter to the pipeline definition that includes all branches. Configure an EventBridge rule that matches container image pushes to start the existing deployment pipeline.

C : Configure a CodePipeline V1 type pipeline that uses SUPERSEDED mode. Add a trigger filter to the pipeline definition that includes all tags. Add a stage at the end of the pipeline to invoke the existing deployment pipeline.

D : Configure a CodePipeline V1 type pipeline that uses QUEUED mode. Add a trigger filter to the pipeline definition that includes all branches. Add a stage at the end of the pipeline to invoke the existing deployment pipeline.

Answer: A

Question 4

A DevOps engineer is building the infrastructure for an application. The application needs to run on an Amazon Elastic Kubernetes Service (Amazon EKS) cluster that includes Amazon EC2 instances. The EC2 instances need to use an Amazon Elastic File System (Amazon EFS) file system as a storage backend. The Amazon EFS Container Storage Interface (CSI) driver is installed on the EKS cluster.

When the DevOps engineer starts the application, the EC2 instances do not mount the EFS file system.

Which solutions will fix the problem? (Choose three.)

A : Switch the EKS nodes from Amazon EC2 to AWS Fargate.

B : Add an inbound rule to the EFS file system’s security group to allow NFS traffic from the EKS cluster.

C : Create an IAM role that allows the Amazon EFS CSI driver to interact with the file system

D : Set up AWS DataSync to configure file transfer between the EFS file system and the EKS nodes.

E : Create a mount target for the EFS file system in the subnet of the EKS nodes.

F : Disable encryption or the EFS file system.

Answer: B,C,F

Question 5

A popular e-commerce website which has customers across the globe is hosted in the us-east-1 AWS region with a backup site in the us-west-1 region. Due to an unexpected regional outage in the us-east-1 region, the company initiated their disaster recovery plan and turned on the backup site. However, they discovered that the actual failover still entails several hours of manual effort to prepare and switch over the database. They also noticed that the database is missing up to three hours of data transactions when the regional outage happened. Which of the following solutions should the DevOps engineer implement which will improve the RTO and RPO of the website for the cross-region failover?

A : eate a snapshot every hour using Amazon RDS scheduled instance lifecycle events which will also allow you to monitor specific RDS events. Perform a cross-region snapshot copy into the us-west-1 backup region once the SnapshotCreateComplete event occurred. Create an Amazon CloudWatch Alert which will trigger an action to restore the Amazon RDS database snapshot in the backup region when the CPU Utilization metric of the RDS instance in CloudWatch falls to 0% for more than 15 minutes.

B : Step Functions with 2 Lambda functions that call the RDS API to create a snapshot of the database, create a cross-region snapshot copy, and restore the database instance from a snapshot in the backup region. Use CloudWatch Events to trigger the function to take a database snapshot every hour. Set up an SNS topic that will receive published messages from AWS Health API, RDS availability and other events that will trigger the Lambda function to create a cross-region snapshot copy. During failover, Configure the Lambda function to restore the database from a snapshot in the backup region.

C : Use an ECS cluster to host a custom python script that calls the RDS API to create a snapshot of the database, create a cross-region snapshot copy, and restore the database instance from a snapshot in the backup region. Create a scheduled job using CloudWatch Events that triggers the Lambda function to snapshot a database instance every hour. Set up an SNS topic that will receive published messages about AWS-initiated RDS events from Trusted Advisor that will trigger the function to create a cross-region snapshot copy. During failover, restore the database from a snapshot in the backup region.

D : nfigure an Amazon RDS Multi-AZ Deployment configuration and place the standby instance in the us-west-1 region. Set up the RDS option group to enable multi-region availability for native automation of cross-region recovery as well as for continuous data replication. Set up a notification system using Amazon SNS which is integrated with AWS Health API to monitor RDS-related systems events and notify the Operations team. In the actual failover where the primary database instance is down, RDS will automatically make the standby instance in the backup region as the primary instance.

Answer: B