AWS DOP-C02 Free Practice Questions — Page 2

DevOps Engineer Professional • 5 questions • Answers & explanations included

Question 6

A company must encrypt all AMIs that the company shares across accounts. A DevOps engineer has access to a source account where an unencrypted custom AMI has been built. The DevOps engineer also has access to a target account where an Amazon EC2 Auto Scaling group will launch EC2 instances from the AMI. The DevOps engineer must share the AMI with the target account. The company has created an AWS Key Management Service (AWS KMS) key in the source account. Which additional steps should the DevOps engineer perform to meet the requirements? (Choose three.)

A. In the source account, copy the unencrypted AMI to an encrypted AMI. Specify the KMS key in the copy action.
B. In the source account, copy the unencrypted AMI to an encrypted AMI. Specify the default Amazon Elastic Block Store (Amazon EBS) encryption key in the copy action.
C. In the source account, create a KMS grant that delegates permissions to the Auto Scaling group service-linked role in the target account.
D. In the source account, modify the key policy to give the target account permissions to create a grant. In the target account, create a KMS grant that delegates permissions to the Auto Scaling group service-linked role.
E. In the source account, share the unencrypted AMI with the target account.
F. In the source account, share the encrypted AMI with the target account.

Correct Answers: A. In the source account, copy the unencrypted AMI to an encrypted AMI. Specify the KMS key in the copy action.; D. In the source account, modify the key policy to give the target account permissions to create a grant. In the target account, create a KMS grant that delegates permissions to the Auto Scaling group service-linked role.; F. In the source account, share the encrypted AMI with the target account.

Why these are correct: A: You must copy the unencrypted AMI to create an encrypted version, specifying the KMS key from the source account. This creates an encrypted AMI that can be shared. D: The key policy must grant the target account permissions to create a grant, and the target account must create a KMS grant that delegates permissions to the Auto Scaling group service-linked role. This allows the Auto Scaling group to use the encrypted AMI and decrypt the EBS volumes. F: You must share the encrypted AMI (not the unencrypted one) with the target account so it can launch instances from it.

Why other options are wrong: B: Using the default EBS encryption key won't work for cross-account sharing because the default key cannot be shared across accounts. You must use a customer-managed KMS key. C: Creating the grant in the source account for the target account's service-linked role is insufficient. The target account needs permissions to create the grant itself. E: Sharing the unencrypted AMI doesn't meet the encryption requirement.

Question 7

A company uses AWS CodePipeline pipelines to automate releases of its application. A typical pipeline consists of three stages: build, test, and deployment. The company has been using a separate AWS CodeBuild project to run scripts for each stage. However, the company now wants to use AWS CodeDeploy to handle the deployment stage of the pipelines. The company has packaged the application as an RPM package and must deploy the application to a fleet of Amazon EC2 instances. The EC2 instances are in an EC2 Auto Scaling group and are launched from a common AMI. Which combination of steps should a DevOps engineer perform to meet these requirements? (Choose two.)

A. Create a new version of the common AMI with the CodeDeploy agent installed. Update the IAM role of the EC2 instances to allow access to CodeDeploy.
B. Create a new version of the common AMI with the CodeDeploy agent installed. Create an AppSpec file that contains application deployment scripts and grants access to CodeDeploy.
C. Create an application in CodeDeploy. Configure an in-place deployment type. Specify the Auto Scaling group as the deployment target. Add a step to the CodePipeline pipeline to use EC2 Image Builder to create a new AMI. Configure CodeDeploy to deploy the newly created AMI.
D. Create an application in CodeDeploy. Configure an in-place deployment type. Specify the Auto Scaling group as the deployment target. Update the CodePipeline pipeline to use the CodeDeploy action to deploy the application.
E. Create an application in CodeDeploy. Configure an in-place deployment type. Specify the EC2 instances that are launched from the common AMI as the deployment target. Update the CodePipeline pipeline to use the CodeDeploy action to deploy the application.

Correct Answers: A. Create a new version of the common AMI with the CodeDeploy agent installed. Update the IAM role of the EC2 instances to allow access to CodeDeploy.; D. Create an application in CodeDeploy. Configure an in-place deployment type. Specify the Auto Scaling group as the deployment target. Update the CodePipeline pipeline to use the CodeDeploy action to deploy the application.

Why these are correct: A: The CodeDeploy agent must be installed on EC2 instances for CodeDeploy to manage deployments. Creating a new AMI with the agent pre-installed ensures all instances launched by Auto Scaling have it. The IAM role must have permissions to access CodeDeploy services. D: Creating a CodeDeploy application with in-place deployment type allows updating existing instances. Specifying the Auto Scaling group as the deployment target enables CodeDeploy to manage all instances in the group. Adding the CodeDeploy action to the pipeline integrates the deployment stage.

Why other options are wrong: B: The AppSpec file defines deployment steps but doesn't "grant access to CodeDeploy"; that is done through IAM roles. C: CodeDeploy in-place deployments update existing instances; they don't create new AMIs during deployment. EC2 Image Builder is unnecessary for this use case. E: Specifying individual EC2 instances as targets doesn't work well with Auto Scaling, as instances can be terminated and replaced. Targeting the Auto Scaling group is the correct approach.

Question 8

A company’s security team requires that all external Application Load Balancers (ALBs) and Amazon API Gateway APIs are associated with AWS WAF web ACLs. The company has hundreds of AWS accounts, all of which are included in a single organization in AWS Organizations. The company has configured AWS Config for the organization. During an audit, the company finds some externally facing ALBs that are not associated with AWS WAF web ACLs. Which combination of steps should a DevOps engineer take to prevent future violations? (Choose two.)

A. Delegate AWS Firewall Manager to a security account.
B. Delegate Amazon GuardDuty to a security account.
C. Create an AWS Firewall Manager policy to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.
D. Create an Amazon GuardDuty policy to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.
E. Configure an AWS Config managed rule to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.

Correct Answers: A. Delegate AWS Firewall Manager to a security account.; C. Create an AWS Firewall Manager policy to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.

Why these are correct: A: AWS Firewall Manager must be delegated to a security account to centrally manage WAF policies across all accounts in the organization. This provides centralized security management. C: Firewall Manager policies can automatically attach WAF web ACLs to resources like ALBs and API Gateway APIs as they're created. This ensures compliance and prevents violations proactively.

Why other options are wrong: B & D: Amazon GuardDuty is a threat detection service, not a policy enforcement tool. It doesn't manage WAF web ACLs or attach them to resources. E: AWS Config detects compliance violations but doesn't proactively attach WAF web ACLs to newly created resources. It's reactive rather than preventive, and Config rules don't "attach" resources; they only report compliance status.

Question 9

A company uses AWS Key Management Service (AWS KMS) keys and manual key rotation to meet regulatory compliance requirements. The security team wants to be notified when any keys have not been rotated after 90 days. Which solution will accomplish this?

A. Configure AWS KMS to publish to an Amazon Simple Notification Service (Amazon SNS) topic when keys are more than 90 days old.
B. Configure an Amazon EventBridge event to launch an AWS Lambda function to call the AWS Trusted Advisor API and publish to an Amazon Simple Notification Service (Amazon SNS) topic.
C. Develop an AWS Config custom rule that publishes to an Amazon Simple Notification Service (Amazon SNS) topic when keys are more than 90 days old.
D. Configure AWS Security Hub to publish to an Amazon Simple Notification Service (Amazon SNS) topic when keys are more than 90 days old.

Correct Answer: C. Develop an AWS Config custom rule that publishes to an Amazon Simple Notification Service (Amazon SNS) topic when keys are more than 90 days old.

Why C is correct: AWS Config custom rules can evaluate resource configurations against specific criteria. A custom rule can check the last rotation date of KMS keys and determine if they exceed 90 days. When keys are non-compliant (not rotated), the rule can trigger an SNS notification to alert the security team. Config continuously monitors resources, making it ideal for this compliance requirement.

Why other options are wrong: A: AWS KMS does not have a built-in feature to publish to SNS when keys haven't been rotated. Manual rotation doesn't trigger automatic notifications. B: AWS Trusted Advisor doesn't have specific checks for KMS key rotation age. This would require custom logic that Trusted Advisor doesn't provide. D: AWS Security Hub aggregates security findings from various services but doesn't have a native check for KMS key rotation age that triggers SNS notifications.
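The evaluation logic behind answer C, as an added illustration that is not part of the original question bank: the core of a Config custom-rule Lambda that classifies each KMS key by the age of its last manual rotation. The key records are constructed sample data in the shape of `describe_key()['KeyMetadata']`; the `LastRotated` field, the helper names `evaluate_key` and `stale_key_ids`, and the 90-day threshold as a rule parameter are assumptions, and in a real rule the records would come from boto3 and the results would go to `config.put_evaluations()`.

```python
from datetime import datetime, timedelta, timezone

MAX_ROTATION_AGE_DAYS = 90  # the rule parameter the security team sets

# Constructed sample records (not real keys). LastRotated is assumed to be
# stamped by the team's manual-rotation runbook; None means never rotated,
# so the key's CreationDate is the last rotation reference.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"KeyId": "key-fresh", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "CreationDate": NOW - timedelta(days=30), "LastRotated": None},
    {"KeyId": "key-stale", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "CreationDate": NOW - timedelta(days=400), "LastRotated": None},
    {"KeyId": "key-rotated", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "CreationDate": NOW - timedelta(days=400),
     "LastRotated": NOW - timedelta(days=10)},
    {"KeyId": "key-aws", "KeyManager": "AWS", "KeyState": "Enabled",
     "CreationDate": NOW - timedelta(days=400), "LastRotated": None},
    {"KeyId": "key-deleting", "KeyManager": "CUSTOMER",
     "KeyState": "PendingDeletion",
     "CreationDate": NOW - timedelta(days=400), "LastRotated": None},
]


def evaluate_key(key, now=NOW, max_age_days=MAX_ROTATION_AGE_DAYS):
    """Return one evaluation in the shape config.put_evaluations() expects."""
    last = key.get("LastRotated") or key["CreationDate"]
    age_days = (now - last).days
    # AWS-managed keys cannot be rotated manually, and keys that are not
    # Enabled (disabled or pending deletion) are out of scope for the rule.
    if key["KeyManager"] != "CUSTOMER" or key["KeyState"] != "Enabled":
        compliance, note = "NOT_APPLICABLE", "AWS-managed or not enabled"
    elif age_days > max_age_days:
        compliance, note = "NON_COMPLIANT", f"last rotation {age_days} days ago"
    else:
        compliance, note = "COMPLIANT", f"last rotation {age_days} days ago"
    return {
        "ComplianceResourceType": "AWS::KMS::Key",
        "ComplianceResourceId": key["KeyId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": now,
    }


def stale_key_ids(keys, now=NOW, max_age_days=MAX_ROTATION_AGE_DAYS):
    """Keys the rule flags; these are what the SNS notification should list."""
    evaluations = (evaluate_key(k, now, max_age_days) for k in keys)
    return [e["ComplianceResourceId"] for e in evaluations
            if e["ComplianceType"] == "NON_COMPLIANT"]


if __name__ == "__main__":
    for k in SAMPLE_KEYS:
        e = evaluate_key(k)
        print(f'{e["ComplianceResourceId"]:13} {e["ComplianceType"]:15} {e["Annotation"]}')
```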

Question 10

A security review has identified that an AWS CodeBuild project is downloading a database population script from an Amazon S3 bucket using an unauthenticated request. The security team does not allow unauthenticated requests to S3 buckets for this project. How can this issue be corrected in the MOST secure manner?

A. Add the bucket name to the AllowedBuckets section of the CodeBuild project settings. Update the build spec to use the AWS CLI to download the database population script.
B. Modify the S3 bucket settings to enable HTTPS basic authentication and specify a token. Update the build spec to use cURL to pass the token and download the database population script.
C. Remove unauthenticated access from the S3 bucket with a bucket policy. Modify the service role for the CodeBuild project to include Amazon S3 access. Use the AWS CLI to download the database population script.
D. Remove unauthenticated access from the S3 bucket with a bucket policy. Use the AWS CLI to download the database population script using an IAM access key and a secret access key.

Correct Answer: C. Remove unauthenticated access from the S3 bucket with a bucket policy. Modify the service role for the CodeBuild project to include Amazon S3 access. Use the AWS CLI to download the database population script.

Why C is correct: Removing unauthenticated access via a bucket policy enforces security. Modifying the CodeBuild service role to include S3 permissions allows CodeBuild to authenticate using IAM, which is AWS best practice. Using the AWS CLI to download the script leverages the service role's credentials automatically. This is the most secure approach using IAM-based authentication.

Why other options are wrong: A: CodeBuild doesn't have an "AllowedBuckets" section in project settings. This isn't a valid configuration option. B: S3 doesn't support HTTPS basic authentication with tokens. S3 uses IAM for authentication and authorization. D: Hardcoding IAM access keys and secret access keys in the build spec is a major security anti-pattern. Credentials should never be embedded in code or configuration files. Using the service role is the secure method.
