AWS DOP-C02 Free Practice Questions — Page 3

DevOps Engineer Professional • 5 questions • Answers & explanations included

Question 11

An ecommerce company has chosen AWS to host its new platform. The company's DevOps team has started building an AWS Control Tower landing zone. The DevOps team has set the identity store within AWS IAM Identity Center (AWS Single Sign-On) to an external identity provider (IdP) and has configured SAML 2.0. The DevOps team wants a robust permission model that applies the principle of least privilege. The model must allow the team to build and manage only the team's own resources. Which combination of steps will meet these requirements? (Choose three.)

A. Create IAM policies that include the required permissions. Include the aws:PrincipalTag condition key.
B. Create permission sets. Attach an inline policy that includes the required permissions and uses the aws:PrincipalTag condition key to scope the permissions.
C. Create a group in the IdP. Place users in the group. Assign the group to accounts and the permission sets in IAM Identity Center.
D. Create a group in the IdP. Place users in the group. Assign the group to OUs and IAM policies.
E. Enable attributes for access control in IAM Identity Center. Apply tags to users. Map the tags as key-value pairs.
F. Enable attributes for access control in IAM Identity Center. Map attributes from the IdP as key-value pairs.

Correct Answers: B. Create permission sets. Attach an inline policy that includes the required permissions and uses the aws:PrincipalTag condition key to scope the permissions.; C. Create a group in the IdP. Place users in the group. Assign the group to accounts and the permission sets in IAM Identity Center.; F. Enable attributes for access control in IAM Identity Center. Map attributes from the IdP as key-value pairs.

Why these are correct: B: Permission sets in IAM Identity Center define what users can do. Using inline policies with the aws:PrincipalTag condition key allows scoping permissions based on user attributes, implementing least privilege. C: Creating groups in the IdP and assigning them to accounts and permission sets establishes the connection between users, their permissions, and which accounts they can access. F: Enabling attributes for access control and mapping attributes from the IdP as key-value pairs allows user attributes (like team or department) to be used in permission policies for fine-grained access control.

Why other options are wrong: A: IAM policies are created in individual AWS accounts, not in IAM Identity Center. Permission sets are the correct construct for IAM Identity Center. D: You don't assign groups to OUs or directly to IAM policies in IAM Identity Center. The assignment is to accounts and permission sets. E: While you can apply tags to users, the question specifies using an external IdP, so attributes should be mapped from the IdP rather than manually applied as tags.
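The three chosen steps (B, C, F) expressed as one CloudFormation template, added here as an illustration and not part of the original question set. The Identity Center instance ARN, the IdP group ID, the target account ID and the attribute path `${path:enterprise.department}` are assumptions, and the `ec2:` actions stand in for the team's real permissions.

```yaml
# Added illustration, not from the page. Placeholders: instance ARN, group ID, account ID, attribute path.
Parameters:
  IdentityCenterInstanceArn: { Type: String }   # arn:aws:sso:::instance/ssoins-PLACEHOLDER
  TeamGroupId: { Type: String }                 # ID of the group synced from the external IdP
  TargetAccountId: { Type: String }
Resources:
  # F: enable attributes for access control and map an IdP attribute to the "team" key.
  AbacAttributes:
    Type: AWS::SSO::InstanceAccessControlAttributeConfiguration
    Properties:
      InstanceArn: !Ref IdentityCenterInstanceArn
      AccessControlAttributes:
        - Key: team
          Value:
            Source: ["${path:enterprise.department}"]   # assumed attribute path; depends on the IdP
  # B: permission set whose inline policy is scoped by aws:PrincipalTag/team.
  TeamPermissionSet:
    Type: AWS::SSO::PermissionSet
    Properties:
      InstanceArn: !Ref IdentityCenterInstanceArn
      Name: TeamScopedBuilder
      InlinePolicy:
        Version: "2012-10-17"
        Statement:
          # Create resources only when they are tagged with the caller's own team ...
          - Effect: Allow
            Action: ["ec2:RunInstances", "ec2:CreateTags"]   # placeholder for the real permissions
            Resource: "*"
            Condition:
              StringEquals:
                aws:RequestTag/team: "${aws:PrincipalTag/team}"
          # ... and manage only resources that already carry that team tag.
          - Effect: Allow
            Action: ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"]
            Resource: "*"
            Condition:
              StringEquals:
                aws:ResourceTag/team: "${aws:PrincipalTag/team}"
  # C: assign the IdP group to the account with this permission set.
  TeamAssignment:
    Type: AWS::SSO::Assignment
    Properties:
      InstanceArn: !Ref IdentityCenterInstanceArn
      PermissionSetArn: !GetAtt TeamPermissionSet.PermissionSetArn
      PrincipalType: GROUP
      PrincipalId: !Ref TeamGroupId
      TargetType: AWS_ACCOUNT
      TargetId: !Ref TargetAccountId
```

Because the `team` value comes from the IdP at sign-in, a user who moves teams loses access to the old team's resources without any change to the permission set.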

Question 12

An ecommerce company is receiving reports that its order history page is experiencing delays in reflecting the processing status of orders. The order processing system consists of an AWS Lambda function that uses reserved concurrency. The Lambda function processes order messages from an Amazon Simple Queue Service (Amazon SQS) queue and inserts processed orders into an Amazon DynamoDB table. The DynamoDB table has auto scaling enabled for read and write capacity. Which actions should a DevOps engineer take to resolve this delay? (Choose two.)

A. Check the ApproximateAgeOfOldestMessage metric for the SQS queue. Increase the Lambda function concurrency limit.
B. Check the ApproximateAgeOfOldestMessage metric for the SQS queue. Configure a redrive policy on the SQS queue.
C. Check the NumberOfMessagesSent metric for the SQS queue. Increase the SQS queue visibility timeout.
D. Check the WriteThrottleEvents metric for the DynamoDB table. Increase the maximum write capacity units (WCUs) for the table's scaling policy.
E. Check the Throttles metric for the Lambda function. Increase the Lambda function timeout.

Correct Answers: A. Check the ApproximateAgeOfOldestMessage metric for the SQS queue. Increase the Lambda function concurrency limit.; D. Check the WriteThrottleEvents metric for the DynamoDB table. Increase the maximum write capacity units (WCUs) for the table's scaling policy.

Why these are correct: A: ApproximateAgeOfOldestMessage indicates how long messages are waiting in the queue. If this metric is high, messages aren't being processed quickly enough. Increasing Lambda concurrency allows more function instances to process messages simultaneously, reducing the backlog. D: WriteThrottleEvents indicates DynamoDB is rejecting write requests due to insufficient capacity. If Lambda is being throttled when writing to DynamoDB, increasing the maximum WCUs in the auto scaling policy allows the table to scale up and handle more writes.

Why other options are wrong: B: A redrive policy sends failed messages to a dead-letter queue but doesn't address processing delays for valid messages. C: NumberOfMessagesSent measures incoming message rate, not processing delays. Increasing visibility timeout only helps if messages are being processed but not deleted in time, which isn't the issue here. E: Lambda throttles occur when concurrent executions are limited, not due to function timeout. Increasing timeout doesn't address concurrency limits or cold starts.

Question 13

A company has a single AWS account that runs hundreds of Amazon EC2 instances in a single AWS Region. New EC2 instances are launched and terminated each hour in the account. The account also includes existing EC2 instances that have been running for longer than a week. The company's security policy requires all running EC2 instances to use an EC2 instance profile. If an EC2 instance does not have an instance profile attached, the EC2 instance must use a default instance profile that has no IAM permissions assigned. A DevOps engineer reviews the account and discovers EC2 instances that are running without an instance profile. During the review, the DevOps engineer also observes that new EC2 instances are being launched without an instance profile. Which solution will ensure that an instance profile is attached to all existing and future EC2 instances in the Region?

A. Configure an Amazon EventBridge rule that reacts to EC2 RunInstances API calls. Configure the rule to invoke an AWS Lambda function to attach the default instance profile to the EC2 instances.
B. Configure the ec2-instance-profile-attached AWS Config managed rule with a trigger type of configuration changes. Configure an automatic remediation action that invokes an AWS Systems Manager Automation runbook to attach the default instance profile to the EC2 instances.
C. Configure an Amazon EventBridge rule that reacts to EC2 StartInstances API calls. Configure the rule to invoke an AWS Systems Manager Automation runbook to attach the default instance profile to the EC2 instances.
D. Configure the iam-role-managed-policy-check AWS Config managed rule with a trigger type of configuration changes. Configure an automatic remediation action that invokes an AWS Lambda function to attach the default instance profile to the EC2 instances.

Correct Answer: B. Configure the ec2-instance-profile-attached AWS Config managed rule with a trigger type of configuration changes. Configure an automatic remediation action that invokes an AWS Systems Manager Automation runbook to attach the default instance profile to the EC2 instances.

Why B is correct: The ec2-instance-profile-attached AWS Config managed rule continuously monitors EC2 instances and checks if they have instance profiles attached. Using a trigger type of configuration changes ensures the rule evaluates whenever instances are launched or modified. The automatic remediation action with Systems Manager Automation can immediately attach the default instance profile to non-compliant instances. This solution handles both existing instances and future launches automatically.

Why other options are wrong: A: RunInstances API calls occur when instances are launched, but this doesn't address existing running instances without profiles. It's also reactive rather than continuous monitoring. C: StartInstances API calls only occur when stopped instances are started, not when new instances are launched. This misses the primary use case. D: The iam-role-managed-policy-check rule checks IAM role policies, not whether EC2 instances have instance profiles attached. It's the wrong Config rule for this requirement.
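Option B as a CloudFormation template, added here for illustration and not taken from the original page. It assumes the AWS-owned Automation runbook AWS-AttachIAMToInstance, takes the ARN of the role that Automation assumes as a parameter, and uses a placeholder name for the permissionless default role.

```yaml
# Added illustration, not from the page. Role names and the remediation role ARN are placeholders.
Parameters:
  RemediationRoleArn: { Type: String }   # assumed by Automation; needs ec2:AssociateIamInstanceProfile
                                         # and iam:PassRole on the default role (assumption, runbook-dependent)
Resources:
  # Default role with no permissions; the instance profile reuses its name.
  DefaultInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: ec2-default-no-permissions
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
  DefaultInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: !Ref DefaultInstanceRole
      Roles: [!Ref DefaultInstanceRole]
  # Managed rule: an instance with no instance profile is NON_COMPLIANT.
  InstanceProfileRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: ec2-instance-profile-attached
      Scope:
        ComplianceResourceTypes: ["AWS::EC2::Instance"]   # change-triggered on this resource type
      Source:
        Owner: AWS
        SourceIdentifier: EC2_INSTANCE_PROFILE_ATTACHED
  # Automatic remediation: run the attach runbook against each non-compliant instance.
  AttachDefaultProfile:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref InstanceProfileRule
      TargetType: SSM_DOCUMENT
      TargetId: AWS-AttachIAMToInstance
      Automatic: true
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      Parameters:
        InstanceId:
          ResourceValue: { Value: RESOURCE_ID }           # the instance Config flagged
        RoleName:
          StaticValue: { Values: [!Ref DefaultInstanceRole] }
        AutomationAssumeRole:
          StaticValue: { Values: [!Ref RemediationRoleArn] }
```

Existing instances are evaluated when the rule is first created, so the long-running instances from the question are remediated in the same pass as new launches.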

Question 14

A DevOps engineer is building a continuous deployment pipeline for a serverless application that uses AWS Lambda functions. The company wants to reduce the customer impact of an unsuccessful deployment. The company also wants to monitor for issues. Which deploy stage configuration will meet these requirements?

A. Use an AWS Serverless Application Model (AWS SAM) template to define the serverless application. Use AWS CodeDeploy to deploy the Lambda functions with the Canary10Percent15Minutes Deployment Preference Type. Use Amazon CloudWatch alarms to monitor the health of the functions.
B. Use AWS CloudFormation to publish a new stack update, and include Amazon CloudWatch alarms on all resources. Set up an AWS CodePipeline approval action for a developer to verify and approve the AWS CloudFormation change set.
C. Use AWS CloudFormation to publish a new version on every stack update, and include Amazon CloudWatch alarms on all resources. Use the RoutingConfig property of the AWS::Lambda::Alias resource to update the traffic routing during the stack update.
D. Use AWS CodeBuild to add sample event payloads for testing to the Lambda functions. Publish a new version of the functions, and include Amazon CloudWatch alarms. Update the production alias to point to the new version. Configure rollbacks to occur when an alarm is in the ALARM state.

Correct Answer: A. Use an AWS Serverless Application Model (AWS SAM) template to define the serverless application. Use AWS CodeDeploy to deploy the Lambda functions with the Canary10Percent15Minutes Deployment Preference Type. Use Amazon CloudWatch alarms to monitor the health of the functions.

Why A is correct: AWS SAM integrates seamlessly with CodeDeploy for Lambda deployments. The Canary10Percent15Minutes deployment preference gradually shifts traffic (10% initially, then 100% after 15 minutes if no issues occur). CloudWatch alarms can monitor function health (errors, duration, throttles), and if alarms trigger, CodeDeploy automatically rolls back the deployment. This provides safe, gradual deployment with automated rollback, minimizing customer impact.

Why other options are wrong: B: Manual approval actions don't reduce customer impact of unsuccessful deployments; they only add human review, which slows down deployment and doesn't provide automatic rollback or gradual traffic shifting. C: While you can use the RoutingConfig property for traffic shifting, this approach requires manual CloudFormation stack updates and doesn't provide CodeDeploy's integrated monitoring and automatic rollback capabilities. D: Testing with sample payloads doesn't validate production behavior. Manual alias updates and monitoring alarms don't provide the automated, gradual traffic shifting that canary deployments offer.
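Option A as an AWS SAM template fragment, added here as an illustration and not from the original page. CodeUri, Handler, Runtime and the alarm threshold are assumptions; the deployment preference type and the rollback-on-alarm wiring are what the question is about.

```yaml
# Added illustration, not from the page. CodeUri, Handler, Runtime and the threshold are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Resources:
  OrderFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: src/
      Handler: app.handler
      Runtime: python3.12
      AutoPublishAlias: live            # CodeDeploy shifts this alias between the old and new version
      DeploymentPreference:
        Type: Canary10Percent15Minutes  # 10% of traffic for 15 minutes, then the remaining 90%
        Alarms:
          - !Ref CanaryErrorsAlarm       # any listed alarm in ALARM during the bake window rolls back
  # Errors observed through the live alias while the canary carries 10% of traffic.
  CanaryErrorsAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      Namespace: AWS/Lambda
      MetricName: Errors
      Dimensions:
        - { Name: FunctionName, Value: !Ref OrderFunction }
        - { Name: Resource, Value: !Sub "${OrderFunction}:live" }
      Statistic: Sum
      Period: 60
      EvaluationPeriods: 2
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching    # a quiet alias is not a failed deployment
```

A rollback here moves the alias back to the previous version, so at most the 10% canary share of customers ever saw the faulty code.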

Question 15

To run an application, a DevOps engineer launches Amazon EC2 instances with public IP addresses in a public subnet. A user data script obtains the application artifacts and installs them on the instances upon launch. A change to the security classification of the application now requires the instances to run with no access to the internet. While the instances launch successfully and show as healthy, the application does not seem to be installed. Which of the following should successfully install the application while complying with the new rule?

A. Launch the instances in a public subnet with Elastic IP addresses attached. Once the application is installed and running, run a script to disassociate the Elastic IP addresses afterwards.
B. Set up a NAT gateway. Deploy the EC2 instances to a private subnet. Update the private subnet's route table to use the NAT gateway as the default route.
C. Publish the application artifacts to an Amazon S3 bucket and create a VPC endpoint for S3. Assign an IAM instance profile to the EC2 instances so they can read the application artifacts from the S3 bucket.
D. Create a security group for the application instances and allow only outbound traffic to the artifact repository. Remove the security group rule once the install is complete.

Correct Answer: C. Publish the application artifacts to an Amazon S3 bucket and create a VPC endpoint for S3. Assign an IAM instance profile to the EC2 instances so they can read the application artifacts from the S3 bucket.

Why C is correct: Publishing artifacts to S3 and creating a VPC endpoint for S3 allows EC2 instances in private subnets to access S3 without internet access. The VPC endpoint provides a private connection to S3 within the VPC. Assigning an IAM instance profile gives the instances permissions to read from the S3 bucket. This fully complies with the no-internet-access requirement while allowing artifact retrieval.

Why other options are wrong: A: Using Elastic IP addresses and then disassociating them still provides internet access during installation, violating the security requirement. B: NAT gateway provides internet access for private subnets, which violates the "no access to the internet" requirement. D: Allowing outbound traffic to an artifact repository (assuming it's internet-based) still violates the no-internet-access rule. Additionally, temporarily allowing and then removing security group rules is operationally complex and error-prone.
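Option C as a CloudFormation template, added here for illustration and not from the original page. The VPC, the private subnet's route table and the artifact bucket name are supplied as parameters; the endpoint policy and the aws:SourceVpce condition go one step beyond the question to keep the read path usable only through the endpoint.

```yaml
# Added illustration, not from the page. VPC, route table and bucket name are supplied as parameters.
Parameters:
  VpcId: { Type: AWS::EC2::VPC::Id }
  PrivateRouteTableId: { Type: String }   # route table of the subnet with no IGW/NAT route
  ArtifactBucketName: { Type: String }
Resources:
  # Gateway endpoint: S3 requests are routed to the endpoint prefix list, never to the internet.
  S3Endpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Gateway
      ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
      RouteTableIds: [!Ref PrivateRouteTableId]
      PolicyDocument:                 # endpoint policy: read-only, artifact bucket only
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: "*"
            Action: ["s3:GetObject", "s3:ListBucket"]
            Resource:
              - !Sub arn:aws:s3:::${ArtifactBucketName}
              - !Sub arn:aws:s3:::${ArtifactBucketName}/*
  # Instance role: read artifacts, and only when the call arrives through this endpoint.
  ArtifactReaderRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: read-artifacts
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: ["s3:GetObject", "s3:ListBucket"]
                Resource:
                  - !Sub arn:aws:s3:::${ArtifactBucketName}
                  - !Sub arn:aws:s3:::${ArtifactBucketName}/*
                Condition:
                  StringEquals:
                    aws:SourceVpce: !Ref S3Endpoint   # credentials are useless from outside the endpoint
  ArtifactReaderProfile:
    Type: AWS::IAM::InstanceProfile   # attach this profile to the instances in the private subnet
    Properties:
      Roles: [!Ref ArtifactReaderRole]
```

The user data script then fetches the artifact from the bucket with the instance's own credentials; no route to the internet is needed at any point.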
