Question 1
A company publishes application logs to an Amazon CloudWatch Logs log group in the us-east-1 Region. The company needs to export the logs from us-east-1 to the us-west-2 Region on a weekly basis. The logs must be encrypted in both Regions. Which solution will meet these requirements?
A. Create an Amazon S3 bucket in us-west-2. Configure server-side encryption with Amazon S3 managed encryption keys (SSE-S3) for the S3 bucket. Create and schedule an AWS Lambda function to run weekly to export the CloudWatch logs from the last week to the S3 bucket in us-west-2
B. Create an Amazon S3 bucket in us-west-2. Configure server-side encryption with AWS KMS keys (SSE-KMS) for the S3 bucket. Create and schedule an AWS Lambda function to run weekly to export the CloudWatch logs from the last week to the S3 bucket in us-west-2
C. Create an Amazon S3 bucket in us-east-1. Create an S3 bucket in us-west-2. Configure server-side encryption with Amazon S3 managed encryption keys (SSE-S3) and turn on versioning for both S3 buckets. Create and schedule an AWS Lambda function to run weekly to export the CloudWatch logs from the last week to the S3 bucket in us-east-1. Configure a replication rule on the S3 bucket in us-east-1 to replicate the logs to the S3 bucket in us-west-2
D. Create an Amazon S3 bucket in us-east-1. Create an S3 bucket in us-west-2. Configure server-side encryption with AWS KMS keys (SSE-KMS) and turn on versioning for both S3 buckets. Create and schedule an AWS Lambda function to run weekly to export the CloudWatch logs from the last week to the S3 bucket in us-east-1. Configure a replication rule on the S3 bucket in us-east-1 to replicate the logs to the S3 bucket in us-west-2
Correct Answer:
D. Create an Amazon S3 bucket in us-east-1. Create an S3 bucket in us-west-2. Configure server-side encryption with AWS KMS keys (SSE-KMS) and turn on versioning for both S3 buckets. Create and schedule an AWS Lambda function to run weekly to export the CloudWatch logs from the last week to the S3 bucket in us-east-1. Configure a replication rule on the S3 bucket in us-east-1 to replicate the logs to the S3 bucket in us-west-2
Question 2
A DevOps Engineer must track the health of a stateless RESTful service sitting behind a Classic Load Balancer. The deployment of new application revisions is through a CI/CD pipeline. If the service's latency increases beyond a defined threshold, deployment should be stopped until the service has recovered. Which of the following methods allows for the QUICKEST detection time?
A. Use Amazon CloudWatch metrics provided by Elastic Load Balancing to calculate average latency. Alarm and stop deployment when latency increases beyond the defined threshold
B. Use AWS Lambda and Elastic Load Balancing access logs to detect average latency. Alarm and stop deployment when latency increases beyond the defined threshold
C. Use AWS CodeDeploy's MinimumHealthyHosts setting to define thresholds for rolling back deployments. If these thresholds are breached, roll back the deployment
D. Use Metric Filters to parse application logs in Amazon CloudWatch Logs. Create a filter for latency. Alarm and stop deployment when latency increases beyond the defined threshold
Correct Answer:
A. Use Amazon CloudWatch metrics provided by Elastic Load Balancing to calculate average latency. Alarm and stop deployment when latency increases beyond the defined threshold
Question 3
A company must collect user consent to a privacy agreement. The company deploys an application in six AWS Regions: two Regions in North America, two Regions in Europe, and two Regions in Asia. The application has a user base of 20 million to 30 million users. The company needs to read and write data that is related to each user's response. The company also must ensure that the responses are available in all six Regions. Which solution will meet these requirements with the LOWEST latency of reads and writes?
A. Implement Amazon DocumentDB (with MongoDB compatibility) in each of the six Regions
B. Implement Amazon DynamoDB global tables in each of the six Regions
C. Implement Amazon ElastiCache for Redis replication groups in each of the six Regions
D. Implement Amazon Elasticsearch Service (Amazon ES) in each of the six Regions
Correct Answer:
B. Implement Amazon DynamoDB global tables in each of the six Regions
Question 4
A company wants to use AWS CloudFormation for infrastructure deployment. The company has strict tagging and resource requirements and wants to limit the deployment to two Regions. Developers will need to deploy multiple versions of the same application. Which solution ensures resources are deployed in accordance with company policy?
A. Create AWS Trusted Advisor checks to find and remediate unapproved CloudFormation StackSets
B. Create a CloudFormation drift detection operation to find and remediate unapproved CloudFormation StackSets
C. Create CloudFormation StackSets with approved CloudFormation templates
D. Create AWS Service Catalog products with approved CloudFormation templates
Correct Answer:
D. Create AWS Service Catalog products with approved CloudFormation templates
Question 5
A DevOps team manages an API running on-premises that serves as a backend for an Amazon API Gateway endpoint. Customers have been complaining about high response latencies, which the development team has verified using the API Gateway latency metrics in Amazon CloudWatch. To identify the cause, the team needs to collect relevant data without introducing additional latency. Which actions should be taken to accomplish this? (Choose two.)
A. Install the CloudWatch agent server side and configure the agent to upload relevant logs to CloudWatch
B. Enable AWS X-Ray tracing in API Gateway, modify the application to capture request segments, and upload those segments to X-Ray during each request
C. Enable AWS X-Ray tracing in API Gateway, modify the application to capture request segments, and use the X-Ray daemon to upload segments to X-Ray
D. Modify the on-premises application to send log information back to API Gateway with each request
E. Modify the on-premises application to calculate and upload statistical data relevant to the API service requests to CloudWatch metrics
Correct Answer:
A. Install the CloudWatch agent server side and configure the agent to upload relevant logs to CloudWatch
C. Enable AWS X-Ray tracing in API Gateway, modify the application to capture request segments, and use the X-Ray daemon to upload segments to X-Ray
Question 6
During the next CodePipeline run, the pipeline exits with a FAILED state during the build stage. The DevOps engineer verifies that the correct Systems Manager parameter path is in place for the environment variable values that were changed. The DevOps engineer also validates that the environment variable type is Parameter. Why did the pipeline fail?
A. The CodePipeline IAM service role does not have the required IAM permissions to use Parameter Store
B. The CodePipeline IAM service role does not have the required IAM permissions to use the aws/ssm KMS key
C. The CodeBuild IAM service role does not have the required IAM permissions to use Parameter Store
D. The CodeBuild IAM service role does not have the required IAM permissions to use the aws/ssm KMS key
Correct Answer:
C. The CodeBuild IAM service role does not have the required IAM permissions to use Parameter Store
Question 7
A company is hosting a web application in an AWS Region. For disaster recovery purposes, a second region is being used as a standby. Disaster recovery requirements state that session data must be replicated between regions in near-real time and 1% of requests should route to the secondary region to continuously verify system functionality. Additionally, if there is a disruption in service in the main region, traffic should be automatically routed to the secondary region, and the secondary region must be able to scale up to handle all traffic. How should a DevOps engineer meet these requirements?
A. In both regions, deploy the application on AWS Elastic Beanstalk and use Amazon DynamoDB global tables for session data. Use an Amazon Route 53 weighted routing policy with health checks to distribute the traffic across the regions
B. In both regions, launch the application in Auto Scaling groups and use DynamoDB for session data. Use a Route 53 failover routing policy with health checks to distribute the traffic across the regions
C. In both regions, deploy the application in AWS Lambda, exposed by Amazon API Gateway, and use Amazon RDS PostgreSQL with cross-region replication for session data. Deploy the web application with client-side logic to call the API Gateway directly
D. In both regions, launch the application in Auto Scaling groups and use DynamoDB global tables for session data. Enable an Amazon CloudFront weighted distribution across regions. Point the Amazon Route 53 DNS record at the CloudFront distribution
Correct Answer:
A. In both regions, deploy the application on AWS Elastic Beanstalk and use Amazon DynamoDB global tables for session data. Use an Amazon Route 53 weighted routing policy with health checks to distribute the traffic across the regions
Question 8
A video-sharing company stores its videos in Amazon S3. The company has observed a sudden increase in video access requests, but the company does not know which videos are most popular. The company needs to identify the general access pattern for the video files. This pattern includes the number of users who access a certain file on a given day, as well as the number of pull requests for certain files. How can the company meet these requirements with the LEAST amount of effort?
A. Activate S3 server access logging. Import the access logs into an Amazon Aurora database. Use an Aurora SQL query to analyze the access patterns
B. Activate S3 server access logging. Use Amazon Athena to create an external table with the log files. Use Athena to create a SQL query to analyze the access patterns
C. Invoke an AWS Lambda function for every S3 object access event. Configure the Lambda function to write the file access information, such as user, S3 bucket, and file key, to an Amazon Aurora database. Use an Aurora SQL query to analyze the access patterns
D. Record an Amazon CloudWatch Logs log message for every S3 object access event. Configure a CloudWatch Logs log stream to write the file access information, such as user, S3 bucket, and file key, to an Amazon Kinesis Data Analytics for SQL application. Perform a sliding window analysis
Correct Answer:
B. Activate S3 server access logging. Use Amazon Athena to create an external table with the log files. Use Athena to create a SQL query to analyze the access patterns
Question 9
An online company uses Amazon EC2 Auto Scaling extensively to provide an excellent customer experience while minimizing the number of running EC2 instances. The company's self-hosted Puppet environment in the application layer manages the configuration of the instances. The IT manager wants the lowest licensing costs and wants to ensure that whenever the EC2 Auto Scaling group scales down, removed EC2 instances are deregistered from the Puppet master as soon as possible. How can the requirement be met?
A. At instance launch time, use EC2 user data to deploy the AWS CodeDeploy agent. Use CodeDeploy to install the Puppet agent. When the Auto Scaling group scales out, run a script to register the newly deployed instances to the Puppet master. When the Auto Scaling group scales in, use the EC2 Auto Scaling EC2_INSTANCE_TERMINATING lifecycle hook to trigger de-registration from the Puppet master
B. Bake the AWS CodeDeploy agent into the base AMI. When the Auto Scaling group scales out, use CodeDeploy to install the Puppet agent, and execute a script to register the newly deployed instances to the Puppet master. When the Auto Scaling group scales in, use the CodeDeploy ApplicationStop lifecycle hook to run a script to de-register the instance from the Puppet master
C. At instance launch time, use EC2 user data to deploy the AWS CodeDeploy agent. When the Auto Scaling group scales out, use CodeDeploy to install the Puppet agent, and run a script to register the newly deployed instances to the Puppet master. When the Auto Scaling group scales in, use the EC2 user data instance stop script to run a script to de-register the instance from the Puppet master
D. Bake the AWS Systems Manager agent into the base AMI. When the Auto Scaling group scales out, use the AWS Systems Manager to install the Puppet agent, and run a script to register the newly deployed instances to the Puppet master. When the Auto Scaling group scales in, use the Systems Manager instance stop lifecycle hook to run a script to de-register the instance from the Puppet master
Correct Answer:
A. At instance launch time, use EC2 user data to deploy the AWS CodeDeploy agent. Use CodeDeploy to install the Puppet agent. When the Auto Scaling group scales out, run a script to register the newly deployed instances to the Puppet master. When the Auto Scaling group scales in, use the EC2 Auto Scaling EC2_INSTANCE_TERMINATING lifecycle hook to trigger de-registration from the Puppet master
Question 10
A company updated the AWS CloudFormation template for a critical business application. The stack update process failed due to an error in the updated template, and AWS CloudFormation automatically began the stack rollback process. Later, a DevOps engineer discovered that the application was still unavailable and that the stack was in the UPDATE_ROLLBACK_FAILED state. Which combination of actions should the DevOps engineer perform so that the stack rollback can complete successfully? (Choose two.)
A. Attach the AWSCloudFormationFullAccess IAM policy to the AWS CloudFormation role
B. Automatically recover the stack resources by using AWS CloudFormation drift detection
C. Issue a ContinueUpdateRollback command from the AWS CloudFormation console or the AWS CLI
D. Manually adjust the resources to match the expectations of the stack
E. Update the existing AWS CloudFormation stack by using the original template
Correct Answer:
C. Issue a ContinueUpdateRollback command from the AWS CloudFormation console or the AWS CLI
D. Manually adjust the resources to match the expectations of the stack
Question 11
An application has microservices spread across different AWS accounts and is integrated with an on-premises legacy system for some of its functionality. Because of the segmented architecture and missing logs, every time the application experiences issues, it is taking too long to gather the logs to identify the issues. A DevOps Engineer must fix the log aggregation process and provide a way to centrally analyze the logs. Which is the MOST efficient and cost-effective solution?
A. Collect system logs and application logs by using the Amazon CloudWatch Logs agent. Use the Amazon S3 API to export on-premises logs, and store the logs in an S3 bucket in a central account. Build an Amazon EMR cluster to reduce the logs and derive the root cause
B. Collect system logs and application logs by using the Amazon CloudWatch Logs agent. Use the Amazon S3 API to import on-premises logs. Store all logs in S3 buckets in individual accounts. Use Amazon Macie to write a query to search for the required specific event-related data point
C. Collect system logs and application logs using the Amazon CloudWatch Logs agent. Install the CloudWatch Logs agent on the on-premises servers. Transfer all logs from AWS to the on-premises data center. Use an Amazon Elasticsearch Logstash Kibana stack to analyze logs on premises
D. Collect system logs and application logs by using the Amazon CloudWatch Logs agent. Install a CloudWatch Logs agent for on-premises resources. Store all logs in an S3 bucket in a central account. Set up an Amazon S3 trigger and an AWS Lambda function to analyze incoming logs and automatically identify anomalies. Use Amazon Athena to run ad hoc queries on the logs in the central account
Correct Answer:
D. Collect system logs and application logs by using the Amazon CloudWatch Logs agent. Install a CloudWatch Logs agent for on-premises resources. Store all logs in an S3 bucket in a central account. Set up an Amazon S3 trigger and an AWS Lambda function to analyze incoming logs and automatically identify anomalies. Use Amazon Athena to run ad hoc queries on the logs in the central account
Question 12
A company gives its employees limited rights to AWS. DevOps engineers have the ability to assume an administrator role. For tracking purposes, the security team wants to receive a near-real-time notification when the administrator role is assumed. How should this be accomplished?
A. Configure AWS Config to publish logs to an Amazon S3 bucket. Use Amazon Athena to query the logs and send a notification to the security team when the administrator role is assumed
B. Configure Amazon GuardDuty to monitor when the administrator role is assumed and send a notification to the security team
C. Create an Amazon EventBridge (Amazon CloudWatch Events) event rule using an AWS Management Console sign-in events event pattern that publishes a message to an Amazon SNS topic if the administrator role is assumed
D. Create an Amazon EventBridge (Amazon CloudWatch Events) events rule using an AWS API call that uses an AWS CloudTrail event pattern to trigger an AWS Lambda function that publishes a message to an Amazon SNS topic if the administrator role is assumed
Correct Answer:
D. Create an Amazon EventBridge (Amazon CloudWatch Events) events rule using an AWS API call that uses an AWS CloudTrail event pattern to trigger an AWS Lambda function that publishes a message to an Amazon SNS topic if the administrator role is assumed
Question 13
A development team is using AWS CodeCommit to version control application code and AWS CodePipeline to orchestrate software deployments. The team has decided to use a remote master branch as the trigger for the pipeline to integrate code changes. A developer has pushed code changes to the CodeCommit repository, but noticed that the pipeline had no reaction, even after 10 minutes. Which of the following actions should be taken to troubleshoot this issue?
A. Check that an Amazon CloudWatch Events rule has been created for the master branch to trigger the pipeline
B. Check that the CodePipeline service role has permission to access the CodeCommit repository
C. Check that the developer's IAM role has permission to push to the CodeCommit repository
D. Check to see if the pipeline failed to start because of CodeCommit errors in Amazon CloudWatch Logs
Correct Answer:
A. Check that an Amazon CloudWatch Events rule has been created for the master branch to trigger the pipeline
Question 14
A company is using AWS CodePipeline to deploy an application. According to a new guideline, a member of the company's security team must sign off on any application changes before the changes are deployed into production. The approval must be recorded and retained. Which combination of actions will meet these requirements? (Choose two.)
A. Configure CodePipeline to write actions to Amazon CloudWatch Logs
B. Configure CodePipeline to write actions to an Amazon S3 bucket at the end of each pipeline stage
C. Create an AWS CloudTrail trail to deliver logs to Amazon S3
D. Create a CodePipeline custom action to invoke an AWS Lambda function for approval. Create a policy that gives the security team access to manage CodePipeline custom actions
E. Create a CodePipeline manual approval action before the deployment step. Create a policy that grants the security team access to approve manual approval stages
Correct Answer:
C. Create an AWS CloudTrail trail to deliver logs to Amazon S3
E. Create a CodePipeline manual approval action before the deployment step. Create a policy that grants the security team access to approve manual approval stages
Question 15
A company that uses electronic health records is running a fleet of Amazon EC2 instances with an Amazon Linux operating system. As part of patient privacy requirements, the company must ensure continuous compliance for patches for operating system and applications running on the EC2 instances. How can the deployments of the operating system and application patches be automated using a default and custom repository?
A. Use AWS Systems Manager to create a new patch baseline including the custom repository. Run the AWS-RunPatchBaseline document using the run command to verify and install patches
B. Use AWS Direct Connect to integrate the corporate repository and deploy the patches using Amazon CloudWatch scheduled events, then use the CloudWatch dashboard to create reports
C. Use yum-config-manager to add the custom repository under /etc/yum.repos.d and run yum-config-manager --enable to activate the repository
D. Use AWS Systems Manager to create a new patch baseline including the corporate repository. Run the AWS-AmazonLinuxDefaultPatchBaseline document using the run command to verify and install patches
Correct Answer:
A. Use AWS Systems Manager to create a new patch baseline including the custom repository. Run the AWS-RunPatchBaseline document using the run command to verify and install patches
Question 16
A DevOps engineer needs to grant several external contractors access to a legacy application that runs on an Amazon Linux Amazon EC2 instance. The application server is available only in a private subnet. The contractors are not authorized for VPN access. What should the DevOps engineer do to grant the contractors access to the application server?
A. Create an IAM user and SSH keys for each contractor. Add the public SSH key to the application server's SSH authorized_keys file. Instruct the contractors to install the AWS CLI and AWS Systems Manager Session Manager plugin, update their AWS credentials files with their private keys, and use the aws ssm start-session command to gain access to the target application server instance ID
B. Ask each contractor to securely send their SSH public key. Add this public key to the application server's SSH authorized_keys file. Instruct the contractors to use their private key to connect to the application server through SSH
C. Ask each contractor to securely send their SSH public key. Use EC2 pairs to import their key. Update the application server's SSH authorized_keys file. Instruct the contractors to use their private key to connect to the application server through SSH
D. Create an IAM user for each contractor with programmatic access. Add each user to an IAM group that has a policy that allows the ssm:StartSession action. Instruct the contractors to install the AWS CLI and AWS Systems Manager Session Manager plugin, update their AWS credentials files with their access keys, and use the aws ssm start-session to gain access to the target application server instance ID
Correct Answer:
D. Create an IAM user for each contractor with programmatic access. Add each user to an IAM group that has a policy that allows the ssm:StartSession action. Instruct the contractors to install the AWS CLI and AWS Systems Manager Session Manager plugin, update their AWS credentials files with their access keys, and use the aws ssm start-session to gain access to the target application server instance ID
Question 17
A DevOps engineer wants to implement an automated response that will occur if AWS Trusted Advisor detects an IAM access key in a public source code repository. The automated response must delete the exposed access key and must notify the security team. Which solution will meet these requirements?
A. Create an AWS Lambda function to delete the IAM access key. Configure AWS CloudTrail logs to stream to Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter for the AWS_RISK_CREDENTIALS_EXPOSED event with two actions. First, run the Lambda function. Second, use Amazon Simple Notification Service (Amazon SNS) to send a notification to the security team
B. Create an AWS Lambda function to delete the IAM access key. Create an AWS Config rule for changes to "aws.trustedadvisor" and the "Exposed Access Keys" status with two actions. First, run the Lambda function. Second, use Amazon Simple Notification Service (Amazon SNS) to send a notification to the security team
C. Create an AWS Lambda function that deletes the IAM access key and then uses Amazon Simple Notification Service (Amazon SNS) to notify the security team. Create an AWS Personal Health Dashboard rule for the AWS_RISK_CREDENTIALS_EXPOSED event. Set the target of the Personal Health Dashboard rule to the ARN of the Lambda function
D. Create an AWS Lambda function that deletes the IAM access key. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with an "aws.trustedadvisor" event source and the "Exposed Access Keys" status. Set the EventBridge (CloudWatch Events) rule to target the Lambda function and an Amazon Simple Notification Service (Amazon SNS) topic that notifies the security team
Correct Answer:
D. Create an AWS Lambda function that deletes the IAM access key. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with an "aws.trustedadvisor" event source and the "Exposed Access Keys" status. Set the EventBridge (CloudWatch Events) rule to target the Lambda function and an Amazon Simple Notification Service (Amazon SNS) topic that notifies the security team
Question 18
A company requires an RPO of 2 hours and an RTO of 10 minutes for its data and application at all times. An application uses a MySQL database and Amazon EC2 web servers. The development team needs a strategy for failover and disaster recovery. Which combination of deployment strategies will meet these requirements? (Choose two.)
A. Create an Amazon Aurora cluster in one Availability Zone across multiple Regions as the data store. Use Aurora's automatic recovery capabilities in the event of a disaster
B. Create an Amazon Aurora global database in two Regions as the data store. In the event of a failure, promote the secondary Region as the master for the application
C. Create an Amazon Aurora multi-master cluster across multiple Regions as the data store. Use a Network Load Balancer to balance the database traffic in different Regions
D. Set up the application in two Regions and use Amazon Route 53 failover-based routing that points to the Application Load Balancers in both Regions. Use health checks to determine the availability in a given Region. Use Auto Scaling groups in each Region to adjust capacity based on demand
E. Set up the application in two Regions and use a multi-Region Auto Scaling group behind Application Load Balancers to manage the capacity based on demand. In the event of a disaster, adjust the Auto Scaling group's desired instance count to increase baseline capacity in the failover Region
Correct Answer:
B. Create an Amazon Aurora global database in two Regions as the data store. In the event of a failure, promote the secondary Region as the master for the application
D. Set up the application in two Regions and use Amazon Route 53 failover-based routing that points to the Application Load Balancers in both Regions. Use health checks to determine the availability in a given Region. Use Auto Scaling groups in each Region to adjust capacity based on demand
Question 19
The security team depends on AWS CloudTrail to detect sensitive security issues in the company's AWS account. The DevOps engineer needs a solution to auto-remediate CloudTrail being turned off in an AWS account. What solution ensures the LEAST amount of downtime for the CloudTrail log deliveries?
A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule for the CloudTrail StopLogging event. Create an AWS Lambda function that uses the AWS SDK to call StartLogging on the ARN of the resource in which StopLogging was called. Add the Lambda function ARN as a target to the EventBridge (CloudWatch Events) rule
B. Deploy the AWS-managed CloudTrail-enabled AWS Config rule, set with a periodic interval of 1 hour. Create an Amazon EventBridge (Amazon CloudWatch Events) rule for AWS Config rules compliance change. Create an AWS Lambda function that uses the AWS SDK to call StartLogging on the ARN of the resource in which StopLogging was called. Add the Lambda function ARN as a target to the EventBridge (CloudWatch Events) rule
C. Create an Amazon EventBridge (Amazon CloudWatch Events) rule for a scheduled event every 5 minutes. Create an AWS Lambda function that uses the AWS SDK to call StartLogging on a CloudTrail trail in the AWS account. Add the Lambda function ARN as a target to the EventBridge (CloudWatch Events) rule
D. Launch a t2.nano instance with a script running every 5 minutes that uses the AWS SDK to query CloudTrail in the current account. If the CloudTrail trail is disabled, have the script re-enable the trail
Correct Answer:
A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule for the CloudTrail StopLogging event. Create an AWS Lambda function that uses the AWS SDK to call StartLogging on the ARN of the resource in which StopLogging was called. Add the Lambda function ARN as a target to the EventBridge (CloudWatch Events) rule
Question 20
A company needs to scan code changes for security issues before deployment and must prevent noncompliant code from being deployed. The company uses an AWS CodePipeline pipeline that starts when code changes occur. The code changes occur many times each day. The company's security team supports a third-party application for code scans and has provided command-line integration steps to submit code scans. The code scan step requires a user name and password. Which solution will meet these requirements in the MOST secure way?
A. Create a new AWS CodeBuild project. Configure the user name and password in an environment variable. Use the user name and password to run the command-line integration steps. Update the CodePipeline pipeline to include a new scan stage. In the new scan stage, include a test action that uses the newly created CodeBuild project
B. Create a new AWS CodeBuild project. Store the user name and password as a secret in AWS Secrets Manager. Read the secret from Secrets Manager. Use the user name and password to run the command-line integration steps. Update the CodePipeline pipeline to include a new scan stage. In the new scan stage, include a test action that uses the newly created CodeBuild project
C. Create a new AWS CodeBuild project. Store the user name and password as a string in AWS Systems Manager Parameter Store. Read the string from Parameter Store. Use the user name and password to run the command-line integration steps. Update the CodePipeline pipeline to include a new scan stage. In the new scan stage, include a test action that uses the newly created CodeBuild project
D. Upload the user name and password in an encrypted JSON file to an Amazon S3 bucket that has a specific policy to allow only administrators to read the file. Create a new AWS CodeBuild project. Use the user name and password from the file in Amazon S3 to run the command-line integration steps. Update the CodePipeline pipeline to include a new scan stage. In the new scan stage, include a test action that uses the newly created CodeBuild project
Correct Answer:
B. Create a new AWS CodeBuild project. Store the user name and password as a secret in AWS Secrets Manager. Read the secret from Secrets Manager. Use the user name and password to run the command-line integration steps. Update the CodePipeline pipeline to include a new scan stage. In the new scan stage, include a test action that uses the newly created CodeBuild project
Download the complete DOP-C01 study bundle with 141+ questions in a single printable PDF.