DOP-C02 AWS Certified DevOps Engineer- Professional Free Demo Questions – Try Before You Buy

Question 1

A company hosts a security auditing application in an AWS account. The auditing application uses an
IAM role to access other AWS accounts. All the accounts are in the same organization in AWS
Organizations.
A recent security audit revealed that users in the audited AWS accounts could modify or delete the
auditing application's IAM role. The company needs to prevent any modification to the auditing
application's IAM role by any entity other than a trusted administrator IAM role.
Which solution will meet these requirements?

A

Create an SCP that includes a Deny statement for changes to the auditing application's IAM role.
Include a condition that allows the trusted administrator IAM role to make changes. Attach the SCP
to the root of the organization.

B

Create an SCP that includes an Allow statement for changes to the auditing application's IAM role
by the trusted administrator IAM role. Include a Deny statement for changes by all other IAM
principals. Attach the SCP to the IAM service in each AWS account where the auditing application has
an IAM role.

C

Create an IAM permissions boundary that includes a Deny statement for changes to the auditing
application's IAM role. Include a condition that allows the trusted administrator IAM role to make
changes. Attach the permissions boundary to the audited AWS accounts.

D

Create an IAM permissions boundary that includes a Deny statement for changes to the auditing
application’s IAM role. Include a condition that allows the trusted administrator IAM role to make
changes. Attach the permissions boundary to the auditing application's IAM role in the AWS
accounts.

Correct Answer: A

Explanation:

SCPs (Service Control Policies) are the best way to restrict permissions at the organizational level,
which in this case would be used to restrict modifications to the IAM role used by the auditing
application, while still allowing trusted administrators to make changes to it. Options C and D are not
as effective because IAM permission boundaries are applied to IAM entities (users, groups, and
roles), not the account itself, and must be applied to all IAM entities in the account.

Question 2

A company has an AWS CodePipeline pipeline that is configured with an Amazon S3 bucket in the euwest-1 Region. The pipeline deploys an AWS Lambda application to the same Region. The pipeline
consists of an AWS CodeBuild project build action and an AWS CloudFormation deploy action.
The CodeBuild project uses the aws cloudformation package AWS CLI command to build an artifact
that contains the Lambda function code’s .zip file and the CloudFormation template. The
CloudFormation deploy action references the CloudFormation template from the output artifact of
the CodeBuild project’s build action.
The company wants to also deploy the Lambda application to the us-east-1 Region by using the
pipeline in eu-west-1. A DevOps engineer has already updated the CodeBuild project to use the aws
cloudformation package command to produce an additional output artifact for us-east-1.
Which combination of additional steps should the DevOps engineer take to meet these
requirements? (Choose two.)

A

Modify the CloudFormation template to include a parameter for the Lambda function code’s zip
file location. Create a new CloudFormation deploy action for us-east-1 in the pipeline. Configure the
new deploy action to pass in the us-east-1 artifact location as a parameter override.

B

Create a new CloudFormation deploy action for us-east-1 in the pipeline. Configure the new
deploy action to use the CloudFormation template from the us-east-1 output artifact.

C

Create an S3 bucket in us-east-1. Configure the S3 bucket policy to allow CodePipeline to have
read and write access.

D

Create an S3 bucket in us-east-1. Configure S3 Cross-Region Replication (CRR) from the S3 bucket
in eu-west-1 to the S3 bucket in us-east-1.

E

Modify the pipeline to include the S3 bucket for us-east-1 as an artifact store. Create a new
CloudFormation deploy action for us-east-1 in the pipeline. Configure the new deploy action to use
the CloudFormation template from the us-east-1 output artifact.

Correct Answer: A, B

Explanation:

A) The CloudFormation template should be modified to include a parameter that indicates the
location of the .zip file containing the Lambda function's code. This allows the CloudFormation
deploy action to use the correct artifact depending on the region. This is critical because Lambda
functions need to reference their code artifacts from the same region they are being deployed in. B.
You would also need to create a new CloudFormation deploy action for the us-east-1 Region within
the pipeline. This action should be configured to use the CloudFormation template from the artifact
that was specifically created for us-east-1.

Question 3

A company has containerized all of its in-house quality control applications. The company is running
Jenkins on Amazon EC2 instances, which require patching and upgrading. The compliance officer has
requested a DevOps engineer begin encrypting build artifacts since they contain company
intellectual property.
What should the DevOps engineer do to accomplish this in the MOST maintainable manner?

A

Automate patching and upgrading using AWS Systems Manager on EC2 instances and encrypt
Amazon EBS volumes by default.

B

Deploy Jenkins to an Amazon ECS cluster and copy build artifacts to an Amazon S3 bucket with
default encryption enabled.

C

Leverage AWS CodePipeline with a build action and encrypt the artifacts using AWS Secrets
Manager.

D

Use AWS CodeBuild with artifact encryption to replace the Jenkins instance running on EC2
instances.

Correct Answer: D

Explanation:

The following are the steps involved in accomplishing this in the most maintainable manner:
Use AWS CodeBuild with artifact encryption to replace the Jenkins instance running on EC2
instances.
Configure CodeBuild to encrypt the build artifacts using AWS Secrets Manager.
Deploy the containerized quality control applications to CodeBuild.
This approach is the most maintainable because it eliminates the need to manage Jenkins on EC2
instances. CodeBuild is a managed service, so the DevOps engineer does not need to worry about
patching or upgrading the service https://docs.aws.amazon.com/codebuild/latest/userguide/security-encryption.html Build artifact
encryption - CodeBuild requires access to an AWS KMS CMK in order to encrypt its build output
artifacts. By default, CodeBuild uses an AWS Key Management Service CMK for Amazon S3 in your
AWS account. If you do not want to use this CMK, you must create and configure a customermanaged CMK. For more information Creating keys.

Demo Amazon DOP-C02 Exam Questions

Create an SCP that includes a Deny statement for changes to the auditing application's IAM role.
Include a condition that allows the trusted administrator IAM role to make changes. Attach the SCP
to the root of the organization.

Create an IAM permissions boundary that includes a Deny statement for changes to the auditing
application's IAM role. Include a condition that allows the trusted administrator IAM role to make
changes. Attach the permissions boundary to the audited AWS accounts.

Create an IAM permissions boundary that includes a Deny statement for changes to the auditing
application’s IAM role. Include a condition that allows the trusted administrator IAM role to make
changes. Attach the permissions boundary to the auditing application's IAM role in the AWS
accounts.

Correct Answer: A

Modify the CloudFormation template to include a parameter for the Lambda function code’s zip
file location. Create a new CloudFormation deploy action for us-east-1 in the pipeline. Configure the
new deploy action to pass in the us-east-1 artifact location as a parameter override.

Create a new CloudFormation deploy action for us-east-1 in the pipeline. Configure the new
deploy action to use the CloudFormation template from the us-east-1 output artifact.

Create an S3 bucket in us-east-1. Configure the S3 bucket policy to allow CodePipeline to have
read and write access.

Create an S3 bucket in us-east-1. Configure S3 Cross-Region Replication (CRR) from the S3 bucket
in eu-west-1 to the S3 bucket in us-east-1.

Modify the pipeline to include the S3 bucket for us-east-1 as an artifact store. Create a new
CloudFormation deploy action for us-east-1 in the pipeline. Configure the new deploy action to use
the CloudFormation template from the us-east-1 output artifact.

Correct Answer: A, B

Automate patching and upgrading using AWS Systems Manager on EC2 instances and encrypt
Amazon EBS volumes by default.

Deploy Jenkins to an Amazon ECS cluster and copy build artifacts to an Amazon S3 bucket with
default encryption enabled.

Leverage AWS CodePipeline with a build action and encrypt the artifacts using AWS Secrets
Manager.

Use AWS CodeBuild with artifact encryption to replace the Jenkins instance running on EC2
instances.

Correct Answer: D

Demo Practice Mode

Demo Amazon DOP-C02 Exam Questions

Create an SCP that includes a Deny statement for changes to the auditing application's IAM role.Include a condition that allows the trusted administrator IAM role to make changes. Attach the SCPto the root of the organization.

Create an IAM permissions boundary that includes a Deny statement for changes to the auditingapplication's IAM role. Include a condition that allows the trusted administrator IAM role to makechanges. Attach the permissions boundary to the audited AWS accounts.

Create an IAM permissions boundary that includes a Deny statement for changes to the auditingapplication’s IAM role. Include a condition that allows the trusted administrator IAM role to makechanges. Attach the permissions boundary to the auditing application's IAM role in the AWSaccounts.

Correct Answer: A

Modify the CloudFormation template to include a parameter for the Lambda function code’s zipfile location. Create a new CloudFormation deploy action for us-east-1 in the pipeline. Configure thenew deploy action to pass in the us-east-1 artifact location as a parameter override.

Create a new CloudFormation deploy action for us-east-1 in the pipeline. Configure the newdeploy action to use the CloudFormation template from the us-east-1 output artifact.

Create an S3 bucket in us-east-1. Configure the S3 bucket policy to allow CodePipeline to haveread and write access.

Create an S3 bucket in us-east-1. Configure S3 Cross-Region Replication (CRR) from the S3 bucketin eu-west-1 to the S3 bucket in us-east-1.

Modify the pipeline to include the S3 bucket for us-east-1 as an artifact store. Create a newCloudFormation deploy action for us-east-1 in the pipeline. Configure the new deploy action to usethe CloudFormation template from the us-east-1 output artifact.

Correct Answer: A, B

Automate patching and upgrading using AWS Systems Manager on EC2 instances and encryptAmazon EBS volumes by default.

Deploy Jenkins to an Amazon ECS cluster and copy build artifacts to an Amazon S3 bucket withdefault encryption enabled.

Leverage AWS CodePipeline with a build action and encrypt the artifacts using AWS SecretsManager.

Use AWS CodeBuild with artifact encryption to replace the Jenkins instance running on EC2instances.

Correct Answer: D

Demo Practice Mode

Create an SCP that includes a Deny statement for changes to the auditing application's IAM role.
Include a condition that allows the trusted administrator IAM role to make changes. Attach the SCP
to the root of the organization.

Create an IAM permissions boundary that includes a Deny statement for changes to the auditing
application's IAM role. Include a condition that allows the trusted administrator IAM role to make
changes. Attach the permissions boundary to the audited AWS accounts.

Create an IAM permissions boundary that includes a Deny statement for changes to the auditing
application’s IAM role. Include a condition that allows the trusted administrator IAM role to make
changes. Attach the permissions boundary to the auditing application's IAM role in the AWS
accounts.

Modify the CloudFormation template to include a parameter for the Lambda function code’s zip
file location. Create a new CloudFormation deploy action for us-east-1 in the pipeline. Configure the
new deploy action to pass in the us-east-1 artifact location as a parameter override.

Create a new CloudFormation deploy action for us-east-1 in the pipeline. Configure the new
deploy action to use the CloudFormation template from the us-east-1 output artifact.

Create an S3 bucket in us-east-1. Configure the S3 bucket policy to allow CodePipeline to have
read and write access.

Create an S3 bucket in us-east-1. Configure S3 Cross-Region Replication (CRR) from the S3 bucket
in eu-west-1 to the S3 bucket in us-east-1.

Modify the pipeline to include the S3 bucket for us-east-1 as an artifact store. Create a new
CloudFormation deploy action for us-east-1 in the pipeline. Configure the new deploy action to use
the CloudFormation template from the us-east-1 output artifact.

Automate patching and upgrading using AWS Systems Manager on EC2 instances and encrypt
Amazon EBS volumes by default.

Deploy Jenkins to an Amazon ECS cluster and copy build artifacts to an Amazon S3 bucket with
default encryption enabled.

Leverage AWS CodePipeline with a build action and encrypt the artifacts using AWS Secrets
Manager.

Use AWS CodeBuild with artifact encryption to replace the Jenkins instance running on EC2
instances.