DOP-C02 Free Practice Test

A company's application uses a fleet of Amazon EC2 On-Demand Instances to analyze and process data. The EC2 instances are in an Auto Scaling group. The Auto Scaling group is a target group for an Application Load Balancer (ALB). The application analyzes critical data that cannot tolerate interruption. The application also analyzes noncritical data that can withstand interruption.
The critical data analysis requires quick scalability in response to real-time application demand. The noncritical data analysis involves memory consumption. A DevOps engineer must implement a solution that reduces scale-out latency for the critical data. The solution also must process the noncritical data.
Which combination of steps will meet these requirements? (Select TWO.)

1. A. For the critical data, modify the existing Auto Scaling grou
2. B. Create a warm pool instance in the stopped stat
3. C. Define the warm pool siz
4. D. Create a new version of the launch template that has detailed monitoring enable
5. E. use Spot Instances.
6. F. For the critical data, modify the existing Auto Scaling grou
7. G. Create a warm pool instance in the stopped stat
8. H. Define the warm pool siz
9. I. Create a new version of the launch template that has detailed monitoring enable
10. J. Use On-Demand Instances.
11. K. For the critical dat
12. L. modify the existing Auto Scaling grou
13. M. Create a lifecycle hook to ensure that bootstrap scripts are completed successfull
14. N. Ensure that the application on the instances is ready to accept traffic before the instances are registere
15. O. Create a new version of the launch template that has detailed monitoring enabled.
16. P. For the noncritical data, create a second Auto Scaling group that uses a launch templat
17. Q. Configure the launch template to install the unified Amazon CloudWatch agent and to configure the CloudWatch agent with a custom memory utilization metri
18. R. Use Spot Instance
19. S. Add the new Auto Scaling group as the target group for the AL
20. T. Modify the application to use two target groups for critical data and noncritical data.
21. . For the noncritical data, create a second Auto Scaling grou
22. . Choose the predefined memory utilization metric type for the target tracking scaling polic
23. . Use Spot Instance
24. . Add the new Auto Scaling group as the target group for the AL
25. . Modify the application to use two target groups for critical data and noncritical data.

Correct Answer: BD
✑ For the critical data, using a warm pool1 can reduce the scale-out latency by having pre-initialized EC2 instances ready to serve the application traffic. Using On-Demand Instances can ensure that the instances are always available and not interrupted by Spot interruptions2.
✑ For the noncritical data, using a second Auto Scaling group with Spot Instances can reduce the cost and leverage the unused capacity of EC23. Using a launch template with the CloudWatch agent4 can enable the collection of memory utilization metrics, which can be used to scale the group based on the memory
demand. Adding the second group as a target group for the ALB and modifying the application to use two target groups can enable routing the traffic based on the data type.
References: 1: Warm pools for Amazon EC2 Auto Scaling 2: Amazon EC2 On-Demand Capacity Reservations 3: Amazon EC2 Spot Instances 4: Metrics collected by the CloudWatch agent

A DevOps engineer at a company is supporting an AWS environment in which all users use AWS IAM Identity Center (AWS Single Sign-On). The company wants to immediately disable credentials of any new IAM user and wants the security team to receive a notification.
Which combination of steps should the DevOps engineer take to meet these requirements? (Choose three.)

1. A. Create an Amazon EventBridge rule that reacts to an IAM CreateUser API call in AWS CloudTrail.
2. B. Create an Amazon EventBridge rule that reacts to an IAM GetLoginProfile API call in AWS CloudTrail.
3. C. Create an AWS Lambda function that is a target of the EventBridge rul
4. D. Configure the Lambda function to disable any access keys and delete the login profiles that are associated with the IAM user.
5. E. Create an AWS Lambda function that is a target of the EventBridge rul
6. F. Configure the Lambda function to delete the login profiles that are associated with the IAM user.
7. G. Create an Amazon Simple Notification Service (Amazon SNS) topic that is a target of the EventBridge rul
8. H. Subscribe the security team's group email address to the topic.
9. I. Create an Amazon Simple Queue Service (Amazon SQS) queue that is a target of the Lambda functio
10. J. Subscribe the security team's group email address to the queue.

Correct Answer: ACE

A DevOps engineer needs to apply a core set of security controls to an existing set of AWS accounts. The accounts are in an organization in AWS Organizations. Individual teams will administer individual accounts by using the AdministratorAccess AWS managed policy. For all accounts. AWS CloudTrail and AWS Config must be turned on in all available AWS Regions. Individual account administrators must not be able to edit or delete any of the baseline resources. However, individual account administrators must be able to edit or delete their own CloudTrail trails and AWS Config rules.
Which solution will meet these requirements in the MOST operationally efficient way?

1. A. Create an AWS CloudFormation template that defines the standard account resource
2. B. Deploy the template to all accounts from the organization's management account by using CloudFormation StackSet
3. C. Set the stack policy to deny Update:Delete actions.
4. D. Enable AWS Control Towe
5. E. Enroll the existing accounts in AWS Control Towe
6. F. Grant the individual account administrators access to CloudTrail and AWS Config.
7. G. Designate an AWS Config management accoun
8. H. Create AWS Config recorders in all accounts by using AWS CloudFormation StackSet
9. I. Deploy AWS Config rules to the organization by using the AWS Config management accoun
10. J. Create a CloudTrail organization trail in the organization’s management accoun
11. K. Deny modification or deletion of the AWS Config recorders by using an SCP.
12. L. Create an AWS CloudFormation template that defines the standard account resource
13. M. Deploy the template to all accounts from the organization's management account by using Cloud Formation StackSets Create an SCP that prevents updates or deletions to CloudTrail resources or AWS Config resources unless the principal is an administrator of the organization's management account.

Correct Answer: D

A company uses an Amazon API Gateway regional REST API to host its application API. The REST API has a custom domain. The REST API's default endpoint is deactivated.
The company's internal teams consume the API. The company wants to use mutual TLS between the API and the internal teams as an additional layer of authentication.
Which combination of steps will meet these requirements? (Select TWO.)

1. A. Use AWS Certificate Manager (ACM) to create a private certificate authority (CA). Provision a client certificate that is signed by the private CA.
2. B. Provision a client certificate that is signed by a public certificate authority (CA). Import the certificate into AWS Certificate Manager (ACM).
3. C. Upload the provisioned client certificate to an Amazon S3 bucke
4. D. Configure the API Gateway mutual TLS to use the client certificate that is stored in the S3 bucket as the trust store.
5. E. Upload the provisioned client certificate private key to an Amazon S3 bucke
6. F. Configure the API Gateway mutual TLS to use the private key that is stored in the S3 bucket as the trust store.
7. G. Upload the root private certificate authority (CA) certificate to an Amazon S3 bucke
8. H. Configure the API Gateway mutual TLS to use the private CA certificate that is stored in the S3 bucket as the trust store.

Correct Answer: AE
Mutual TLS (mTLS) authentication requires two-way authentication between the client and the server. For Amazon API Gateway, you can enable mTLS for a custom domain name, which requires clients to present X.509 certificates to verify their identity to access your API. To set up mTLS, you would typically use AWS Certificate Manager (ACM) to create a private certificate authority (CA) and provision a client certificate signed by this private
CA. The root CA certificate is then uploaded to an Amazon S3 bucket and configured in API Gateway as the trust store12.
References:
✑ Introducing mutual TLS authentication for Amazon API Gateway1.
✑ Configuring mutual TLS authentication for a REST API2.
✑ AWS Private Certificate Authority details3.
✑ AWS Certificate Manager Private Certificate Authority updates4.

A company is launching an application that stores raw data in an Amazon S3 bucket. Three applications need to access the data to generate reports. The data must be redacted differently for each application before
the applications can access the data.
Which solution will meet these requirements?

1. A. Create an S3 bucket for each applicatio
2. B. Configure S3 Same-Region Replication (SRR) from the raw data's S3 bucket to each application's S3 bucke
3. C. Configure each application to consume data from its own S3 bucket.
4. D. Create an Amazon Kinesis data strea
5. E. Create an AWS Lambda function that isinvoked by object creation events in the raw data's S3 bucke
6. F. Program the Lambda function to redact data for each applicatio
7. G. Publish the data on the Kinesis data strea
8. H. Configure each application to consume data from the Kinesis data stream.
9. I. For each application, create an S3 access point that uses the raw data's S3 bucket as the destinatio
10. J. Create an AWS Lambda function that is invoked by object creation events in the raw data's S3 bucke
11. K. Program the Lambda function to redact data for each applicatio
12. L. Store the data in each application's S3 access poin
13. M. Configure each application to consume data from its own S3 access point.
14. N. Create an S3 access point that uses the raw data's S3 bucket as the destinatio
15. O. For each application, create an S3 Object Lambda access point that uses the S3 access poin
16. P. Configure the AWS Lambda function for each S3 Object Lambda access point to redact data when objects are retrieve
17. Q. Configure each application to consume data from its own S3 Object Lambda access point.

Correct Answer: D
✑ The best solution is to use S3 Object Lambda1, which allows you to add your own code to S3 GET, LIST, and HEAD requests to modify and process data as it is returned to an application2. This way, you can redact the data differently for each application without creating and storing multiple copies of the data or running proxies.
✑ The other solutions are less efficient or scalable because they require replicating the data to multiple buckets, streaming the data through Kinesis, or storing the data in S3 access points.
References: 1: Amazon S3 Features | Object Lambda | AWS 2: Transforming objects with S3 Object Lambda - Amazon Simple Storage Service