DOP-C02 Free Practice Test

A company has developed an AWS Lambda function that handles orders received through an API. The company is using AWS CodeDeploy to deploy the Lambda function as the final stage of a CI/CD pipeline.
A DevOps engineer has noticed there are intermittent failures of the ordering API for a few seconds after deployment. After some investigation the DevOps engineer believes the failures are due to database changes not having fully propagated before the Lambda function is invoked
How should the DevOps engineer overcome this?

1. A. Add a BeforeAllowTraffic hook to the AppSpec file that tests and waits for any necessary database changes before traffic can flow to the new version of the Lambda function.
2. B. Add an AfterAlIowTraffic hook to the AppSpec file that forces traffic to wait for any pending database changes before allowing the new version of the Lambda function to respond.
3. C. Add a BeforeAllowTraffic hook to the AppSpec file that tests and waits for any necessary database changes before deploying the new version of the Lambda function.
4. D. Add a validateService hook to the AppSpec file that inspects incoming traffic and rejects the payload if dependent services such as the database are not yet ready.

Correct Answer: A
https://docs.aws.amazon.com/codedeploy/latest/userguide/reference-appspec-file-structure-hooks.html#appspec-hooks-lambda

A company uses AWS Organizations to manage multiple accounts. Information security policies require that all unencrypted Amazon EBS volumes be marked as non-compliant. A DevOps engineer needs to automatically deploy the solution and ensure that this compliance check is always present.
Which solution will accomplish this?

1. A. Create an AWS CloudFormation template that defines an AWS Inspector rule to check whether EBS encryption is enable
2. B. Save the template to an Amazon S3 bucket that has been shared with all accounts within the compan
3. C. Update the account creation script pointing to the CloudFormation template in Amazon S3.
4. D. Create an AWS Config organizational rule to check whether EBS encryption is enabled and deploy the rule using the AWS CL
5. E. Create and apply an SCP to prohibit stopping and deleting AWS Config across the organization.
6. F. Create an SCP in Organization
7. G. Set the policy to prevent the launch of Amazon EC2 instances without encryption on the EBS volumes using a conditional expressio
8. H. Apply the SCP to all AWS account
9. I. Use Amazon Athena to analyze the AWS CloudTrail output, looking for events that deny an ec2: RunInstances action.
10. J. Deploy an IAM role to all accounts from a single trusted accoun
11. K. Build a pipeline withAWS CodePipeline with a stage in AWS Lambda to assume the IAM role, and list all EBS volumes in the accoun
12. L. Publish a report to Amazon S3.

Correct Answer: B
https://docs.aws.amazon.com/config/latest/developerguide/ec2-ebs-encryption-by-default.html

A company must encrypt all AMIs that the company shares across accounts. A DevOps engineer has access to a source account where an unencrypted custom AMI has been built. The DevOps engineer also has access to a target account where an Amazon EC2 Auto Scaling group will launch EC2 instances from the AMI. The DevOps engineer must share the AMI with the target account.
The company has created an AWS Key Management Service (AWS KMS) key in the source account.
Which additional steps should the DevOps engineer perform to meet the requirements? (Choose three.)

1. A. In the source account, copy the unencrypted AMI to an encrypted AM
2. B. Specify the KMS key in the copy action.
3. C. In the source account, copy the unencrypted AMI to an encrypted AM
4. D. Specify the default Amazon Elastic Block Store (Amazon EBS) encryption key in the copy action.
5. E. In the source account, create a KMS grant that delegates permissions to the Auto Scaling group service-linked role in the target account.
6. F. In the source account, modify the key policy to give the target account permissions to create a gran
7. G. In the target account, create a KMS grant that delegates permissions to the Auto Scaling group service-linked role.
8. H. In the source account, share the unencrypted AMI with the target account.
9. I. In the source account, share the encrypted AMI with the target account.

Correct Answer: ADF
The Auto Scaling group service-linked role must have a specific grant in the source account in order to decrypt the encrypted AMI. This is because the service-linked role does not have permissions to assume the default IAM role in the source account. The following steps are required to meet the requirements:
✑ In the source account, copy the unencrypted AMI to an encrypted AMI. Specify the KMS key in the copy action.
✑ In the source account, create a KMS grant that delegates permissions to the Auto Scaling group service-linked role in the target account.
✑ In the source account, share the encrypted AMI with the target account.
✑ In the target account, attach the KMS grant to the Auto Scaling group service- linked role.
The first three steps are the same as the steps that I described earlier. The fourth step is required to grant the Auto Scaling group service-linked role permissions to decrypt the AMI
in the target account.

A DevOps engineer needs to back up sensitive Amazon S3 objects that are stored within an S3 bucket with a private bucket policy using S3 cross-Region replication functionality. The objects need to be copied to a target bucket in a different AWS Region and account.
Which combination of actions should be performed to enable this replication? (Choose three.)

1. A. Create a replication IAM role in the source account
2. B. Create a replication I AM role in the target account.
3. C. Add statements to the source bucket policy allowing the replication IAM role to replicate objects.
4. D. Add statements to the target bucket policy allowing the replication IAM role to replicate objects.
5. E. Create a replication rule in the source bucket to enable the replication.
6. F. Create a replication rule in the target bucket to enable the replication.

Correct Answer: ADE
S3 cross-Region replication (CRR) automatically replicates data between buckets across different AWS Regions. To enable CRR, you need to add a replication configuration to your source bucket that specifies the destination bucket, the IAM role, and the encryption type (optional). You also need to grant permissions to the IAM role to perform replication actions on both the source and destination buckets. Additionally, you can choose the destination storage class and enable additional replication options such as S3 Replication Time Control (S3 RTC) or S3 Batch Replication. https://medium.com/cloud-
techies/s3-same-region-replication-srr-and-cross-region-replication-crr-34d446806bab https://aws.amazon.com/getting-started/hands-on/replicate-data-using-amazon-s3- replication/ https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication.html

A company is examining its disaster recovery capability and wants the ability to switch over its daily operations to a secondary AWS Region. The company uses AWS CodeCommit as a source control tool in the primary Region.
A DevOps engineer must provide the capability for the company to develop code in the secondary Region. If the company needs to use the secondary Region, developers can add an additional remote URL to their local Git configuration.
Which solution will meet these requirements?

1. A. Create a CodeCommit repository in the secondary Regio
2. B. Create an AWS CodeBuild project to perform a Git mirror operation of the primary Region's CodeCommit repository to the secondary Region's CodeCommit repositor
3. C. Create an AWS Lambda function that invokes the CodeBuild projec
4. D. Create an Amazon EventBridge rule that reacts to merge events in the primary Region's CodeCommit repositor
5. E. Configure the EventBridge rule to invoke the Lambda function.
6. F. Create an Amazon S3 bucket in the secondary Regio
7. G. Create an AWS Fargate task to perform a Git mirror operation of the primary Region's CodeCommit repository and copy the result to the S3 bucke
8. H. Create an AWS Lambda function that initiates the Fargate tas
9. I. Create an Amazon EventBridge rule that reacts to merge events in the CodeCommitrepositor
10. J. Configure the EventBridge rule to invoke the Lambda function.
11. K. Create an AWS CodeArtifact repository in the secondary Regio
12. L. Create an AWS CodePipeline pipeline that uses the primary Region's CodeCommit repository for the source actio
13. M. Create a Cross-Region stage in the pipeline that packages the CodeCommit repository contents and stores the contents in the CodeArtifact repository when a pull request is merged into the CodeCommit repository.
14. N. Create an AWS Cloud9 environment and a CodeCommit repository in the secondary Regio
15. O. Configure the primary Region's CodeCommit repository as a remote repository in the AWS Cloud9 environmen
16. P. Connect the secondary Region's CodeCommit repository to the AWS Cloud9 environment.

Correct Answer: A
The best solution to meet the disaster recovery capability and allow developers to switch over to a secondary AWS Region for code development is option A. This involves creating a CodeCommit repository in the secondary Region and setting up an AWS CodeBuild project to perform a Git mirror operation of the primary Region’s CodeCommit repository to the secondary Region’s repository. An AWS Lambda function is then created to invoke the CodeBuild project. Additionally, an Amazon EventBridge rule is configured to react to merge events in the primary Region’s CodeCommit repository and invoke the Lambda function12. This setup ensures that the secondary Region’s repository is always up-to-date with the primary repository, allowing for a seamless transition in case of a disaster recovery event1.
References:
✑ AWS CodeCommit User Guide on resilience and disaster recovery1.
✑ AWS Documentation on monitoring CodeCommit events in Amazon EventBridge and Amazon CloudWatch Events2.