DOP-C02 Free Practice Test

A rapidly growing company wants to scale for developer demand for AWS development environments. Development environments are created manually in the AWS Management Console. The networking team uses AWS CloudFormation to manage the networking infrastructure, exporting stack output values for the Amazon VPC and all subnets. The development environments have common standards, such as Application Load Balancers, Amazon EC2 Auto Scaling groups, security groups, and Amazon DynamoDB tables.
To keep up with demand, the DevOps engineer wants to automate the creation of development environments. Because the infrastructure required to support the application is expected to grow, there must be a way to easily update the deployed infrastructure. CloudFormation will be used to create a template for the development environments.
Which approach will meet these requirements and quickly provide consistent AWS environments for developers?

1. A. Use Fn::ImportValue intrinsic functions in the Resources section of the template to retrieve Virtual Private Cloud (VPC) and subnet value
2. B. Use CloudFormation StackSets for the development environments, using the Count input parameter to indicate the number of environments neede
3. C. Use the UpdateStackSet command to update existing development environments.
4. D. Use nested stacks to define common infrastructure component
5. E. To access the exported values, use TemplateURL to reference the networking team’s templat
6. F. To retrieve Virtual Private Cloud (VPC) and subnet values, use Fn::ImportValue intrinsic functions in the Parameters section of the root templat
7. G. Use the CreateChangeSet and ExecuteChangeSet commands to update existing development environments.
8. H. Use nested stacks to define common infrastructure component
9. I. Use Fn::ImportValue intrinsic functions with the resources of the nested stack to retrieve Virtual Private Cloud (VPC) and subnet value
10. J. Use the CreateChangeSet and ExecuteChangeSet commands to update existing development environments.
11. K. Use Fn::ImportValue intrinsic functions in the Parameters section of the root template to retrieve Virtual Private Cloud (VPC) and subnet value
12. L. Define the development resources in the order they need to be created in the CloudFormation nested stack
13. M. Use the CreateChangeSe
14. N. and ExecuteChangeSet commands to update existing development environments.

Correct Answer: C
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function- reference-importvalue.html https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-importvalue.html CF of network exports the VPC, subnet or needed information CF of application imports the above information to its stack and UpdateChangeSet/ ExecuteChangeSet

A company needs to implement failover for its application. The application includes an Amazon CloudFront distribution and a public Application Load Balancer (ALB) in an AWS Region. The company has configured the ALB as the default origin for the distribution.
After some recent application outages, the company wants a zero-second RTO. The company deploys the application to a secondary Region in a warm standby configuration. A DevOps engineer needs to automate the failover of the application to the secondary Region so that HTTP GET requests meet the desired RTO.
Which solution will meet these requirements?

1. A. Create a second CloudFront distribution that has the secondary ALB as the default origi
2. B. Create Amazon Route 53 alias records that have a failover policy and Evaluate Target Health set to Yes for both CloudFront distribution
3. C. Update the application to use the new record set.
4. D. Create a new origin on the distribution for the secondary AL
5. E. Create a new origin grou
6. F. Set the original ALB as the primary origi
7. G. Configure the origin group to fail over for HTTP 5xx status code
8. H. Update the default behavior to use the origin group.
9. I. Create Amazon Route 53 alias records that have a failover policy and Evaluate TargetHealth set to Yes for both ALB
10. J. Set the TTL of both records to 0. Update the distribution's origin to use the new record set.
11. K. Create a CloudFront function that detects HTTP 5xx status code
12. L. Configure the function to return a 307 Temporary Redirect error response to the secondary ALB if the function detects 5xx status code
13. M. Update the distribution's default behavior to send origin responses to the function.

Correct Answer: B
The best solution to implement failover for the application is to use CloudFront origin groups. Origin groups allow CloudFront to automatically switch to a secondary origin when the primary origin is unavailable or returns specific HTTP status codes that indicate a failure1. This way, CloudFront can serve the requests from the secondary ALB in the secondary Region without any delay or redirection. To set up origin groups, the DevOps engineer needs to create a new origin on the distribution for the secondary ALB, create a new origin group with the original ALB as the primary origin and the secondary ALB as the secondary origin, and configure the origin group to fail over for HTTP 5xx status
codes. Then, the DevOps engineer needs to update the default behavior to use the origin group instead of the single origin2.
The other options are not as effective or efficient as the solution in option B. Option A is not suitable because creating a second CloudFront distribution will increase the complexity and cost of the application. Moreover, using Route 53 alias records with a failover policy will introduce some delay in detecting and switching to the secondary CloudFront distribution, which may not meet the zero-second RTO requirement. Option C is not feasible because CloudFront does not support using Route 53 alias records as origins3. Option D is not advisable because using a CloudFront function to redirect the requests to the secondary ALB will add an extra round-trip and latency to the failover process, which may also not meet the zero-second RTO requirement.
References:
✑ 1: Optimizing high availability with CloudFront origin failover - Amazon CloudFront
✑ 2: Creating an origin group - Amazon CloudFront
✑ 3: Values That You Specify When You Create or Update a Web Distribution - Amazon CloudFront

A company is performing vulnerability scanning for all Amazon EC2 instances across many accounts. The accounts are in an organization in AWS Organizations. Each account's VPCs are attached to a shared transit gateway. The VPCs send traffic to the internet through a central egress VPC. The company has enabled Amazon Inspector in a delegated administrator account and has enabled scanning for all member accounts.
A DevOps engineer discovers that some EC2 instances are listed in the "not scanning" tab in Amazon
Inspector.
Which combination of actions should the DevOps engineer take to resolve this issue? (Choose three.)

1. A. Verify that AWS Systems Manager Agent is installed and is running on the EC2 instances that Amazon Inspector is not scanning.
2. B. Associate the target EC2 instances with security groups that allow outbound communication on port 443 to the AWS Systems Manager service endpoint.
3. C. Grant inspector:StartAssessmentRun permissions to the IAM role that the DevOps engineer is using.
4. D. Configure EC2 Instance Connect for the EC2 instances that Amazon Inspector is not scanning.
5. E. Associate the target EC2 instances with instance profiles that grant permissions to communicate with AWS Systems Manager.
6. F. Create a managed-instance activatio
7. G. Use the Activation Code and the Activation ID to register the EC2 instances.

Correct Answer: ABE
https://docs.aws.amazon.com/inspector/latest/user/scanning-ec2.html

To run an application, a DevOps engineer launches an Amazon EC2 instance with public IP addresses in a public subnet. A user data script obtains the application artifacts and installs them on the instances upon launch. A change to the security classification of the application now requires the instances to run with no access to the internet. While the instances launch successfully and show as healthy, the application does not seem to be installed.
Which of the following should successfully install the application while complying with the new rule?

1. A. Launch the instances in a public subnet with Elastic IP addresses attache
2. B. Once the application is installed and running, run a script to disassociate the Elastic IP addresses afterwards.
3. C. Set up a NAT gatewa
4. D. Deploy the EC2 instances to a private subne
5. E. Update the private subnet's routetable to use the NAT gateway as the default route.
6. F. Publish the application artifacts to an Amazon S3 bucket and create a VPC endpoint for S3. Assign an IAM instance profile to the EC2 instances so they can read the application artifacts from the S3 bucket.
7. G. Create a security group for the application instances and allow only outbound traffic to the artifact repositor
8. H. Remove the security group rule once the install is complete.

Correct Answer: C
EC2 instances running in private subnets of a VPC can now have controlled access to S3 buckets, objects, and API functions that are in the same region as the VPC. You can use an S3 bucket policy to indicate which VPCs and which VPC Endpoints have access to your S3 buckets 1- https://aws.amazon.com/pt/blogs/aws/new-vpc-endpoint-for-amazon-s3/

A company has an application that runs on a fleet of Amazon EC2 instances. The application requires frequent restarts. The application logs contain error messages when a restart is required. The application logs are published to a log group in Amazon CloudWatch Logs.
An Amazon CloudWatch alarm notifies an application engineer through an Amazon Simple Notification Service (Amazon SNS) topic when the logs contain a large number of restart-related error messages. The application engineer manually restarts the application on the instances after the application engineer receives a notification from the SNS topic.
A DevOps engineer needs to implement a solution to automate the application restart on the instances without restarting the instances.
Which solution will meet these requirements in the MOST operationally efficient manner?

1. A. Configure an AWS Systems Manager Automation runbook that runs a script to restart the application on the instance
2. B. Configure the SNS topic to invoke the runbook.
3. C. Create an AWS Lambda function that restarts the application on the instance
4. D. Configure the Lambda function as an event destination of the SNS topic.
5. E. Configure an AWS Systems Manager Automation runbook that runs a script to restart the application on the instance
6. F. Create an AWS Lambda function to invoke the runboo
7. G. Configure the Lambda function as an event destination of the SNS topic.
8. H. Configure an AWS Systems Manager Automation runbook that runs a script to restart the application on the instance
9. I. Configure an Amazon EventBridge rule that reacts when the CloudWatch alarm enters ALARM stat
10. J. Specify the runbook as a target of the rule.

Correct Answer: D
This solution meets the requirements in the most operationally efficient manner by automating the application restart process on the instances without restarting them. When the CloudWatch alarm enters the ALARM state, the EventBridge rule is triggered, which in turn invokes the Systems Manager Automation runbook that contains the script to restart the application on the instances.