DOP-C02 Free Practice Test

A company is using an AWS CodeBuild project to build and package an application. The packages are copied to a shared Amazon S3 bucket before being deployed across multiple AWS accounts.
The buildspec.yml file contains the following:

The DevOps engineer has noticed that anybody with an AWS account is able to download the artifacts. What steps should the DevOps engineer take to stop this?

1. A. Modify the post_build command to use --acl public-read and configure a bucket policy that grants read access to the relevant AWS accounts only.
2. B. Configure a default ACL for the S3 bucket that defines the set of authenticated users as the relevant AWS accounts only and grants read-only access.
3. C. Create an S3 bucket policy that grants read access to the relevant AWS accounts and denies read access to the principal “*”.
4. D. Modify the post_build command to remove --acl authenticated-read and configure a bucket policy that allows read access to the relevant AWS accounts only.

Correct Answer: D
When setting the flag authenticated-read in the command line, the owner gets FULL_CONTROL. The AuthenticatedUsers group (Anyone with an AWS account) gets READ access. Reference: https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html

A company has an application that is using a MySQL-compatible Amazon Aurora Multi-AZ DB cluster as the database. A cross-Region read replica has been created for disaster recovery purposes. A DevOps engineer wants to automate the promotion of the replica so it becomes the primary database instance in the event of a failure.
Which solution will accomplish this?

1. A. Configure a latency-based Amazon Route 53 CNAME with health checks so it points to both the primary and replica endpoint
2. B. Subscribe an Amazon SNS topic to Amazon RDS failure notifications from AWS CloudTrail and use that topic to invoke an AWS Lambda function that will promote the replica instance as the primary.
3. C. Create an Aurora custom endpoint to point to the primary database instanc
4. D. Configure the application to use this endpoin
5. E. Configure AWS CloudTrail to run an AWS Lambda function to promote the replica instance and modify the custom endpoint to point to the newly promoted instance.
6. F. Create an AWS Lambda function to modify the application's AWS CloudFormation template to promote the replica, apply the template to update the stack, and point the application to the newly promoted instanc
7. G. Create an Amazon CloudWatch alarm to invoke this Lambda function after the failure event occurs.
8. H. Store the Aurora endpoint in AWS Systems Manager Parameter Stor
9. I. Create an Amazon EventBridge event that detects the database failure and runs an AWS Lambda function to promote the replicainstance and update the endpoint URL stored in AWS Systems Manager Parameter Stor
10. J. Code the application to reload the endpoint from Parameter Store if a database connection fails.

Correct Answer: D
EventBridge is needed to detect the database failure. Lambda is needed to promote the replica as it's in another Region (manual promotion, otherwise). Storing and updating the endpoint in Parameter store is important in updating the application. Look at High Availability section of Aurora FAQ: https://aws.amazon.com/rds/aurora/faqs/

A company uses AWS Storage Gateway in file gateway mode in front of an Amazon S3 bucket that is used by multiple resources. In the morning when business begins, users do not see the objects processed by a third party the previous evening. When a DevOps engineer looks directly at the S3 bucket, the data is there, but it is missing in Storage Gateway.
Which solution ensures that all the updated third-party files are available in the morning?

1. A. Configure a nightly Amazon EventBridge event to invoke an AWS Lambda function to run the RefreshCache command for Storage Gateway.
2. B. Instruct the third party to put data into the S3 bucket using AWS Transfer for SFTP.
3. C. Modify Storage Gateway to run in volume gateway mode.
4. D. Use S3 Same-Region Replication to replicate any changes made directly in the S3 bucket to Storage Gateway.

Correct Answer: A
https://docs.aws.amazon.com/storagegateway/latest/APIReference/API_RefreshCache.html " It only updates the cached inventory to reflect changes in the inventory of the objects in the S3 bucket. This operation is only supported in the S3 File Gateway types."

A company has a single AWS account that runs hundreds of Amazon EC2 instances in a single AWS Region. New EC2 instances are launched and terminated each hour in the account. The account also includes existing EC2 instances that have been running for longer than a week.
The company's security policy requires all running EC2 instances to use an EC2 instance profile. If an EC2 instance does not have an instance profile attached, the EC2 instance must use a default instance profile that has no IAM permissions assigned.
A DevOps engineer reviews the account and discovers EC2 instances that are running without an instance
profile. During the review, the DevOps engineer also observes that new EC2 instances are being launched without an instance profile.
Which solution will ensure that an instance profile is attached to all existing and future EC2 instances in the Region?

1. A. Configure an Amazon EventBridge rule that reacts to EC2 RunInstances API call
2. B. Configure the rule to invoke an AWS Lambda function to attach the default instance profile to the EC2 instances.
3. C. Configure the ec2-instance-profile-attached AWS Config managed rule with a trigger type of configuration change
4. D. Configure an automatic remediation action that invokes an AWS Systems Manager Automation runbook to attach the default instance profile to the EC2 instances.
5. E. Configure an Amazon EventBridge rule that reacts to EC2 StartInstances API call
6. F. Configure the rule to invoke an AWS Systems Manager Automation runbook to attach the default instance profile to the EC2 instances.
7. G. Configure the iam-role-managed-policy-check AWS Config managed rule with a trigger type of configuration change
8. H. Configure an automatic remediation action that invokes an AWS Lambda function to attach the default instance profile to the EC2 instances.

Correct Answer: B
https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-profile-attached.html

An application running on a set of Amazon EC2 instances in an Auto Scaling group requires a configuration file to operate. The instances are created and maintained with AWS CloudFormation. A DevOps engineer wants the instances to have the latest configuration file when launched and wants changes to the configuration file to be reflected on all the instances with a minimal delay when the CloudFormation template is updated. Company policy requires that application configuration files be maintained along with AWS infrastructure configuration files m source control.
Which solution will accomplish this?

1. A. In the CloudFormaiion template add an AWS Config rul
2. B. Place the configuration file content in the rule's InputParameters property and set the Scope property to the EC2 Auto Scaling grou
3. C. Add an AWS Systems Manager Resource Data Sync resource to the template to poll for updates to the configuration.
4. D. In the CloudFormation template add an EC2 launch template resourc
5. E. Place the configuration file content in the launch templat
6. F. Configure the cfn-mit script to run when the instance is launched and configure the cfn-hup script to poll for updates to the configuration.
7. G. In the CloudFormation template add an EC2 launch template resourc
8. H. Place the configuration file content in the launch templat
9. I. Add an AWS Systems Manager Resource Data Sync resource to the template to poll for updates to the configuration.
10. J. In the CloudFormation template add CloudFormation imt metadat
11. K. Place the configuration file content m the metadat
12. L. Configure the cfn-init script to run when the instance is launched and configure thecfn-hup script to poll for updates to the configuration.

Correct Answer: D
Use the AWS::CloudFormation::Init type to include metadata on an Amazon EC2 instance for the cfn-init helper script. If your template calls the cfn-init script, the script looks for resource metadata rooted in the AWS::CloudFormation::Init metadata key. Reference: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-init.html