DOP-C02 Free Practice Test

A company manages a web application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The EC2 instances run in an Auto Scaling group across multiple Availability Zones. The application uses an Amazon RDS for MySQL DB instance to store the data. The company has configured Amazon Route 53 with an alias record that points to the ALB.
A new company guideline requires a geographically isolated disaster recovery (DR> site with an RTO of 4 hours and an RPO of 15 minutes.
Which DR strategy will meet these requirements with the LEAST change to the application stack?

1. A. Launch a replica environment of everything except Amazon RDS in a different Availability Zone Create an RDS read replica in the new Availability Zone: and configure the new stack to point to the local RDS DB instanc
2. B. Add the new stack to the Route 53 record set by using a hearth check to configure a failover routing policy.
3. C. Launch a replica environment of everything except Amazon RDS in a different AW
4. D. Region Create an RDS read replica in the new Region and configure the new stack to point to the local RDS DB instanc
5. E. Add the new stack to the Route 53 record set by using a health check to configure a latency routing policy.
6. F. Launch a replica environment of everything except Amazon RDS ma different AWS Regio
7. G. In the event of an outage copy and restore the latest RDS snapshot from the primar
8. H. Region to the DR Region Adjust the Route 53 record set to point to the ALB in the DR Region.
9. I. Launch a replica environment of everything except Amazon RDS in a different AWS Regio
10. J. Create an RDS read replica in the new Region and configure the new environment to point to the local RDS DB instanc
11. K. Add the new stack to the Route 53 record set by using a health check to configure a failover routing polic
12. L. In the event of an outage promote the read replica to primary.

Correct Answer: D

A developer is maintaining a fleet of 50 Amazon EC2 Linux servers. The servers are part of an Amazon EC2 Auto Scaling group, and also use Elastic Load Balancing for load balancing.
Occasionally, some application servers are being terminated after failing ELB HTTP health checks. The developer would like to perform a root cause analysis on the issue, but before being able to access application logs, the server is terminated.
How can log collection be automated?

1. A. Use Auto Scaling lifecycle hooks to put instances in a Pending:Wait stat
2. B. Create an Amazon CloudWatch alarm for EC2 Instance Terminate Successful and trigger an AWS Lambda function that invokes an SSM Run Command script to collect logs, push them to Amazon S3, and complete the lifecycle action once logs are collected.
3. C. Use Auto Scaling lifecycle hooks to put instances in a Terminating:Wait stat
4. D. Create an AWS Config rule for EC2 Instance-terminate Lifecycle Action and trigger a step function that invokes a script to collect logs, push them to Amazon S3, and complete the lifecycle action once logs are collected.
5. E. Use Auto Scaling lifecycle hooks to put instances in a Terminating:Wait stat
6. F. Create an Amazon CloudWatch subscription filter for EC2 Instance Terminate Successful and trigger a CloudWatch agent that invokes a script to collect logs, push them to Amazon S3, and complete the lifecycle action once logs are collected.
7. G. Use Auto Scaling lifecycle hooks to put instances in a Terminating:Wait stat
8. H. Create an Amazon EventBridge rule for EC2 Instance-terminate Lifecycle Action and trigger an AWS Lambda function that invokes an SSM Run Command script to collect logs, push them to Amazon S3, and complete the lifecycle action once logs are collected.

Correct Answer: D
https://blog.fourninecloud.com/auto-scaling-lifecycle-hooks-to-export-server-logs-when-instance-terminating-58

An online retail company based in the United States plans to expand its operations to Europe and Asia in the next six months. Its product currently runs on Amazon EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group across multiple Availability Zones. All data is stored in an Amazon Aurora database instance.
When the product is deployed in multiple regions, the company wants a single product catalog across all regions, but for compliance purposes, its customer information and purchases must be kept in each region.
How should the company meet these requirements with the LEAST amount of application changes?

1. A. Use Amazon Redshift for the product catalog and Amazon DynamoDB tables for the customer information and purchases.
2. B. Use Amazon DynamoDB global tables for the product catalog and regional tables for the customer information and purchases.
3. C. Use Aurora with read replicas for the product catalog and additional local Aurora instances in each region for the customer information and purchases.
4. D. Use Aurora for the product catalog and Amazon DynamoDB global tables for the customer information and purchases.

Correct Answer: C

An Amazon EC2 instance is running in a VPC and needs to download an object from a restricted Amazon S3 bucket. When the DevOps engineer tries to download the object, an AccessDenied error is received,
What are the possible causes tor this error? (Select TWO,)

1. A. The 53 bucket default encryption is enabled.
2. B. There is an error in the S3 bucket policy.
3. C. The object has been moved to S3 Glacier.
4. D. There is an error in the IAM role configuration.
5. E. S3 Versioning is enabled.

Correct Answer: BD
These are the possible causes for the AccessDenied error because they affect the permissions to access the S3 object from the EC2 instance. An S3 bucket policy is a resource-based policy that defines who can access the bucket and its objects, and what actions they can perform. An IAM role is an identity that can be assumed by an EC2 instance to grant it permissions to access AWS services and resources. If there is an error in the S3 bucket policy or the IAM role configuration, such as a missing or incorrect statement, condition, or principal, then the EC2 instance may not have the necessary permissions to download the object from the S3 bucket .
https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

A global company manages multiple AWS accounts by using AWS Control Tower. The company hosts internal applications and public applications.
Each application team in the company has its own AWS account for application hosting. The accounts are consolidated in an organization in AWS Organizations. One of the AWS Control Tower member accounts serves as a centralized DevOps account with CI/CD pipelines that application teams use to deploy applications to their respective target AWS accounts. An 1AM role for deployment exists in the centralized DevOps account.
An application team is attempting to deploy its application to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster in an application AWS account. An 1AM role for deployment exists in the application AWS account. The deployment is through an AWS CodeBuild project that is set up in the centralized DevOps account. The CodeBuild project uses an 1AM service role for CodeBuild. The deployment is failing with an Unauthorized error during attempts to connect to the cross-account EKS cluster from CodeBuild.
Which solution will resolve this error?

1. A. Configure the application account's deployment 1AM role to have a trust relationship with the centralized DevOps accoun
2. B. Configure the trust relationship to allow the sts:AssumeRole actio
3. C. Configure the application account's deployment 1AM role to have the required access to the EKS cluste
4. D. Configure the EKS cluster aws-auth ConfigMap to map the role to the appropriate system permissions.
5. E. Configure the centralized DevOps account's deployment I AM role to have a trust relationship with the application accoun
6. F. Configure the trust relationship to allow the sts:AssumeRole actio
7. G. Configure the centralized DevOps account's deployment 1AM role to allow the required access to CodeBuild.
8. H. Configure the centralized DevOps account's deployment 1AM role to have a trust relationship with the application accoun
9. I. Configure the trust relationship to allow the sts:AssumeRoleWithSAML actio
10. J. Configure the centralized DevOps account's deployment 1AM role to allow the required access to CodeBuild.
11. K. Configure the application account's deployment 1AM role to have a trust relationship with the AWS Control Tower management accoun
12. L. Configure the trust relationship to allow the sts:AssumeRole actio
13. M. Configure the application account's deployment 1AM role to have the required access to the EKS cluste
14. N. Configure the EKS cluster aws-auth ConfigMap to map the role to the appropriate system permissions.

Correct Answer: A
In the source AWS account, the IAM role used by the CI/CD pipeline should have permissions to access the source code repository, build artifacts, and any other resources required for the build process. In the destination AWS accounts, the IAM role used for deployment should have permissions to access the AWS resources required for deploying the application, such as EC2 instances, RDS databases, S3 buckets, etc. The exact permissions required will depend on the specific resources being used by the application. the IAM role used for deployment in the destination accounts should also have permissions to assume the IAM role for deployment in the centralized DevOps account. This is typically done using an IAM role trust policy that allows the destination account to assume the DevOps account role.