DOP-C02 Free Practice Test

A company uses AWS Secrets Manager to store a set of sensitive API keys that an AWS Lambda function uses. When the Lambda function is invoked, the Lambda function retrieves the API keys and makes an API call to an external service. The Secrets Manager secret is encrypted with the default AWS Key Management Service (AWS KMS) key.
A DevOps engineer needs to update the infrastructure to ensure that only the Lambda function's execution role can access the values in Secrets Manager. The solution must apply the principle of least privilege.
Which combination of steps will meet these requirements? (Select TWO.)

1. A. Update the default KMS key for Secrets Manager to allow only the Lambda function's execution role to decrypt.
2. B. Create a KMS customer managed key that trusts Secrets Manager and allows the Lambda function's execution role to decryp
3. C. Update Secrets Manager to use the new customer managed key.
4. D. Create a KMS customer managed key that trusts Secrets Manager and allows the account's :root principal to decryp
5. E. Update Secrets Manager to use the new customer managed key.
6. F. Ensure that the Lambda function's execution role has the KMS permissions scoped on the resource level.Configure the permissions so that the KMS key can encrypt the Secrets Manager secret.
7. G. Remove all KMS permissions from the Lambda function's execution role.

Correct Answer: AD

A company’s security team requires that all external Application Load Balancers (ALBs) and Amazon API Gateway APIs are associated with AWS WAF web ACLs. The company has hundreds of AWS accounts, all of which are included in a single organization in AWS Organizations. The company has configured AWS Config for the organization. During an audit, the company finds some externally facing ALBs that are not associated with AWS WAF web ACLs.
Which combination of steps should a DevOps engineer take to prevent future violations? (Choose two.)

1. A. Delegate AWS Firewall Manager to a security account.
2. B. Delegate Amazon GuardDuty to a security account.
3. C. Create an AWS Firewall Manager policy to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.
4. D. Create an Amazon GuardDuty policy to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.
5. E. Configure an AWS Config managed rule to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.

Correct Answer: AC
If instead you want to automatically apply the policy to existing in-scope resources, choose Auto remediate any noncompliant resources. This option creates a web ACL in each applicable account within the AWS organization and associates the web ACL with the resources in the accounts. When you choose Auto remediate any noncompliant resources, you can also choose to remove existing web ACL associations from in-scope resources, for the web ACLs that aren't managed by another active Firewall Manager policy. If you choose this option, Firewall Manager first associates the policy's web ACL with the resources, and then removes the prior associations. If a resource has an association with another web ACL that's managed by a different active Firewall Manager policy, this choice doesn't affect that association.

A DevOps engineer is deploying a new version of a company's application in an AWS CodeDeploy deployment group associated with its Amazon EC2 instances. After some time, the deployment fails. The engineer realizes that all the events associated with the specific deployment ID are in a Skipped status and code was not deployed in the instances associated with the deployment group.
What are valid reasons for this failure? (Select TWO.).

1. A. The networking configuration does not allow the EC2 instances to reach the internet via a NAT gateway or internet gateway and the CodeDeploy endpoint cannot be reached.
2. B. The IAM user who triggered the application deployment does not have permission to interact with the CodeDeploy endpoint.
3. C. The target EC2 instances were not properly registered with the CodeDeploy endpoint.
4. D. An instance profile with proper permissions was not attached to the target EC2 instances.
5. E. The appspe
6. F. yml file was not included in the application revision.

Correct Answer: AD
https://docs.aws.amazon.com/codedeploy/latest/userguide/troubleshooting-deployments.html#troubleshooting-s

A company manages multiple AWS accounts in AWS Organizations. The company's security policy states that AWS account root user credentials for member accounts must not be used. The company monitors access to the root user credentials.
A recent alert shows that the root user in a member account launched an Amazon EC2 instance. A DevOps engineer must create an SCP at the organization's root level that will prevent the root user in member accounts from making any AWS service API calls.
Which SCP will meet these requirements?
A)

B)

C)

D)

1. A. Option A
2. B. Option B
3. C. Option C
4. D. Option D

Correct Answer: D

A company wants to set up a continuous delivery pipeline. The company stores application code in a private GitHub repository. The company needs to deploy the application components to Amazon Elastic Container Service (Amazon ECS). Amazon EC2, and AWS Lambda. The pipeline must support manual approval actions.
Which solution will meet these requirements?

1. A. Use AWS CodePipeline with Amazon EC
2. B. Amazon EC2, and Lambda as deploy providers.
3. C. Use AWS CodePipeline with AWS CodeDeploy as the deploy provider.
4. D. Use AWS CodePipeline with AWS Elastic Beanstalk as the deploy provider.
5. E. Use AWS CodeDeploy with GitHub integration to deploy the application.

Correct Answer: B
https://docs.aws.amazon.com/codedeploy/latest/userguide/deployment-steps.html