DOP-C02 Free Practice Test

A DevOps engineer has developed an AWS Lambda function The Lambda function starts an AWS CloudFormation drift detection operation on all supported resources for a specific CloudFormation stack The Lambda function then exits Its invocation The DevOps engineer has created an Amazon EventBrdge scheduled rule that Invokes the Lambda function every hour. An Amazon Simple Notification Service (Amazon SNS) topic already exists In the AWS account. The DevOps engineer has subscribed to the SNS topic to receive notifications
The DevOps engineer needs to receive a notification as soon as possible when drift is detected in this specific stack configuration.
Which solution Will meet these requirements?

1. A. Configure the existing EventBridge rule to also target the SNS topic Configure an SNS subscription filter policy to match the Cloud Formation stac
2. B. Attach the subscription filter policy to the SNS tomc
3. C. Create a second Lambda function to query the CloudFormation API for the drift detection results for the stack Configure the second Lambda function to publish a message to the SNS topic If drift ts detected Adjust the existing EventBridge rule to also target the second Lambda function
4. D. Configure Amazon GuardDuty in the account with drift detection for all CloudFormation stack
5. E. Create a second EventBndge rule that reacts to the GuardDuty drift detection event finding for the specific CloudFormation stac
6. F. Configure the SNS topic as a target of the second EventBridge rule.
7. G. Configure AWS Config in the accoun
8. H. Use the cloudformation-stack-drift-detection- check managed rul
9. I. Create a second EventBndge rule that reacts to a compliance change event for the CloudFormaUon stac
10. J. Configure the SNS topc as a target of the second EventBridge rule.

Correct Answer: D
A comprehensive and detailed explanation is:
✑ Option A is incorrect because EventBridge rules cannot filter events based on the message body or attributes of the target service. Therefore, configuring an SNS subscription filter policy to match the CloudFormation stack will not work. The SNS topic will receive all events from the EventBridge rule, regardless of the stack name or drift status.
✑ Option B is incorrect because it introduces unnecessary complexity and cost.
Creating a second Lambda function to query the CloudFormation API for the drift detection results is redundant, since CloudFormation already publishes drift detection events to EventBridge. Moreover, invoking two Lambda functions every hour will incur more charges than invoking one.
✑ Option C is incorrect because GuardDuty does not provide drift detection for CloudFormation stacks. GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior in AWS accounts and workloads. It does not monitor or report on configuration changes or drifts in CloudFormation stacks.
✑ Option D is correct because it leverages AWS Config and its managed rule for drift detection. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It can detect configuration changes and drifts in CloudFormation stacks using the cloudformation-stack-drift-detection- check managed rule. This rule triggers an AWS Config event when a stack drifts from its expected template configuration. By creating a second EventBridge rule that reacts to this event for the specific stack, the DevOps engineer can configure the SNS topic as a target and receive a notification as soon as possible when drift is detected.
References:
✑ AWS Config
✑ Amazon SNS subscription filter policies
✑ Amazon EventBridge rules

A company is using an AWS CodeBuild project to build and package an application. The packages are copied to a shared Amazon S3 bucket before being deployed across multiple AWS accounts.
The buildspec.yml file contains the following:

The DevOps engineer has noticed that anybody with an AWS account is able to download the artifacts.
What steps should the DevOps engineer take to stop this?

1. A. Modify the post_build command to use --acl public-read and configure a bucket policy that grants read access to the relevant AWS accounts only.
2. B. Configure a default ACL for the S3 bucket that defines the set of authenticated users as the relevant AWS accounts only and grants read-only access.
3. C. Create an S3 bucket policy that grants read access to the relevant AWS accounts and denies read access to the principal “*”.
4. D. Modify the post_build command to remove --acl authenticated-read and configure a bucket policy that allows read access to the relevant AWS accounts only.

Correct Answer: D
When setting the flag authenticated-read in the command line, the owner gets FULL_CONTROL. The AuthenticatedUsers group (Anyone with an AWS account) gets READ access. Reference: https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html

A company deploys a web application on Amazon EC2 instances that are behind an
Application Load Balancer (ALB). The company stores the application code in an AWS CodeCommit repository. When code is merged to the main branch, an AWS Lambda function invokes an AWS CodeBuild project. The CodeBuild project packages the code, stores the packaged code in AWS CodeArtifact, and invokes AWS Systems Manager Run Command to deploy the packaged code to the EC2 instances.
Previous deployments have resulted in defects, EC2 instances that are not running the latest version of the packaged code, and inconsistencies between instances.
Which combination of actions should a DevOps engineer take to implement a more reliable deployment solution? (Select TWO.)

1. A. Create a pipeline in AWS CodePipeline that uses the CodeCommit repository as a source provide
2. B. Configure pipeline stages that run the CodeBuild project in parallel to build and test the applicatio
3. C. In the pipeline, pass the CodeBuild project output artifact to an AWS CodeDeploy action.
4. D. Create a pipeline in AWS CodePipeline that uses the CodeCommit repository as a source provide
5. E. Create separate pipeline stages that run a CodeBuild project to build and then test the applicatio
6. F. In the pipeline, pass the CodeBuild project output artifact to an AWS CodeDeploy action.
7. G. Create an AWS CodeDeploy application and a deployment group to deploy the packaged code to the EC2 instance
8. H. Configure the ALB for the deployment group.
9. I. Create individual Lambda functions that use AWS CodeDeploy instead of Systems Manager to run build, test, and deploy actions.
10. J. Create an Amazon S3 bucke
11. K. Modify the CodeBuild project to store the packages in the S3 bucket instead of in CodeArtifac
12. L. Use deploy actions in CodeDeploy to deploy the artifact to the EC2 instances.

Correct Answer: AC
To implement a more reliable deployment solution, a DevOps engineer should take the following actions:
✑ Create a pipeline in AWS CodePipeline that uses the CodeCommit repository as a source provider. Configure pipeline stages that run the CodeBuild project in parallel to build and test the application. In the pipeline, pass the CodeBuild project output artifact to an AWS CodeDeploy action. This action will improve the deployment reliability by automating the entire process from code commit to deployment, reducing human errors and inconsistencies. By running the build and test stages in parallel, the pipeline can also speed up the delivery time and provide faster feedback. By using CodeDeploy as the deployment action, the pipeline can leverage the features of CodeDeploy, such as traffic shifting, health checks, rollback, and deployment configuration123
✑ Create an AWS CodeDeploy application and a deployment group to deploy the packaged code to the EC2 instances. Configure the ALB for the deployment group. This action will improve the deployment reliability by using CodeDeploy to orchestrate the deployment across multiple EC2 instances behind an ALB. CodeDeploy can perform blue/green deployments or in-place deployments with traffic shifting, which can minimize downtime and reduce risks. CodeDeploy can also monitor the health of the instances during and after the deployment, and automatically roll back if any issues are detected. By configuring the ALB for the deployment group, CodeDeploy can register and deregister instances from the load balancer as needed, ensuring that only healthy instances receive traffic45
The other options are not correct because they do not improve the deployment reliability or follow best practices. Creating separate pipeline stages that run a CodeBuild project to build and then test the application is not a good option because it will increase the pipeline execution time and delay the feedback loop. Creating individual Lambda functions that use CodeDeploy instead of Systems Manager to run build, test, and deploy actions is not a valid option because it will add unnecessary complexity and cost to the solution. Lambda functions are not designed for long-running tasks such as building or deploying applications. Creating an Amazon S3 bucket and modifying the CodeBuild project to store the packages in the S3 bucket instead of in CodeArtifact is not a necessary option because it will not affect the deployment reliability. CodeArtifact is a secure, scalable, and cost- effective package management service that can store and share software packages for application development67
References:
✑ 1: What is AWS CodePipeline? - AWS CodePipeline
✑ 2: Create a pipeline in AWS CodePipeline - AWS CodePipeline
✑ 3: Deploy an application with AWS CodeDeploy - AWS CodePipeline
✑ 4: What is AWS CodeDeploy? - AWS CodeDeploy
✑ 5: Configure an Application Load Balancer for your blue/green deployments - AWS CodeDeploy
✑ 6: What is AWS Lambda? - AWS Lambda
✑ 7: What is AWS CodeArtifact? - AWS CodeArtifact

A company has its AWS accounts in an organization in AWS Organizations. AWS Config is manually configured in each AWS account. The company needs to implement a solution to centrally configure AWS Config for all accounts in the organization The solution also must record resource changes to a central account.
Which combination of actions should a DevOps engineer perform to meet these requirements? (Choose two.)

1. A. Configure a delegated administrator account for AWS Confi
2. B. Enable trusted access for AWS Config in the organization.
3. C. Configure a delegated administrator account for AWS Confi
4. D. Create a service-linked role for AWS Config in the organization’s management account.
5. E. Create an AWS CloudFormation template to create an AWS Config aggregato
6. F. Configure a CloudFormation stack set to deploy the template to all accounts in the organization.
7. G. Create an AWS Config organization aggregator in the organization's management accoun
8. H. Configure data collection from all AWS accounts in the organization and from all AWS Regions.
9. I. Create an AWS Config organization aggregator in the delegated administrator accoun
10. J. Configure data collection from all AWS accounts in the organization and from all AWS Regions.

Correct Answer: AE
https://aws.amazon.com/blogs/mt/org-aggregator-delegated-admin/ https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate- config.html

A company has an application that is using a MySQL-compatible Amazon Aurora Multi-AZ DB cluster as the database. A cross-Region read replica has been created for disaster recovery purposes. A DevOps engineer wants to automate the promotion of the replica so it becomes the primary database instance in the event of a failure.
Which solution will accomplish this?

1. A. Configure a latency-based Amazon Route 53 CNAME with health checks so it points to both the primary and replica endpoint
2. B. Subscribe an Amazon SNS topic to Amazon RDS failure notifications from AWS CloudTrail and use that topic to invoke an AWS Lambda function that will promote the replica instance as the primary.
3. C. Create an Aurora custom endpoint to point to the primary database instanc
4. D. Configure the application to use this endpoin
5. E. Configure AWS CloudTrail to run an AWS Lambda function to promote the replica instance and modify the custom endpoint to point to the newly promoted instance.
6. F. Create an AWS Lambda function to modify the application's AWS CloudFormation template to promote the replica, apply the template to update the stack, and point the application to the newly promoted instanc
7. G. Create an Amazon CloudWatch alarm to invoke this Lambda function after the failure event occurs.
8. H. Store the Aurora endpoint in AWS Systems Manager Parameter Stor
9. I. Create an Amazon EventBridge event that detects the database failure and runs an AWS Lambda function to promote the replica instance and update the endpoint URL stored in AWS Systems Manager Parameter Stor
10. J. Code the application to reload the endpoint from Parameter Store if a database connection fails.

Correct Answer: D
EventBridge is needed to detect the database failure. Lambda is needed to promote the replica as it's in another Region (manual promotion, otherwise). Storing and updating the endpoint in Parameter store is important in updating the application. Look at High Availability section of Aurora FAQ: https://aws.amazon.com/rds/aurora/faqs/