AWS Certified DevOps Engineer - Professional DOP-C02
An ecommerce company has chosen AWS to host its new platform. The company's DevOps team has started building an AWS Control Tower
landing zone. The DevOps team has set the identity store within AWS IAM Identity Center (AWS Single Sign-On) to external identity provider (IdP)
and has configured SAML 2.0.
The DevOps team wants a robust permission model that applies the principle of least privilege. The model must allow the team to build and
manage only the team's own resources.
Which combination of steps will meet these requirements? (Choose three.)
Create IAM policies that include the required permissions. Include the aws:PrincipalTag condition key.
Create permission sets. Attach an inline policy that includes the required permissions and uses the aws:PrincipalTag condition key to
scope the permissions. Most Voted
Create a group in the IdP. Place users in the group. Assign the group to accounts and the permission sets in IAM Identity Center. Most Voted
Create a group in the IdP. Place users in the group. Assign the group to OUs and IAM policies.
Enable attributes for access control in IAM Identity Center. Apply tags to users. Map the tags as key-value pairs.
Enable attributes for access control in IAM Identity Center. Map attributes from the IdP as key-value pairs. Most Voted
An ecommerce company is receiving reports that its order history page is experiencing delays in reflecting the processing status of orders. The
order processing system consists of an AWS Lambda function that uses reserved concurrency. The Lambda function processes order messages
from an Amazon Simple Queue Service (Amazon SQS) queue and inserts processed orders into an Amazon DynamoDB table. The DynamoDB table
has auto scaling enabled for read and write capacity.
Which actions should a DevOps engineer take to resolve this delay? (Choose two.)
Check the ApproximateAgeOfOldestMessage metric for the SQS queue. Increase the Lambda function concurrency limit. Most Voted
Check the ApproximateAgeOfOldestMessage metnc for the SQS queue Configure a redrive policy on the SQS queue.
Check the NumberOfMessagesSent metric for the SQS queue. Increase the SQS queue visibility timeout.
Check the WriteThrottleEvents metric for the DynamoDB table. Increase the maximum write capacity units (WCUs) for the table's scaling
policy. Most Voted
Check the Throttles metric for the Lambda function. Increase the Lambda function timeout.
A company has a single AWS account that runs hundreds of Amazon EC2 instances in a single AWS Region. New EC2 instances are launched and
terminated each hour in the account. The account also includes existing EC2 instances that have been running for longer than a week.
The company's security policy requires all running EC2 instances to use an EC2 instance profile. If an EC2 instance does not have an instance
profile attached, the EC2 instance must use a default instance profile that has no IAM permissions assigned.
A DevOps engineer reviews the account and discovers EC2 instances that are running without an instance profile. During the review, the DevOps
engineer also observes that new EC2 instances are being launched without an instance profile.
Which solution will ensure that an instance profile is attached to all existing and future EC2 instances in the Region?
Configure an Amazon EventBridge rule that reacts to EC2 RunInstances API calls. Configure the rule to invoke an AWS Lambda function to
attach the default instance profile to the EC2 instances.
Configure the ec2-instance-profile-attached AWS Config managed rule with a trigger type of configuration changes. Configure an automatic
remediation action that invokes an AWS Systems Manager Automation runbook to attach the default instance profile to the EC2 instances.
Configure an Amazon EventBridge rule that reacts to EC2 StartInstances API calls. Configure the rule to invoke an AWS Systems Manager
Automation runbook to attach the default instance profile to the EC2 instances
Configure the iam-role-managed-policy-check AWS Config managed rule with a trigger type of configuration changes. Configure an
automatic remediation action that invokes an AWS Lambda function to attach the default instance profile to the EC2 instances.
A DevOps engineer is building a continuous deployment pipeline for a serverless application that uses AWS Lambda functions. The company
wants to reduce the customer impact of an unsuccessful deployment. The company also wants to monitor for issues.
Which deploy stage configuration will meet these requirements?
Use an AWS Serverless Application Model (AWS SAM) template to define the serverless application. Use AWS CodeDeploy to deploy the
Lambda functions with the Canary10Percent15Minutes Deployment Preference Type. Use Amazon CloudWatch alarms to monitor the health
of the functions. Most Voted
Use AWS CloudFormation to publish a new stack update, and include Amazon CloudWatch alarms on all resources. Set up an AWS
CodePipeline approval action for a developer to verify and approve the AWS CloudFormation change set.
Use AWS CloudFormation to publish a new version on every stack update, and include Amazon CloudWatch alarms on all resources. Use
the RoutingConfig property of the AWS::Lambda::Alias resource to update the traffic routing during the stack update.
Use AWS CodeBuild to add sample event payloads for testing to the Lambda functions. Publish a new version of the functions, and include
Amazon CloudWatch alarms. Update the production alias to point to the new version. Configure rollbacks to occur when an alarm is in the
ALARM state.
To run an application, a DevOps engineer launches an Amazon EC2 instance with public IP addresses in a public subnet. A user data script
obtains the application artifacts and installs them on the instances upon launch. A change to the security classification of the application now
requires the instances to run with no access to the internet. While the instances launch successfully and show as healthy, the application does not
seem to be installed.
Which of the following should successfully install the application while complying with the new rule?
Launch the instances in a public subnet with Elastic IP addresses attached. Once the application is installed and running, run a script to
disassociate the Elastic IP addresses afterwards.
Set up a NAT gateway. Deploy the EC2 instances to a private subnet. Update the private subnet's route table to use the NAT gateway as the
default route.
Publish the application artifacts to an Amazon S3 bucket and create a VPC endpoint for S3. Assign an IAM instance profile to the EC2
instances so they can read the application artifacts from the S3 bucket. Most Voted
Create a security group for the application instances and allow only outbound traffic to the artifact repository. Remove the security group
rule once the install is complete.
Unlock All Questions
You are viewing the free preview. Purchase a plan to access all questions, answers, and detailed explanations.
