Question 1

A company has an on-premises application that is written in Go. A DevOps engineer must move the application to AWS. The company's development team wants to enable blue/green deployments and perform A/B testing.

Which solution will meet these requirements?

Options :

A : Deploy the application on an Amazon EC2 instance, and create an AMI of the instance. Use the AMI to create an automatic scaling launch configuration that is used in an Auto Scaling group. Use Elastic Load Balancing to distribute traffic. When changes are made to the application, a new AMI will be created, which will initiate an EC2 instance refresh.

B : Use Amazon Lightsail to deploy the application. Store the application in a zipped format in an Amazon S3 bucket. Use this zipped version to deploy new versions of the application to Lightsail. Use Lightsail deployment options to manage the deployment.

C : Use AWS CodeArtifact to store the application code. Use AWS CodeDeploy to deploy the application to a fleet of Amazon EC2 instances. Use Elastic Load Balancing to distribute the traffic to the EC2 instances. When making changes to the application, upload a new version to CodeArtifact and create a new CodeDeploy deployment.

D : Use AWS Elastic Beanstalk to host the application. Store a zipped version of the application in Amazon S3. Use that location to deploy new versions of the application. Use Elastic Beanstalk to manage the deployment options

Answer: D

Question 2

A highly regulated company has a policy that DevOps engineers should not log in to their Amazon EC2 instances except in emergencies. If a DevOps engineer does log in, the security team must be notified within 15 minutes of the occurrence.

Which solution will meet these requirements?

Options :

A : Install the Amazon Inspector agent on each EC2 instance. Subscribe to Amazon EventBridge notifications. Invoke an AWS Lambda function to check if a message is about user logins. If it is, send a notification to the security team using Amazon SNS.

B : Install the Amazon CloudWatch agent on each EC2 instance. Configure the agent to push all logs to Amazon CloudWatch Logs and set up a CloudWatch metric filter that searches for user logins. If a login is found, send a notification to the security team using Amazon SNS.

C : Set up AWS CloudTrail with Amazon CloudWatch Logs. Subscribe CloudWatch Logs to Amazon Kinesis. Attach AWS Lambda to Kinesis to parse and determine if a log contains a user login. If it does, send a notification to the security team using Amazon SNS.

D : Set up a script on each Amazon EC2 instance to push all logs to Amazon S3. Set up an S3 event to invoke an AWS Lambda function, which invokes an Amazon Athena query to run. The Athena query checks for logins and sends the output to the security team using Amazon SNS.

Answer: B

Question 3

A company's security policies require the use of security hardened AMIS in production environments. A DevOps engineer has used EC2 Image Builder to create a pipeline that builds the AMIs on a recurring schedule. The DevOps engineer needs to update the launch templates of the companys Auto Scaling groups. The Auto Scaling groups must use the newest AMIS during the launch of Amazon EC2 instances. Which solution will meet these requirements with the MOST operational efficiency?

Options :

A : Configure an Amazon EventBridge rule to receive new AMI events from Image Builder. Target an AWS Systems Manager Run Command document that updates the launch templates of the Auto Scaling groups with the newest AMI ID.

B : Configure an Amazon EventBridge rule to receive new AMI events from Image Builder. Target an AWS Lambda function that updates the launch templates of the Auto Scaling groups with the newest AMI ID.

C : Configure the launch template to use a value from AWS Systems Manager Parameter Store for the AMI ID. Configure the Image Builder pipeline to update the Parameter Store value with the newest AMI ID.

D : Configure the Image Builder distribution settings to update the launch templates with the newest AMI ID. Configure the Auto Scaling groups to use the newest version of the launch template.

Answer: C

Question 4

A cloud-based payments company is heavily using Amazon EC2 instances to host their applications in AWS Cloud. They would like to improve the security of their cloud resources by ensuring that all of their EC2 instances were launched from pre-approved AMIs only. The list of AMIs is set and managed by their IT Security team. Their Software Development team has an automated CI/CD process that launches several EC2 instances with new and untested AMIs for testing. The development process must not be affected by the new solution, which will be implemented by their Lead DevOps Engineer.

Which of the following can the Engineer implement to satisfy the requirement with the LEAST impact on the development process? (Select TWO.)

Options :

A : Use AWS Config with a Lambda function that periodically evaluates whether there are EC2 instances launched based on non-approved AMIs. Set up a remediation action using AWS Systems Manager Automation that will automatically terminate the EC2 instance. Publish a message to an Amazon SNS topic to inform the IT Security and Development teams about the occurrence.

B : Do regular scans using Amazon Inspector via a custom assessment template that determines if the Amazon EC2 instance is based upon a pre-approved AMI or not. Terminate the instances and inform the IT Security team by email about the security breach.

C : Integrate AWS Lambda and CloudWatch Events to schedule a daily process that will search through the list of running Amazon EC2 instances within your VPC. Configure the function to determine if any of these are based on unauthorized AMIs. Publish a new message to an Amazon SNS topic to inform the Security and Development teams that the issue occurred and then automatically terminate the EC2 instance.

D : Set up IAM policies to restrict the ability of users to launch Amazon EC2 instances based on a specific set of pre-approved AMIs which were tagged by the IT Security team.

E : Set up a centralized IT Systems Operations team that has the required policies, roles, and permissions. The team will manually process the security approval steps to ensure that Amazon EC2 instances are launched from pre-approved AMIs only.

Answer: A,C

Question 5

A multinational corporation has multiple AWS accounts that are consolidated using AWS Organizations. For security purposes, a new system should be configured that automatically detects suspicious activities in any of its accounts, such as SSH brute force attacks or compromised EC2 instances that serve malware. All of the gathered information must be centrally stored in its dedicated security account for audit purposes, and the events should be stored in an S3 bucket.

As a DevOps Engineer, which solution should you implement in order to meet this requirement?

Options :

A : Automatically detect SSH brute force or malware attacks by enabling Amazon GuardDuty in the security account only. Set up the security account as the GuardDuty Administrator for every member account. Create a new CloudWatch rule in the security account. Configure the rule to send all findings to Amazon Kinesis Data Streams. Launch a custom shell script in Lambda function to read data from the Kinesis Data Streams and push them to the S3 bucket.

B : Automatically detect SSH brute force or malware attacks by enabling Amazon Macie in every account. Set up the security account as the Macie Administrator for every member account of the organization. Create an Amazon CloudWatch Events rule in the security account. Configure the rule to send all findings to Amazon Kinesis Data Firehose, which should push the findings to an Amazon S3 bucket.

C : Automatically detect SSH brute force or malware attacks by enabling Amazon Macie in the security account only. Configure the security account as the Macie Administrator for every member account. Set up a new CloudWatch Events rule in the security account. Configure the rule to send all findings to Amazon Kinesis Data Streams. Launch a custom shell script in Lambda function to read data from the Kinesis Data Streams and push them to the S3 bucket.

D : Automatically detect SSH brute force or malware attacks by enabling Amazon GuardDuty in every account. Configure the security account as the GuardDuty Administrator for every member of the organization. Set up a new CloudWatch rule in the security account. Configure the rule to send all findings to Amazon Kinesis Data Firehose, which will push the findings to the S3 bucket.

Answer: D

Free DOP-C02 Mock Exam – Practice Online Confidently

Buying Options: