Question 1

A highly regulated company has a policy that DevOps engineers should not log in to their Amazon EC2 instances except in emergencies. If a DevOps engineer does log in, the security team must be notified within 15 minutes of the occurrence.

Which solution will meet these requirements?

Options :

A : Install the Amazon Inspector agent on each EC2 instance. Subscribe to Amazon EventBridge notifications. Invoke an AWS Lambda function to check if a message is about user logins. If it is, send a notification to the security team using Amazon SNS.

B : Install the Amazon CloudWatch agent on each EC2 instance. Configure the agent to push all logs to Amazon CloudWatch Logs and set up a CloudWatch metric filter that searches for user logins. If a login is found, send a notification to the security team using Amazon SNS.

C : Set up AWS CloudTrail with Amazon CloudWatch Logs. Subscribe CloudWatch Logs to Amazon Kinesis. Attach AWS Lambda to Kinesis to parse and determine if a log contains a user login. If it does, send a notification to the security team using Amazon SNS.

D : Set up a script on each Amazon EC2 instance to push all logs to Amazon S3. Set up an S3 event to invoke an AWS Lambda function, which invokes an Amazon Athena query to run. The Athena query checks for logins and sends the output to the security team using Amazon SNS.

Answer: B

Question 2

company has an AWS Control Tower landing zone. The company's DevOps team creates a workload OU. A development OU and a production OU are nested under the workload OU. The company grants users full access to the company's AWS accounts to deploy applications.

The DevOps team needs to allow only a specific management IAM role to manage the IAM roles and policies of any AWS accounts in only the production OU.

Which combination of steps will meet these requirements? (Choose two.)

Options :

A : Create an SCP that denies full access with a condition to exclude the management IAM role for the organization root.

B : Ensure that the FullAWSAccess SCP is applied at the organization root.

C : Create an SCP that allows IAM related actions. Attach the SCP to the development OU.

D : Create an SCP that denies IAM related actions with a condition to exclude the management IAM role. Attach the SCP to the workload OU.

E : Create an SCP that denies IAM related actions with a condition to exclude the management IAM role. Attach the SCP to the production OU.

Answer: B,E

Question 3

A company uses AWS CodeCommit for source code control. Developers apply their changes to various feature branches and create pull requests to move those changes to the main branch when the changes are ready for production.

The developers should not be able to push changes directly to the main branch. The company applied the AWSCodeCommitPowerUser managed policy to the developers’ IAM role, and now these developers can push changes to the main branch directly on every repository in the AWS account.

What should the company do to restrict the developers’ ability to push changes to the main branch directly?

Options :

A : Create an additional policy to include a Deny rule for the GitPush and PutFile actions. Include a restriction for the specific repositories in the policy statement with a condition that references the main branch.

B : Remove the IAM policy, and add an AWSCodeCommitReadOnly managed policy. Add an Allow rule for the GitPush and PutFile actions for the specific repositories in the policy statement with a condition that references the main branch.

C : Modify the IAM policy. Include a Deny rule for the GitPush and PutFile actions for the specific repositories in the policy statement with a condition that references the main branch.

D : Create an additional policy to include an Allow rule for the GitPush and PutFile actions. Include a restriction for the specific repositories in the policy statement with a condition that references the feature branches.

Answer: A

Question 4

A DevOps engineer is working on a project that is hosted on Amazon Linux and has failed a security review. The DevOps manager has been asked to review the company buildspec.yaml file for an AWS CodeBuild project and provide recommendations. The buildspec.yaml file is configured as follows:

What changes should be recommended to comply with AWS security best practices? (Choose three.)

Options :

A : Add a post-build command to remove the temporary files from the container before termination to ensure they cannot be seen by other CodeBuild users.

B : Update the CodeBuild project role with the necessary permissions and then remove the AWS credentials from the environment variable.

C : Store the DB_PASSWORD as a SecureString value in AWS Systems Manager Parameter Store and then remove the DB_PASSWORD from the environment variables.

D : Move the environment variables to the ‘db-deploy-bucket’ Amazon S3 bucket, add a prebuild stage to download, then export the variables.

E : Use AWS Systems Manager run command versus sec and ssh commands directly to the instance.

F : Scramble the environment variables using XOR followed by Base64, add a section to install, and then run XOR and Base64 to the build phase.

Answer: B,D,E

Question 5

You are developing a mobile news homepage that curates several news sources to a single page. The app is mainly composed of several Lambda functions configured as a deployment group on AWS CodeDeploy. For each new app version, you need to test all APIs before fully deploying it to production. The APIs are using a set of AWS Lambda validation scripts. You want the ability to check the APIs during deployments and be notified for any API errors as well as automatic rollback if the validation fails.

Which combination of the options below can help you implement a solution for this scenario? (Select THREE)

Options :

A : Define your Lambda validation scripts on the AppSpec lifecycle hook during deployment to run the validation using test traffic and trigger a rollback if checks fail.

B : Have Lambda send results to AWS CloudWatch Alarms directly and trigger a rollback when 5xx reply errors are received during deployment.

C : Add a step on AWS CodeDeploy to trigger your Lambda validation scripts after deployment and invoke them after deployment to validate your new app version.

D : Configure your Lambda validation scripts to run during deployment and configure a CloudWatch Alarm that will trigger a rollback when the function validation fails.

E : Have CodeDeploy run the AWS Lambda validations after the deployment so you can test with production traffic. When errors are found, have another trigger to rollback the deployment.

F : Associate an AWS CloudWatch Alarm to your deployment group that can send a notification to an AWS SNS topic when threshold for 5xx is reached on CloudWatch.

Answer: A,D

Free DOP-C02 Mock Exam – Practice Online Confidently

Buying Options: