AWS Certified DevOps Engineer Professional (DOP-C02)

Disclaimers:
  • ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon and Azure.
  • Trademarks, certification & product names are used for reference only and belong to Amazon and Azure.

Topic 1 - Exam A

Question #26 Topic 1

A DevOps engineer is creating an AWS CloudFormation template to deploy a web service. The web service will run on Amazon EC2 instances in a private subnet behind an Application Load Balancer (ALB). The DevOps engineer must ensure that the service can accept requests from clients that have IPv6 addresses. What should the DevOps engineer do with the CloudFormation template so that IPv6 clients can access the web service?

  • A Add an IPv6 CIDR block to the VPC and the private subnet for the EC2 instances. Create route table entries for the IPv6 network, use EC2 instance types that support IPv6, and assign IPv6 addresses to each EC2 instance.
  • B Assign each EC2 instance an IPv6 Elastic IP address. Create a target group, and add the EC2 instances as targets. Create a listener on port 443 of the ALB, and associate the target group with the ALB.
  • C Replace the ALB with a Network Load Balancer (NLB). Add an IPv6 CIDR block to the VPC and subnets for the NLB, and assign the NLB an IPv6 Elastic IP address.
  • D Add an IPv6 CIDR block to the VPC and subnets for the ALB. Create a listener on port 443, and specify the dualstack IP address type on the ALB. Create a target group, and add the EC2 instances as targets. Associate the target group with the ALB.
Suggested Answer: D
NOTE: The DevOps engineer should add an IPv6 CIDR block to the VPC and subnets for the ALB. By creating a listener on port 443 and specifying the dualstack IP address type on the ALB, the ALB will be able to handle both IPv4 and IPv6 traffic. The engineer should also create a target group, add the EC2 instances as targets, and associate the target group with the ALB.

Question #27 Topic 1

A company hosts its staging website using an Amazon EC2 instance backed with Amazon EBS storage. The company wants to recover quickly with minimal data losses in the event of network connectivity issues or power failures on the EC2 instance. Which solution will meet these requirements?

  • A Add the instance to an EC2 Auto Scaling group with the minimum, maximum, and desired capacity set to 1.
  • B Add the instance to an EC2 Auto Scaling group with a lifecycle hook to detach the EBS volume when the EC2 instance shuts down or terminates.
  • C Create an Amazon CloudWatch alarm for the StatusCheckFailed System metric and select the EC2 action to recover the instance.
  • D Create an Amazon CloudWatch alarm for the StatusCheckFailed Instance metric and select the EC2 action to reboot the instance.
Suggested Answer: B
NOTE: Option B, adding the instance to an EC2 Auto Scaling group with a lifecycle hook to detach the EBS volume when the EC2 instance shuts down or terminates, will meet the requirements of recovering quickly with minimal data losses in the event of network connectivity issues or power failures on the EC2 instance. By detaching the EBS volume, the data on it can be preserved and quickly attached to another instance.

Question #28 Topic 1

An ecommerce company has chosen AWS to host its new platform. The company's DevOps team has started building an AWS Control Tower landing zone. The DevOps team has set the identity store within AWS IAM Identity Center (AWS Single Sign-On) to external identity provider (IdP) and has configured SAML 2.0. The DevOps team wants a robust permission model that applies the principle of least privilege. The model must allow the team to build and manage only the team's own resources. Which combination of steps will meet these requirements? (Choose three.)

  • A Create IAM policies that include the required permissions. Include the aws:PrincipalTag condition key.
  • B Create permission sets. Attach an inline policy that includes the required permissions and uses the aws:PrincipalTag condition key to scope the permissions.
  • C Create a group in the IdP. Place users in the group. Assign the group to accounts and the permission sets in IAM Identity Center.
  • D Create a group in the IdP. Place users in the group. Assign the group to OUs and IAM policies.
  • E Enable attributes for access control in IAM Identity Center. Apply tags to users. Map the tags as key-value pairs.
  • F Enable attributes for access control in IAM Identity Center. Map attributes from the IdP as key-value pairs.
Suggested Answer: ABC
NOTE: The combination of steps A, B, and C will meet the requirements. Step A involves creating IAM policies with the required permissions and using the aws:PrincipalTag condition key to scope the permissions. Step B involves creating permission sets and attaching an inline policy with the required permissions, also using the aws:PrincipalTag condition key. Step C involves creating a group in the IdP, placing users in the group, and assigning the group to both accounts and permission sets in IAM Identity Center.

Question #29 Topic 1

A highly regulated company has a policy that DevOps engineers should not log in to their Amazon EC2 instances except in emergencies. If a DevOps engineer does log in, the security team must be notified within 15 minutes of the occurrence. Which solution will meet these requirements?

  • A Install the Amazon Inspector agent on each EC2 instance. Subscribe to Amazon EventBridge notifications. Invoke an AWS Lambda function to check if a message is about user logins. If it is, send a notification to the security team using Amazon SNS.
  • B Install the Amazon CloudWatch agent on each EC2 instance. Configure the agent to push all logs to Amazon CloudWatch Logs and set up a CloudWatch metric filter that searches for user logins. If a login is found, send a notification to the security team using Amazon SNS.
  • C Set up AWS CloudTrail with Amazon CloudWatch Logs. Subscribe CloudWatch Logs to Amazon Kinesis. Attach AWS Lambda to Kinesis to parse and determine if a log contains a user login. If it does, send a notification to the security team using Amazon SNS.
  • D Set up a script on each Amazon EC2 instance to push all logs to Amazon S3. Set up an S3 event to invoke an AWS Lambda function, which invokes an Amazon Athena query to run. The Athena query checks for logins and sends the output to the security team using Amazon SNS.
Suggested Answer: B
NOTE: Option B was chosen because it meets the requirements stated in the question. By installing the Amazon CloudWatch agent on each EC2 instance and configuring it to push all logs to Amazon CloudWatch Logs, a CloudWatch metric filter can be set up to search for user logins. If a login is found, a notification can be sent to the security team using Amazon SNS.

Question #30 Topic 1

To run an application, a DevOps engineer launches an Amazon EC2 instance with public IP addresses in a public subnet. A user data script obtains the application artifacts and installs them on the instances upon launch. A change to the security classification of the application now requires the instances to run with no access to the internet. While the instances launch successfully and show as healthy, the application does not seem to be installed. Which of the following should successfully install the application while complying with the new rule?

  • A Launch the instances in a public subnet with Elastic IP addresses attached. Once the application is installed and running, run a script to disassociate the Elastic IP addresses afterwards.
  • B Set up a NAT gateway. Deploy the EC2 instances to a private subnet. Update the private subnet's route table to use the NAT gateway as the default route.
  • C Publish the application artifacts to an Amazon S3 bucket and create a VPC endpoint for S3. Assign an IAM instance profile to the EC2 instances so they can read the application artifacts from the S3 bucket.
  • D Create a security group for the application instances and allow only outbound traffic to the artifact repository. Remove the security group rule once the install is complete.
Suggested Answer: C
NOTE: Option C should successfully install the application while complying with the new rule. By publishing the application artifacts to an Amazon S3 bucket and creating a VPC endpoint for S3, the EC2 instances can access the artifacts without requiring internet access. Assigning an IAM instance profile to the EC2 instances allows them to read the application artifacts from the S3 bucket.