Question No. 1

A company gives its employees limited rights to AWS DevOps engineers have the ability to assume an administrator role. For tracking purposes, the security team wants to receive a near-real-time notification when the administrator role is assumed.

How should this be accomplished?

AConfigure AWS Config to publish logs to an Amazon S3 bucket Use Amazon Athena to query the logs and send a notification to the security team when the administrator role is assumed

BConfigure Amazon GuardDuty to monitor when the administrator role is assumed and send a notification to the security team

CCreate an Amazon EventBridge event rule using an AWS Management Console sign-in events event pattern that publishes a message to an Amazon SNS topic if the administrator role is assumed

DCreate an Amazon EventBridge events rule using an AWS API call that uses an AWS CloudTrail event pattern to invoke an AWS Lambda function that publishes a message to an Amazon SNS topic if the administrator role is assumed.

Show Answer

Correct Answer: D

* Create an Amazon EventBridge Rule Using an AWS CloudTrail Event Pattern:

AWS CloudTrail logs API calls made in your account, including actions performed by roles.

Create an EventBridge rule that matches CloudTrail events where the AssumeRole API call is made to assume the administrator role.

* Invoke an AWS Lambda Function:

Configure the EventBridge rule to trigger a Lambda function whenever the rule's conditions are met.

The Lambda function will handle the logic to send a notification.

* Publish a Message to an Amazon SNS Topic:

The Lambda function will publish a message to an SNS topic to notify the security team.

Subscribe the security team's email address to this SNS topic to receive real-time notifications.

Example EventBridge rule pattern:

{

'source': ['aws.cloudtrail'],

'detail-type': ['AWS API Call via CloudTrail'],

'detail': {

'eventSource': ['sts.amazonaws.com'],

'eventName': ['AssumeRole'],

'requestParameters': {

'roleArn': ['arn:aws:iam:::role/AdministratorRole']

}

Example Lambda function (Node.js) to publish to SNS:

const AWS = require('aws-sdk');

const sns = new AWS.SNS();

exports.handler = async (event) => {

const params = {

Message: `Administrator role assumed: ${JSON.stringify(event.detail)}`,

TopicArn: 'arn:aws:sns:<region>::<sns-topic>'

};

await sns.publish(params).promise();

};

Creating EventBridge Rules

Using AWS Lambda with Amazon SNS

Question No. 2

A DevOps engineer has created an AWS CloudFormation template that deploys an application on Amazon EC2 instances The EC2 instances run Amazon Linux The application is deployed to the EC2 instances by using shell scripts that contain user dat

a. The EC2 instances have an 1AM instance profile that has an 1AM role with the AmazonSSMManagedlnstanceCore managed policy attached

The DevOps engineer has modified the user data in the CloudFormation template to install a new version of the application. The engineer has also applied the stack update. However, the application was not updated on the running EC2 instances. The engineer needs to ensure that the changes to the application are installed on the running EC2 instances.

Which combination of steps will meet these requirements? (Select TWO.)

AConfigure the user data content to use the Multipurpose Internet Mail Extensions (MIME) multipart format. Set the scripts-user parameter to always in the text/cloud-config section.

BRefactor the user data commands to use the cfn-init helper script. Update the user data to install and configure the cfn-hup and cfn-mit helper scripts to monitor and apply the metadata changes

CConfigure an EC2 launch template for the EC2 instances. Create a new EC2 Auto Scaling group. Associate the Auto Scaling group with the EC2 launch template Use the AutoScalingScheduledAction update policy for the Auto Scaling group.

DRefactor the user data commands to use an AWS Systems Manager document (SSM document). Add an AWS CLI command in the user data to use Systems Manager Run Command to apply the SSM document to the EC2 instances

ERefactor the user data command to use an AWS Systems Manager document (SSM document) Use Systems Manager State Manager to create an association between the SSM document and the EC2 instances.

Show Answer

Correct Answer: B, E

Refactor User Data to Use cfn-init and cfn-hup:

cfn-init helps to bootstrap the instance, installing packages and starting services.

cfn-hup is a daemon that can monitor metadata changes and re-apply configurations when necessary.

Example user data script with cfn-init:

#!/bin/bash

yum update -y

yum install -y aws-cfn-bootstrap

/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource WebServer --region ${AWS::Region}

/opt/aws/bin/cfn-hup

Use Systems Manager State Manager:

State Manager can automatically apply an AWS Systems Manager document to instances at regular intervals, ensuring configurations are kept up-to-date.

Steps:

Create an SSM document that installs and configures your application.

Use State Manager to associate this document with your EC2 instances.

Example SSM document:

{

'schemaVersion': '2.2',

'description': 'Install My Application',

'mainSteps': [

{

'action': 'aws:runShellScript',

'name': 'installApplication',

'inputs': {

'runCommand': [

'yum install -y my-application'

]

}

]

}

Create State Manager association:

aws ssm create-association --name 'InstallMyApplication' --instance-id <instance-id> --document-version '\$LATEST'

Using cfn-init and cfn-hup

AWS Systems Manager State Manager

Question No. 3

A company has an application that stores data that includes personally Identifiable Information (Pll) In an Amazon S3 bucket All data Is encrypted with AWS Key Management Service (AWS KMS) customer managed keys. All AWS resources are deployed from an AWS Cloud Formation template.

A DevOps engineer needs to set up a development environment for the application in a different AWS account The data in the development environment's S3 bucket needs to be updated once a week from the production environment's S3 bucket.

The company must not move Pll from the production environment without anonymizmg the Pll first The data in each environment must be encrypted with different KMS customer managed keys.

Which combination of steps should the DevOps engineer take to meet these requirements? (Select TWO )

AActivate Amazon Macie on the S3 bucket In the production account Create an AWS Step Functions state machine to initiate a discovery job and redact all Pll before copying files to the S3 bucket in the development account. Give the state machine tasks decrypt permissions on the KMS key in the production account. Give the state machine tasks encrypt permissions on the KMS key in the development account

BSet up S3 replication between the production S3 bucket and the development S3 bucket Activate Amazon Macie on the development S3 bucket Create an AWS Step Functions state machine to initiate a discovery job and redact all Pll as the files are copied to the development S3 bucket. Give the state machine tasks encrypt and decrypt permissions on the KMS key in the development account.

CSet up an S3 Batch Operations job to copy files from the production S3 bucket to the development S3 bucket. In the development account, configure an
AWS Lambda function to redact all Pll. Configure S3 Object Lambda to use the Lambda function for S3 GET requests Give the Lambda function's 1AM role encrypt and decrypt permissions on the KMS key in the development account.

DCreate a development environment from the CloudFormatlon template in the development account. Schedule an Amazon EventBridge rule to start the AWS Step Functions state machine once a week

ECreate a development environment from the CloudFormation template in the development account. Schedule a cron job on an Amazon EC2 instance to run once a week to start the S3 Batch Operations job.

Show Answer

Correct Answer: A, D

Activate Amazon Macie on the Production S3 Bucket:

Macie can identify and protect sensitive data such as PII.

Create a Step Functions state machine to automate data discovery and redaction before copying it to the development environment.

Example Step Functions state machine:

{

'Comment': 'Anonymize PII and copy data',

'StartAt': 'MacieDiscoveryJob',

'States': {

'MacieDiscoveryJob': {

'Type': 'Task',

'Resource': 'arn:aws:states:::macie:startClassificationJob',

'End': true

}

Create a Development Environment from CloudFormation Template:

Deploy the development environment in a new account using the existing CloudFormation template.

Schedule an EventBridge rule to start the Step Functions state machine on a weekly basis.

EventBridge rule example:

{

'ScheduleExpression': 'rate(7 days)',

'StateMachineArn': 'arn:aws:states:<region>::stateMachine:AnonymizeAndCopyData'

}

By using Macie for data anonymization and Step Functions for automation, you ensure PII is properly handled before data transfer between environments.

Amazon Macie

AWS Step Functions

AWS CloudFormation Templates

Question No. 4

A DevOps engineer needs to implement integration tests into an existing AWS CodePipelme CI/CD workflow for an Amazon Elastic Container Service (Amazon ECS) service. The CI/CD workflow retrieves new application code from an AWS CodeCommit repository and builds a container image. The CI/CD workflow then uploads the container image to Amazon Elastic Container Registry (Amazon ECR) with a new image tag version.

The integration tests must ensure that new versions of the service endpoint are reachable and that vanous API methods return successful response data The DevOps engineer has already created an ECS cluster to test the service

Which combination of steps will meet these requirements with the LEAST management overhead? (Select THREE.)

AAdd a deploy stage to the pipeline Configure Amazon ECS as the action provider

BAdd a deploy stage to the pipeline Configure AWS CodeDeploy as the action provider

CAdd an appspec.yml file to the CodeCommit repository

DUpdate the image build pipeline stage to output an imagedefinitions json file that references the new image tag.

ECreate an AWS Lambda function that runs connectivity checks and API calls against the service. Integrate the Lambda function with CodePipeline by using aLambda action stage

FWrite a script that runs integration tests against the service. Upload the script to an Amazon S3 bucket. Integrate the script in the S3 bucket with CodePipeline by using an S3 action stage.

Show Answer

Correct Answer: A, D, E

* Add a Deploy Stage to the Pipeline, Configure Amazon ECS as the Action Provider:

By adding a deploy stage to the pipeline and configuring Amazon ECS as the action provider, the pipeline can automatically deploy the new container image to the ECS cluster.

This ensures that the service is updated with the new image tag, making the new version of the service endpoint reachable.

* Update the Image Build Pipeline Stage to Output an imagedefinitions.json File that Reference the New Image Tag:

The imagedefinitions.json file provides the necessary information about the container images and their tags for the ECS task definitions.

Updating the pipeline to output this file ensures that the correct image version is deployed.

Example imagedefinitions.json

[

{

'name': 'container-name',

'imageUri': '123456789012.dkr.ecr.region.amazonaws.com/my-repo:my-tag'

}

]

* Reference: CodePipeline ECS Deployment

* Create an AWS Lambda Function that Runs Connectivity Checks and API Calls against the Service. Integrate the Lambda Function with CodePipeline by Using a Lambda Action Stage:

The Lambda function can perform the necessary integration tests by making connectivity checks and API calls to the deployed service endpoint.

Integrating this Lambda function into CodePipeline ensures that these tests are run automatically after deployment, providing near-real-time feedback on the new deployment's health.

Example Lambda function integration:

actions:

- name: TestService

actionTypeId:

category: Test

owner: AWS

provider: Lambda

runOrder: 2

configuration:

FunctionName: testServiceFunction

These steps ensure that the CI/CD workflow deploys the new container image to ECS, updates the image references, and performs integration tests, meeting the requirements with minimal management overhead.

Question No. 5

A company wants to use AWS Systems Manager documents to bootstrap physical laptops for developers The bootstrap code Is stored in GitHub A DevOps engineer has already created a Systems Manager activation, installed the Systems Manager agent with the registration code, and installed an activation ID on all the laptops.

Which set of steps should be taken next?

AConfigure the Systems Manager document to use the AWS-RunShellScnpt command to copy the files from GitHub to Amazon S3, then use the aws-downloadContent plugin with a sourceType of S3

BConfigure the Systems Manager document to use the aws-configurePackage plugin with an install action and point to the Git repository

CConfigure the Systems Manager document to use the aws-downloadContent plugin with a sourceType of GitHub and sourcelnfo with the repository details.

DConfigure the Systems Manager document to use the aws:softwarelnventory plugin and run the script from the Git repository

Show Answer

Correct Answer: C

Configure the Systems Manager Document to Use the aws-downloadContent Plugin with a sourceType of GitHub and sourcelnfo with the Repository Details:

The aws-downloadContent plugin can download content from various sources, including GitHub, which is necessary for bootstrapping the laptops with the code stored in the GitHub repository.

schemaVersion: '2.2'

description: 'Download and run bootstrap script from GitHub'

mainSteps:

- action: aws:downloadContent

name: downloadBootstrapScript

inputs:

sourceType: GitHub

sourceInfo: '{'owner':'my-org','repository':'my-repo','path':'scripts/bootstrap.sh','getOptions':'branch:main'}'

destinationPath: /tmp/bootstrap.sh

- action: aws:runShellScript

name: runBootstrapScript

inputs:

runCommand:

- chmod +x /tmp/bootstrap.sh

- /tmp/bootstrap.sh

This setup ensures that the bootstrap code is downloaded from GitHub and executed on the laptops using Systems Manager.

AWS Systems Manager aws-downloadContent Plugin

Running Commands Using Systems Manager

Amazon DOP-C02 Exam Actual Questions

The questions for DOP-C02 were last updated on Oct 3, 2024.

Unlock All Questions for Amazon DOP-C02 Exam