AWS Certified DevOps Engineer Professional (DOP-C02): Questions 1726 to 1740

1740 questions total · 24 pages · All types, answers revealed

Page 24 of 24

1726
MCQ · medium

A DevOps engineer is troubleshooting a failed AWS CloudFormation stack creation. The stack creates an EC2 instance with a user data script that runs a configuration management tool. The instance launches successfully, but the user data script fails. How can the engineer retrieve the user data execution logs to debug the issue?

A.Use AWS CloudTrail to view the user data execution events.
B.Use AWS Systems Manager Run Command to retrieve the logs remotely.
C.Check the CloudWatch Logs group for the instance.
D.Access the instance via EC2 Instance Connect and check /var/log/cloud-init-output.log.
Answer: D

Cloud-init logs contain the output of user data scripts.

Why this answer

Option D is correct. On Linux instances, cloud-init runs the user data script as root and writes its stdout and stderr to /var/log/cloud-init-output.log (cloud-init's own trace goes to /var/log/cloud-init.log), so connecting with EC2 Instance Connect or SSH and reading that file is the direct way to see why the script failed. Option A is incorrect because CloudTrail records API calls, not what ran inside the instance. Option B is incorrect because Run Command needs a working SSM Agent and instance profile and only executes commands; it is not where user data output is kept, although it could be used to read the same log file on instances that are already managed.

Option C is incorrect because nothing reaches CloudWatch Logs unless the CloudWatch agent is installed and configured, and that usually happens in the very user data script that failed.

1727
MCQ · hard

A company uses AWS Organizations with multiple accounts. The security team needs a centralized solution to detect and respond to EC2 instances that are publicly accessible with SSH open to 0.0.0.0/0. Which combination of services provides the most automated detection and remediation?

A.AWS CloudTrail and Amazon EventBridge
B.Amazon GuardDuty and AWS Lambda
C.AWS Config and Amazon Simple Notification Service (SNS)
D.AWS Config and AWS Systems Manager Automation
Answer: D

Config rule detects non-compliant SG; Systems Manager Automation remediates.

Why this answer

The correct answer is D. An AWS Config rule (the managed rule restricted-ssh, source identifier INCOMING_SSH_DISABLED, performs exactly this check) flags security groups that allow 0.0.0.0/0 on port 22, and a remediation action attached to the rule runs a Systems Manager Automation document that revokes the offending ingress rule with no human in the loop. Deployed as an organization Config rule or conformance pack and viewed through a Config aggregator, the same rule covers every account in the Organization. GuardDuty (B) detects threat activity such as SSH brute-force attempts against an instance, not configuration drift, and Lambda would need custom remediation code.

CloudTrail with EventBridge (A) can react to the AuthorizeSecurityGroupIngress call, but it still needs a custom target to remediate and never sees rules created before the event rule existed. Config with SNS (C) detects but only notifies.
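The detection half of that design, as an added example that is not code from the page or from AWS: the Python below reproduces offline the check the managed restricted-ssh rule makes and, for each non-compliant group, emits the exact ingress entries the Automation document would have to revoke. It reads security groups in the camelCase shape AWS Config records in the configuration field of an AWS::EC2::SecurityGroup item; the group IDs and rules are constructed. It deliberately goes beyond the literal "port 22" case in the question, because an all-traffic rule (protocol -1) or a TCP range such as 0-1024 exposes SSH just as well and is what naive checks miss.

```python
"""Detection logic behind the Config rule in the question above.

Added example (not from the page or from AWS): it reproduces offline the check
the managed rule restricted-ssh (source identifier INCOMING_SSH_DISABLED) makes,
and emits the parameters an Automation document would need to revoke each
offending rule. Input documents use the camelCase shape AWS Config records in
the `configuration` field of an AWS::EC2::SecurityGroup item; the group IDs and
rules below are constructed.
"""
from typing import Dict, List

SSH_PORT = 22
WORLD_V4, WORLD_V6 = "0.0.0.0/0", "::/0"   # "anyone on the internet"


def _covers_ssh(perm: Dict) -> bool:
    """True if one ipPermissions entry admits TCP/22.

    Protocol "-1" is all traffic, so it always covers SSH; a TCP range that
    merely spans 22 (e.g. 0-1024) counts too. Matching only fromPort == 22 is
    the classic gap in home-grown versions of this check.
    """
    proto = str(perm.get("ipProtocol", ""))
    if proto == "-1":
        return True
    if proto.lower() != "tcp":
        return False
    low, high = perm.get("fromPort"), perm.get("toPort")
    if low is None or high is None:          # tcp with no port bounds = all ports
        return True
    return low <= SSH_PORT <= high


def _world_sources(perm: Dict) -> List[str]:
    """Internet-wide source ranges (IPv4 and IPv6) listed in one permission."""
    found = [r["cidrIp"] for r in perm.get("ipRanges", []) if r.get("cidrIp") == WORLD_V4]
    found += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", []) if r.get("cidrIpv6") == WORLD_V6]
    return found


def evaluate(sg: Dict) -> Dict:
    """Evaluate one group the way a custom Config rule's Lambda would.

    Besides COMPLIANT / NON_COMPLIANT, return the exact ingress entries to
    revoke so the same record can drive ec2:RevokeSecurityGroupIngress
    (for protocol "-1" the ports are None and the revoke call takes none).
    """
    revoke = []
    for perm in sg.get("ipPermissions", []):
        if not _covers_ssh(perm):
            continue
        for cidr in _world_sources(perm):
            revoke.append({"IpProtocol": perm["ipProtocol"],
                           "FromPort": perm.get("fromPort"),
                           "ToPort": perm.get("toPort"),
                           "Cidr": cidr})
    return {"ComplianceResourceId": sg["groupId"],
            "ComplianceType": "NON_COMPLIANT" if revoke else "COMPLIANT",
            "Revoke": revoke}


# Constructed configuration items.
SAMPLE_GROUPS = [
    {"groupId": "sg-0a1b2c3d4e5f60001",          # SSH from a corporate range only
     "ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                        "ipRanges": [{"cidrIp": "203.0.113.0/24"}], "ipv6Ranges": []}]},
    {"groupId": "sg-0a1b2c3d4e5f60002",          # web tier that also opened 22 to v4 and v6
     "ipPermissions": [{"ipProtocol": "tcp", "fromPort": 80, "toPort": 80,
                        "ipRanges": [{"cidrIp": WORLD_V4}], "ipv6Ranges": []},
                       {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                        "ipRanges": [{"cidrIp": WORLD_V4}], "ipv6Ranges": [{"cidrIpv6": WORLD_V6}]}]},
    {"groupId": "sg-0a1b2c3d4e5f60003",          # "all traffic": no literal 22 anywhere
     "ipPermissions": [{"ipProtocol": "-1", "ipRanges": [{"cidrIp": WORLD_V4}], "ipv6Ranges": []}]},
    {"groupId": "sg-0a1b2c3d4e5f60004",          # wide TCP range that spans 22
     "ipPermissions": [{"ipProtocol": "tcp", "fromPort": 0, "toPort": 1024,
                        "ipRanges": [{"cidrIp": WORLD_V4}], "ipv6Ranges": []}]},
]


def evaluate_all(groups: List[Dict] = SAMPLE_GROUPS) -> Dict[str, Dict]:
    """Map group ID -> evaluation for every group in the batch."""
    return {r["ComplianceResourceId"]: r for r in map(evaluate, groups)}


if __name__ == "__main__":
    for sg_id, result in evaluate_all().items():
        print(sg_id, result["ComplianceType"], result["Revoke"])
```

In production the managed rule does the evaluation and the managed Automation document AWS-DisablePublicAccessForSecurityGroup (which removes 0.0.0.0/0 entries for ports 22 and 3389) does the revocation; the value of writing the logic out is seeing that "port 22 open to the world" has four spellings, not one, and that the remediation needs the protocol, port range and CIDR of each entry rather than just the group ID.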

1728
MCQ · medium

A company has a production environment that uses Amazon Route 53 for DNS and an Application Load Balancer (ALB) to distribute traffic to EC2 instances. The company wants to implement a disaster recovery plan that automatically fails over to a secondary region in case the primary region becomes unavailable. Which configuration should be used?

A.Use Route 53 weighted routing policy with equal weights for both regions.
B.Use Route 53 geolocation routing policy to route users based on their location.
C.Use Route 53 failover routing policy with primary and secondary records and health checks.
D.Use Route 53 latency routing policy to route to the region with lowest latency.
Answer: C

Failover routing with health checks automatically redirects traffic if primary fails.

Why this answer

Option C is correct because a failover routing policy pairs a primary record with a secondary record and ties the primary to a health check; when the check on the primary ALB fails, Route 53 starts answering with the secondary record. For an alias record that points at an ALB, enabling Evaluate Target Health lets Route 53 use the load balancer's own target health instead of a separate health check; with a separate check, the checkers connect from Route 53's public IP ranges, so those must be allowed through to the endpoint. Option A is wrong because weighted routing splits traffic by weight and does not designate a standby. Option B is wrong because geolocation routing selects by the client's location, not by endpoint health.

Option D is wrong because latency routing sends each client to the lowest-latency region rather than to a designated standby.

1729
MCQ · medium

A company runs a critical web application on EC2 instances behind an Application Load Balancer. To improve resilience, they want to automatically replace failed instances. Which AWS service should they use?

A.EC2 Instance Recovery
B.AWS Systems Manager Automation
C.CloudFormation Stack update
D.Auto Scaling group with health checks
Answer: D

Automatically replaces failed instances based on health checks.

Why this answer

Option D is correct. An Auto Scaling group watches instance health (EC2 status checks, plus the ALB target health checks once the ELB health check type is enabled on the group) and terminates and replaces instances that fail. Option A is wrong because EC2 automatic recovery only handles underlying hardware or system-status failures by restarting the same instance on new hardware; it does not react to an application that stops answering.

Option B is wrong because Systems Manager Automation runs runbooks on demand or in response to events but does not replace instances on its own. Option C is wrong because a CloudFormation stack update changes the template's resources; it does not replace instances that fail at runtime.

1730
MCQ · easy

A DevOps engineer is implementing AWS Config rules to enforce tagging standards on resources. The rule should trigger a remediation action via AWS Systems Manager Automation to apply the correct tags if a resource is non-compliant. What is the correct way to set up this remediation?

A.Use the AWS Config rule's remediation action to run an AWS Systems Manager Automation document.
B.Configure the AWS Config rule to send events to AWS CodePipeline to trigger a pipeline that fixes the tags.
C.Configure a CloudWatch Events rule to detect non-compliant resources and invoke a Lambda function that applies tags.
D.Use an SNS topic to notify administrators when a resource is non-compliant.
Answer: A

Config rules have a built-in remediation feature that can execute an Automation document.

Why this answer

Option A is correct: an AWS Config rule can have a remediation action attached that runs a Systems Manager Automation document, manually or automatically, for each non-compliant resource, passing the resource ID in as a parameter. The Automation assumes a role that must hold the tagging permissions, and retry count and rate limits are set on the remediation action itself. Option C is wrong because it reinvents that feature: an EventBridge (formerly CloudWatch Events) rule on Config compliance-change events plus a Lambda function works, but it needs custom code. Option D is wrong because an SNS notification informs administrators and remediates nothing.

Option B is wrong because AWS Config does not trigger CodePipeline, and a pipeline is the wrong tool for per-resource fixes.

1731
MCQ · hard

A company runs a containerized microservices application on Amazon ECS with Fargate launch type. The application uses an Application Load Balancer to route traffic to the ECS service. Recently, the DevOps team noticed that the ECS service is failing to deploy new tasks during a rolling update. The CloudWatch Logs for the ECS service show that new tasks are failing to start because they cannot pull the container image from Amazon ECR. The error message indicates 'AccessDenied' when attempting to pull the image. The task execution role has the necessary permissions, and the image URI is correct. The VPC has a VPC endpoint for ECR configured. The security group for the tasks allows outbound traffic to the VPC endpoint. What is the MOST likely cause of the access denied error?

A.The task execution role does not have the 'ecr:GetAuthorizationToken' permission.
B.The security group for the ALB does not allow inbound traffic to the ECS tasks.
C.The VPC endpoint for ECR does not have 'Private DNS names enabled' selected.
D.The task role does not have the 'ecr:BatchGetImage' permission.
Answer: C

When private DNS is not enabled, the DNS resolution for ECR endpoints defaults to public IPs, which may not be reachable from the VPC, causing access denied.

Why this answer

Option C is correct. With private DNS disabled on the interface endpoint, the task resolves the ECR API and registry hostnames to their public IP addresses, so the pull never uses the endpoint it was meant to go through and fails. Enabling Private DNS names makes the regional ECR hostnames resolve to the endpoint's private IPs inside the VPC. Two related checks a practitioner should make: an image pull needs three endpoints, com.amazonaws.<region>.ecr.api, com.amazonaws.<region>.ecr.dkr and an S3 gateway endpoint for the image layers (plus a CloudWatch Logs endpoint if the awslogs driver is used), and a restrictive endpoint policy produces a similar access error. Option A is wrong because the question states that the task execution role already has the required permissions.

Option B is wrong because the ALB security group governs traffic from the load balancer to the tasks, not image pulls. Option D is wrong because the task role is used by the application code; images are pulled with the task execution role.

1732
MCQ · medium

A company uses AWS Lambda functions to process messages from an Amazon SQS queue. The DevOps team notices that messages are not being processed and are going to the dead-letter queue. The Lambda function code is correct. What is the most likely cause?

A.The Lambda function's execution role lacks the sqs:ReceiveMessage permission.
B.The SQS queue's visibility timeout is too long.
C.The Lambda function timeout is too short.
D.The Lambda function's dead-letter queue is misconfigured.
Answer: A

Without ReceiveMessage permission, Lambda cannot fetch messages, so they eventually go to DLQ.

Why this answer

Option A is correct because the Lambda poller, not the function code, uses the execution role to call ReceiveMessage, DeleteMessage and GetQueueAttributes on the queue; when those permissions are missing or denied, processing fails and messages that exceed the queue's maxReceiveCount are moved to the DLQ. Check the event source mapping's State and LastProcessingResult first: a permission problem is reported there. Option B is wrong because a long visibility timeout delays retries rather than sending messages to the DLQ. Option C would also produce DLQ deliveries (a function that times out never deletes the message, so it is redelivered until maxReceiveCount), but the question states the function works correctly, which leaves the role as the remaining cause.

Option D is wrong because the queue's redrive policy is behaving as designed: messages land in the DLQ after maxReceiveCount failed receives, so the DLQ is a symptom, not the cause.
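The check a practitioner actually runs for the execution-role cause is whether the role's policy grants the three actions the SQS poller uses on that queue. The Python below is an added example, not code from the page or from AWS: it evaluates a policy document against a queue ARN, following IAM's wildcard matching for Action and Resource and letting an explicit Deny override any Allow, which a grep for "ReceiveMessage" would miss. The queue ARN and the three policies are constructed; Condition, NotAction and NotResource elements are not evaluated, so a policy that relies on them needs a fuller simulator such as IAM's SimulatePrincipalPolicy.

```python
"""Check whether a Lambda execution-role policy lets the SQS poller work.

Added example, not from the page or from AWS. The three actions below are the
ones Lambda's event source mapping calls on the queue (the same set the managed
policy AWSLambdaSQSQueueExecutionRole grants). Matching follows IAM's rules for
Action (case-insensitive, * and ? wildcards) and for Resource (* wildcards), and
an explicit Deny beats any Allow. Condition, NotAction and NotResource are not
evaluated. The queue ARN and the policy documents are constructed.
"""
import fnmatch
from typing import Any, Dict, List

REQUIRED_ACTIONS = ("sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes")


def _as_list(value: Any) -> List[Any]:
    """IAM lets Statement, Action and Resource be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern: str, arn: str) -> bool:
    return fnmatch.fnmatchcase(arn, pattern)


def missing_actions(policy: Dict, queue_arn: str) -> List[str]:
    """Required actions the policy does not allow on queue_arn, or explicitly denies."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if not any(_resource_matches(r, queue_arn) for r in _as_list(stmt.get("Resource"))):
            continue                                  # statement is about other resources
        patterns = _as_list(stmt.get("Action"))
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for action in REQUIRED_ACTIONS:
            if any(_action_matches(p, action) for p in patterns):
                bucket.add(action)
    return [a for a in REQUIRED_ACTIONS if a not in allowed or a in denied]


QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:orders"   # constructed

# Role that can only publish: the poller never receives anything.
SEND_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sqs:SendMessage", "Resource": QUEUE_ARN}]}

# Working policy: a prefix wildcard for one action and an account-wide resource.
WORKING = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueue*"],
     "Resource": "arn:aws:sqs:us-east-1:111122223333:*"}]}

# Looks generous, but the Deny on DeleteMessage means every message is received,
# processed, never deleted, and redelivered until maxReceiveCount sends it to the DLQ.
DENY_DELETE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sqs:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "sqs:DeleteMessage", "Resource": QUEUE_ARN}]}


if __name__ == "__main__":
    for name, policy in (("SEND_ONLY", SEND_ONLY), ("WORKING", WORKING), ("DENY_DELETE", DENY_DELETE)):
        print(name, "missing:", missing_actions(policy, QUEUE_ARN))
```

The third policy is the instructive one: the role can receive, so the mapping reports no error, yet every message cycles through the function until the redrive policy moves it to the DLQ, which is exactly the symptom in the question.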

1733
MCQ · hard

A DevOps engineer is troubleshooting an issue where an Amazon RDS instance's CPU utilization is consistently high. The engineer has enabled Performance Insights and sees that the top SQL query is a SELECT statement that scans many rows. What is the best course of action to reduce CPU utilization?

A.Create a read replica to offload read traffic.
B.Increase the allocated storage to improve I/O.
C.Increase the DB instance size to handle the load.
D.Add appropriate indexes to optimize the query.
Answer: D

Indexes reduce the number of rows scanned, lowering CPU usage.

Why this answer

Option D is correct because an index that matches the query's predicates turns the full scan into an index lookup, cutting the rows examined and therefore the CPU spent per execution; Performance Insights already names the statement, and running EXPLAIN on it confirms the scan and shows which columns need the index. Option A is wrong because a read replica moves the expensive query to another instance, which hides the problem rather than fixing it and burns the same CPU on the replica. Option B is wrong because storage size affects I/O throughput, and the bottleneck here is CPU.

Option C is wrong because a bigger instance is a costly temporary fix that leaves the inefficient query in place.

1734
MCQ · hard

A DevOps engineer is reviewing the CodePipeline structure above. The pipeline fails during the Deploy stage with an error: 'The deployment group could not be found.' What is the most likely cause?

A.The pipeline is configured as a single-region pipeline, but the Deploy action is in a different region.
B.The source artifact is not accessible from us-west-2.
C.The CodeDeploy application does not exist in us-west-2.
D.The CodeBuild project is not configured to output artifacts.
Answer: A

Cross-region actions require explicit configuration; the pipeline is in us-east-1 and cannot deploy to us-west-2 without cross-region setup.

Why this answer

Option A is correct. The pipeline's stages run in different regions (Build in us-east-1, Deploy in us-west-2), and a CodePipeline action runs in the pipeline's own region unless it is declared as a cross-region action with an artifact store (an S3 bucket and, for encryption, a KMS key) configured for the action's region. Without that, the Deploy action looks for the deployment group in the pipeline's region and fails with the error shown.

Option B is wrong because artifact access is a consequence of the missing cross-region setup, not the root cause. Option C is wrong because the error names the deployment group, not the application. Option D is wrong because a missing build output would fail the Build stage, not the Deploy stage.

1735
MCQ · medium

A company uses AWS Elastic Beanstalk for deploying a web application. The development team wants to implement a blue/green deployment strategy to minimize downtime. Which approach should they use?

A.Update the Auto Scaling group launch configuration and gradually replace instances.
B.Create a new CodeDeploy deployment group and use the blue/green deployment configuration.
C.Create a new Elastic Beanstalk environment and swap the environment CNAMEs.
D.Create a new target group and register instances from the old environment.
Answer: C

Elastic Beanstalk provides environment swapping for blue/green.

Why this answer

Option C is correct: Elastic Beanstalk's blue/green pattern is to create a second environment running the new version, test it on its own URL, then swap the environment CNAMEs so the production DNS name points at the new environment, keeping the old one for a fast rollback. Option A is wrong because replacing instances in the Auto Scaling group is a rolling update, not blue/green. Option B is wrong because Elastic Beanstalk has its own swap mechanism and does not use CodeDeploy deployment groups for this.

Option D is wrong because registering the old environment's instances into a new target group is not a blue/green cut-over.

1736
MCQ · easy

A company runs a web application on EC2 instances behind an Application Load Balancer. The application experiences intermittent failures due to a single Availability Zone failing. Which solution is MOST resilient and cost-effective?

A.Use a larger instance type in the same Availability Zone
B.Use an Auto Scaling group with a single instance in each of three Availability Zones and a Network Load Balancer
C.Migrate to a single larger instance in a different region
D.Deploy EC2 instances across two Availability Zones and configure the ALB to distribute traffic
Answer: D

Provides fault isolation and load balancing across zones.

Why this answer

Option D is correct because spreading the instances over two Availability Zones behind the existing ALB isolates an AZ failure and costs nothing beyond the instances already needed. Option A is wrong because a larger instance still sits in the single Availability Zone that is failing. Option C is wrong because a single instance in another region is still a single point of failure and adds cross-region complexity and cost.

Option B is wrong because, although it also survives an AZ failure, it adds a third zone and swaps the ALB for a Network Load Balancer the application does not need, so it is not the most cost-effective choice.

1737
Multi-Select · easy

A DevOps engineer needs to monitor the health of a web application running on EC2 instances behind an Application Load Balancer (ALB). Which TWO metrics from ALB should be monitored to detect application errors? (Choose TWO.)

Select 2 answers
A.RequestCount.
B.HTTPCode_ELB_5XX_Count.
C.HTTPCode_Target_5XX_Count.
D.HealthyHostCount.
E.TargetResponseTime.
Answers: C, E

HTTPCode_Target_5XX_Count counts 5xx responses returned by the targets; TargetResponseTime shows latency regressions that precede errors.

Why this answer

Option C is correct because HTTPCode_Target_5XX_Count counts the 5xx responses the application instances themselves return, the most direct signal of application errors. Option E is correct because a rising TargetResponseTime shows the application degrading before requests start failing outright. Option A is wrong because RequestCount is total traffic, not an error count (it is useful as the denominator of an error-rate alarm).

Option D is wrong because HealthyHostCount reports how many targets pass the health check, not application errors. Option B counts 5xx responses generated by the ALB itself (502, 503 and 504 when targets are unreachable or too slow); it is worth alarming on as well, but it reports load-balancer-side failures rather than errors returned by the application.

1738
Multi-Select · medium

Which THREE are valid AWS Systems Manager capabilities for configuration management? (Select THREE.)

Select 3 answers
A.Run Command
B.OpsCenter
C.Parameter Store
D.Patch Manager
E.State Manager
Answers: A, D, E

Run Command, Patch Manager and State Manager are the configuration-management capabilities; OpsCenter and Parameter Store belong to other Systems Manager groups.

Why this answer

Option A is correct because Run Command executes commands across managed instances on demand. Option D is correct because Patch Manager schedules and applies operating-system patches. Option E is correct because State Manager keeps instances in a defined configuration by re-applying associations on a schedule.

Option B is wrong because OpsCenter is an operations-management tool for tracking operational issues (OpsItems). Option C is wrong because Parameter Store, listed under Application Management, stores configuration data and secrets that the other capabilities consume; it does not apply configuration itself.

1739
MCQ · medium

A DevOps team uses AWS CodePipeline with a multi-branch strategy. The pipeline should deploy to production only from the 'main' branch, but run unit tests for all branches. How should the team configure the pipeline?

A.Configure the pipeline source stage to trigger on all branches, use branch-specific logic in the test stage, and add a manual approval step for production deployment only when the branch is 'main'.
B.Use an AWS Lambda function to check the branch name and invoke different CodePipeline executions for testing and deployment.
C.Create one pipeline with two source stages: one for 'main' and one for all other branches, each with its own test and deploy actions.
D.Create a separate pipeline for each branch, each with identical test and deploy stages.
Answer: A

Branch filtering in source stage and conditional deployment is the recommended approach.

Why this answer

Option A is correct: one pipeline whose source trigger fires for every branch, a test stage that runs regardless of branch, and a production deploy gated by a manual approval that is granted only for main (CodePipeline's branch filters on the source trigger can enforce the branch condition natively). Option B is wrong because a Lambda dispatcher is custom glue for something the pipeline trigger already supports. Option D is wrong because a pipeline per branch duplicates every stage and does not scale with short-lived feature branches.

Option C is wrong because a pipeline has exactly one source stage; it can contain several source actions, but all of them run on every execution, so two sources do not give branch-specific behaviour.

1740
Multi-Select · medium

A company uses AWS CloudFormation to manage a production environment with multiple stacks. The DevOps team needs to implement a change management process that requires approval for any changes to the production stack. Which approaches meet this requirement? (Choose TWO.)

Select 2 answers
A.Create an IAM policy that allows only read-only access to the production stack and a separate role with write access.
B.Require that all stack updates be performed through a change set that is reviewed and executed by a separate role.
C.Use AWS CodePipeline with a manual approval step before executing a CloudFormation change set.
D.Use AWS Config rules to detect unapproved changes and automatically revert them.
E.Use an SCP to deny all CloudFormation actions except from a specific CI/CD role.
Answers: B, C

Change sets preview the update without applying it; a separate role or a CodePipeline manual approval action then executes it after review.

Why this answer

Options B and C are correct. B: creating a change set stages the proposed update so reviewers can inspect exactly which resources will be added, modified, replaced or removed; granting cloudformation:CreateChangeSet to the pipeline role and cloudformation:ExecuteChangeSet only to a separate approver role makes the review step mandatory rather than customary. C: CodePipeline's CloudFormation action can create the change set, a manual approval action then halts the pipeline until someone approves, and a second CloudFormation action executes the change set.

Option A is wrong because splitting read-only and write roles controls who can change the stack but contains no approval step. Option D is wrong because Config rules are detective, and reverting after the fact is not change management. Option E is wrong because an SCP that restricts CloudFormation to the CI/CD role limits who can act but, on its own, still contains no approval.
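What the approver is looking at in that manual approval step is the change set's resource-change list, and the decision can be partly automated. The Python below is an added example, not code from the page or from AWS: it takes the Changes list in the shape DescribeChangeSet returns and decides whether the pipeline may execute the change set unattended or must stop for a human, listing the reasons. The change set is constructed, and which resource types count as stateful or sensitive is the author's assumption, kept deliberately short.

```python
"""Approval gate over a CloudFormation change set.

Added example, not from the page or from AWS. Given the `Changes` list in the
shape DescribeChangeSet returns, decide whether the pipeline may execute the
change set unattended or must stop at the manual approval action, and list the
reasons. The change set below is constructed; which resource types count as
stateful or sensitive is the author's assumption and the lists are deliberately
short.
"""
from typing import Dict, List

# Replacing one of these drops data or forces an outage rather than a restart.
STATEFUL_TYPES = {
    "AWS::RDS::DBInstance", "AWS::RDS::DBCluster", "AWS::DynamoDB::Table",
    "AWS::S3::Bucket", "AWS::EFS::FileSystem", "AWS::KMS::Key",
}
# Adding or modifying one of these changes privileges or network exposure.
SENSITIVE_PREFIXES = ("AWS::IAM::", "AWS::EC2::SecurityGroup")


def review_change_set(changes: List[Dict]) -> Dict:
    """Return {"RequiresApproval": bool, "Findings": [...]} for one change set.

    Rules: any Remove needs approval; a Modify whose Replacement is "True" or
    "Conditional" needs approval when the resource is stateful (replacement of
    stateless resources is routine); any Add or Modify of an IAM or
    security-group resource needs approval.
    """
    findings = []
    for change in changes:
        if change.get("Type") != "Resource":
            continue
        rc = change["ResourceChange"]
        logical = rc.get("LogicalResourceId")
        rtype = rc.get("ResourceType", "")
        action = rc.get("Action")
        replacement = rc.get("Replacement")       # string: "True", "False" or "Conditional"
        if action == "Remove":
            findings.append(f"{logical} ({rtype}): resource will be deleted")
        elif action == "Modify" and replacement in ("True", "Conditional") and rtype in STATEFUL_TYPES:
            findings.append(f"{logical} ({rtype}): stateful resource will be replaced")
        if action in ("Add", "Modify") and rtype.startswith(SENSITIVE_PREFIXES):
            findings.append(f"{logical} ({rtype}): IAM or security-group change")
    return {"RequiresApproval": bool(findings), "Findings": findings}


# Constructed DescribeChangeSet "Changes" entries for a production stack update.
SAMPLE_CHANGES = [
    {"Type": "Resource", "ResourceChange": {
        "Action": "Modify", "LogicalResourceId": "WebLaunchTemplate",
        "ResourceType": "AWS::EC2::LaunchTemplate", "Replacement": "False"}},
    {"Type": "Resource", "ResourceChange": {
        "Action": "Modify", "LogicalResourceId": "OrdersDb",
        "ResourceType": "AWS::RDS::DBInstance", "Replacement": "True"}},
    {"Type": "Resource", "ResourceChange": {
        "Action": "Add", "LogicalResourceId": "DeployRole",
        "ResourceType": "AWS::IAM::Role"}},
    {"Type": "Resource", "ResourceChange": {
        "Action": "Remove", "LogicalResourceId": "LegacyBucket",
        "ResourceType": "AWS::S3::Bucket"}},
]


if __name__ == "__main__":
    verdict = review_change_set(SAMPLE_CHANGES)
    print("requires approval:", verdict["RequiresApproval"])
    for line in verdict["Findings"]:
        print(" -", line)
```

Wired into the pipeline, a Lambda or CodeBuild action runs this between the create-change-set action and the manual approval action and puts the findings into the approval request, so the approver sees "OrdersDb will be replaced" rather than an opaque change set name; a change set with no findings can skip the approval stage entirely, which keeps routine deploys fast without weakening the gate on the changes that matter.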
