Back to AWS Certified DevOps Engineer Professional DOP-C02 questions

Scenario-based practice

Refer to the Exhibit Practice Questions

Practise AWS Certified DevOps Engineer Professional DOP-C02 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15
scenario questions
DOP-C02
exam code
Amazon Web Services
vendor

Scenario guide

How to approach refer to the exhibit practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

How to extract the relevant detail from an exhibit.

How topology, command output or routing information affects the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.

Related practice questions

Related DOP-C02 topic practice pages

Scenario questions usually connect to one or more exam topics. Use these links to review the underlying concepts behind the scenario.

Practice set

Practice scenarios

Question 1hardmultiple choice
Full question →

A DevOps engineer is troubleshooting an application running on an EC2 instance. The application needs to access an Amazon RDS database using IAM database authentication. The EC2 instance is associated with an IAM role 'EC2-AppRole', and the RDS instance has a resource-based policy that allows 'DatabaseAccessRole' to connect. The engineer sees the error in the exhibit. What is the most likely cause?

Exhibit

Refer to the exhibit.

Error log from an application instance:

2023-10-01T12:34:56Z ERROR Failed to assume role: AccessDenied
User: arn:aws:sts::123456789012:assumed-role/EC2-AppRole/i-0a1b2c3d4e5f
is not authorized to perform: sts:AssumeRole on resource:
arn:aws:iam::123456789012:role/DatabaseAccessRole
Question 2hardmultiple choice
Review the full subnetting walkthrough →

A DevOps engineer receives the error shown in the exhibit when attempting to update an existing CloudFormation stack that deploys a VPC with subnets. The stack was created successfully earlier using the same template. What is the most likely cause of this error?

Exhibit

Refer to the exhibit.

Error log from AWS CloudFormation stack update:

"Resource handler returned message: 'User: arn:aws:sts::123456789012:assumed-role/AdminRole/UpdateUser is not authorized to perform: ec2:DescribeSubnets on resource: arn:aws:ec2:us-east-1:123456789012:subnet/subnet-0bb1c79de3EXAMPLE' (Service: Ec2, Status Code: 403, Request ID: ...)"
Question 3hardmultiple choice
Full question →

Refer to the exhibit. A CodePipeline deployment fails at the CloudFormation stage. The Lambda function creation is cancelled. What is the MOST likely cause?

Exhibit

CodePipeline execution details:
- Source: CodeCommit (branch: main)
- Build: CodeBuild (buildspec.yml)
- Deploy: CloudFormation (template.yml)
- Status: Failed at Deploy stage
- Error message: "The following resource(s) failed to create: [MyLambdaFunction]. WaitCondition received 1 unique messages. UniqueId count: 1. Received: 'CREATE_FAILED'"
- CloudFormation stack events: "Resource creation cancelled" for a Lambda function with a VPC configuration.
- Build logs show: "npm install succeeded, tests passed"
Question 4hardmultiple choice
Full question →

Refer to the exhibit. The deployment succeeded but the application fails. What is the MOST likely cause?

Exhibit

CodePipeline execution history:
Pipeline: MyPipeline
Date: 2024-03-01
Stage: Deploy
Action: DeployToECS

Execution ID: e-123456789
Status: Succeeded

Revision: commit SHA abc123
Deployment details:
  - ECS service: my-service
  - Task definition: my-task:12
  - Desired count: 2
  - Running count: 2
  - Pending count: 0

After deployment, application health checks fail. Rolling back to previous revision (task definition my-task:11) resolves the issue.

CloudWatch Logs from ECS tasks:
[ERROR] Failed to connect to database: TimeoutError: connect ETIMEDOUT 10.0.0.5:5432
Question 5hardmultiple choice
Full question →

Refer to the exhibit. A CloudFormation template creates a Lambda function. After deployment, the function fails with a timeout error. Logs are not being created in CloudWatch. What is the most likely cause?

Exhibit

Refer to the exhibit.

Resources:
  MyLambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket: my-bucket
        S3Key: function.zip
      Handler: index.handler
      Role: !GetAtt LambdaExecutionRole.Arn
      Runtime: python3.9
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: LambdaPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: logs:CreateLogGroup
                Resource: arn:aws:logs:us-east-1:123456789012:*
              - Effect: Allow
                Action: logs:CreateLogStream
                Resource: arn:aws:logs:us-east-1:123456789012:*
              - Effect: Allow
                Action: logs:PutLogEvents
                Resource: arn:aws:logs:us-east-1:123456789012:*
Question 6mediummultiple choice
Full question →

Refer to the exhibit. A network engineer reviews VPC Flow Logs. Which statement about the traffic is correct?

Exhibit

VPC Flow Logs record (space-separated):
2 123456789012 eni-12345 10.0.1.5 10.0.2.10 443 12345 6 10 5000 1625256000 1625256060 ACCEPT OK
2 123456789012 eni-12345 10.0.2.10 10.0.1.5 56789 443 6 20 10000 1625256000 1625256060 ACCEPT OK
2 123456789012 eni-12345 10.0.1.5 203.0.113.1 443 80 6 5 250 1625256000 1625256060 REJECT OK
Question 7mediummultiple choice
Full question →

Refer to the exhibit. An IAM policy is attached to a user. The user reports that they cannot push to the 'MyRepo' repository. What is the likely reason?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codecommit:GitPull",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "codecommit:GitPush",
      "Resource": "arn:aws:codecommit:us-east-1:123456789012:MyRepo"
    }
  ]
}
Question 8hardmultiple choice
Full question →

Refer to the exhibit. A CodeBuild project uses this buildspec. The build fails with the error: 'The runtime version specified is not supported in this environment.' What change should be made?

Exhibit

Refer to the exhibit.

# Buildspec.yml
version: 0.2
phases:
  install:
    runtime-versions:
      nodejs: 12
    commands:
      - npm install
  build:
    commands:
      - npm run build
artifacts:
  files:
    - '**/*'
Question 9mediummultiple choice
Full question →

Refer to the exhibit. A DevOps engineer runs the AWS CLI command to list deployments for an application. The output shows only 2 deployments, but the team knows there are more. How can the engineer retrieve the remaining deployments?

Network Topology
$ aws deploy list-deploymentsapplication-name MyAppdeployment-group-name MyDGmax-items 5Refer to the exhibit."deployments": ["d-ABCDEFGHI","d-JKLMNOPQR"],"nextToken": "abc123"
Question 10mediummultiple choice
Full question →

Refer to the exhibit. A CodePipeline service role has this IAM policy attached. The pipeline's deploy stage uses CodeDeploy to perform an ECS blue/green deployment. The deployment fails with an access denied error. What is the MOST likely missing permission?

Exhibit

Refer to the exhibit.

# IAM Policy for CodePipeline Service Role
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codedeploy:CreateDeployment",
        "codedeploy:GetDeployment",
        "codedeploy:GetDeploymentGroup"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeServices"
      ],
      "Resource": "arn:aws:ecs:us-east-1:123456789012:service/my-service"
    }
  ]
}
Question 11hardmultiple choice
Full question →

Refer to the exhibit. A developer runs this buildspec in CodeBuild to deploy a CDK application. The build succeeds, but the CDK stack is not deployed. What is the MOST likely reason?

Network Topology
- npx cdk deployrequire-approval neverRefer to the exhibit.# CodeBuild buildspec.ymlversion: 0.2phases:install:runtime-versions:nodejs: 14commands:- npm installbuild:- npm run build- npx cdk synthpost_build:artifacts:files:- '**/*'base-directory: 'cdk.out'
Question 12mediummultiple choice
Full question →

Refer to the exhibit. A DevOps engineer sees this output when listing pipelines. The pipeline 'my-app-pipeline' has execution mode set to 'QUEUED'. The team reports that when multiple commits are pushed simultaneously, only the latest commit is deployed, and earlier ones are skipped. How should the pipeline execution mode be changed to ensure all commits are deployed?

Exhibit

Refer to the exhibit.

# AWS CLI output from 'aws codepipeline list-pipelines'
{
  "pipelines": [
    {
      "name": "my-app-pipeline",
      "version": 5,
      "created": 1620000000.0,
      "pipelineType": "V1",
      "executionMode": "QUEUED"
    }
  ]
}
Question 13hardmultiple choice
Full question →

Refer to the exhibit. An alarm is configured as shown. The CPU utilization averages 85% for 10 minutes, then spikes to 95% for the next 5 minutes, and returns to 80%. How many times will the SNS topic receive a notification?

Exhibit

CloudWatch Alarm configuration (JSON):
{
  "AlarmName": "HighCPU",
  "AlarmDescription": "Alarm when CPU exceeds 90% for 5 minutes",
  "ActionsEnabled": true,
  "OKActions": ["arn:aws:sns:us-east-1:123456789012:MyTopic"],
  "AlarmActions": ["arn:aws:sns:us-east-1:123456789012:MyTopic"],
  "InsufficientDataActions": [],
  "MetricName": "CPUUtilization",
  "Namespace": "AWS/EC2",
  "Statistic": "Average",
  "Period": 300,
  "EvaluationPeriods": 2,
  "Threshold": 90.0,
  "ComparisonOperator": "GreaterThanThreshold"
}
Question 14hardmultiple choice
Full question →

Refer to the exhibit. An IAM policy is attached to a role used by a CI/CD system. The policy is intended to allow starting the pipeline 'MyPipeline' from the same account. However, the CI/CD system receives an 'AccessDenied' error when trying to start the pipeline. What is the problem?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codepipeline:StartPipelineExecution",
      "Resource": "arn:aws:codepipeline:us-east-1:123456789012:MyPipeline"
    },
    {
      "Effect": "Deny",
      "Action": "codepipeline:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceAccount": "123456789012"
        }
      }
    }
  ]
}
Question 15mediummultiple choice
Full question →

Refer to the exhibit. A DevOps engineer sees the following error when trying to update a CloudFormation stack: 'Stack [arn:aws:cloudformation:us-west-2:123456789012:stack/MyStack/abc123] is in ROLLBACK_COMPLETE state and can not be updated.' What should the engineer do to proceed?

Exhibit

arn:aws:cloudformation:us-west-2:123456789012:stack/MyStack/abc123

These DOP-C02 practice questions are part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style DOP-C02 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.