Question 1

A company runs a workload on Amazon EC2 instances. The company needs a control that requires the use of Instance Metadata Service Version 2 (IMDSv2) on all EC2 instances in the AWS account. If an EC2 instance does not prevent the use of Instance Metadata Service Version 1 (IMDSv1), the EC2 instance must be terminated. Which solution will meet these requirements?

Options :

A :

Set up AWS Config in the account. Use a managed rule to check EC2 instances. Configure the rule to remediate the findings by using AWS Systems Manager Automation to terminate the instance.

B :

Create a permissions boundary that prevents the ec2:Runlnstance action if the ec2:MetadataHttpTokens condition key is not set to a value of required. Attach the permissions boundary to the IAM role that was used to launch the instance.

C :

Set up Amazon Inspector in the account. Configure Amazon Inspector to activate deep inspection for EC2 instances. Create an Amazon EventBridge rule for an Inspector2 finding. Set an AWS Lambda function as the target to terminate the instance.

D :

Create an Amazon EventBridge rule for the EC2 instance launch successful event. Send the event to an AWS Lambda function to inspect the EC2 metadata and to terminate the instance.

Answer: B

Question 2

A company has a suite of applications that uses the MERN stack for the presentation tier and NGINX for the web tier. AWS CodeDeploy will be used to automate its application deployments. The DevOps team created a deployment group for their TEST environment and performed functional tests within the application. The team will set up additional deployment groups for STAGING and PROD environments later on. The current log level is configured within the NGINX settings, but the team wants to change this configuration dynamically when the deployment occurs. This will enable them to set different log level configurations depending on the deployment group without having a different application revision for each group.

Which among the options below provides the LEAST management overhead and does not require different script versions for each deployment group?

Options :

A : Set up a custom environment variable in CodeDeploy for each environment with a value of TEST, STAGING or PROD. Attach a shell script in the application revision that will read the custom variable and determine which deployment group the Amazon EC2 instance is associated with. In the appspec.yml config file, add a reference to this script as part of the ValidateService lifecycle hook. Configure the log level settings of the instance based on the result of the script.

B : Develop a custom shell script that uses the DEPLOYMENT_GROUP_ID environment variable in CodeDeploy to identify which deployment group the Amazon EC2 instance is associated with. In the appspec.yml config file, add a reference to this script as part of the ApplicationStart lifecycle hook. Configure the log level settings of the instance based on the result of the script.

C : Develop a custom shell script that uses the DEPLOYMENT_GROUP_NAME environment variable in CodeDeploy to identify which deployment group the Amazon EC2 instance is associated with. In the appspec.yml config file, add a reference to this script as part of the Beforelnstall lifecycle hook. Configure the log level settings of the instance based on the result of the script.

D : Use the AWS Resource Groups Tag Editor to add a tag on each EC2 instance based on its deployment group. Attach a shell script in the application revision that will fetch the instance tag using the aws ec2 describe-tags CLI command to determine which deployment group the Amazon EC2 instance is associated with. In the appspec.yml config file, add a reference to this script as part of the ValidateService lifecycle hook. Configure the log level settings of the instance based on the result of the script.

Answer: C

Question 3

A leading digital payments company is using AWS to host its suite of web applications which uses external APIs for credit and debit transactions. The current architecture is using CloudTrail with several trails to log all API actions. Each trail is protected with an IAM policy to restrict access from unauthorized users. In order to maintain the system's PCI DSS compliance, a solution must be implemented that allows them to trace the integrity of each file and prevent the files from being tampered.

Which of the following is the MOST suitable solution with the LEAST amount of effort to implement?

Options :

A : In AWS CloudTrail, enable the log file integrity feature on the trail that will automatically generate a digest file for every log file that CloudTrail delivers. Verify the integrity of the delivered CloudTrail files using the generated digest files.

B :

Use AWS Config to directly enable the log file integrity feature in CloudTrail. This will automatically generate a digest file for every log file that CloudTrail delivers. Verify the integrity of the delivered CloudTrail files using the generated digest files.

C :

Use AWS Systems Manager State Manager to directly enable the log file integrity feature in CloudTrail. This will automatically generate a digest file for every log file that CloudTrail delivers. Verify the integrity of the delivered CloudTrail files using the generated digest files.

D : In the Amazon S3 bucket of the trail, enable the log file integrity feature that will automatically generate a digest file for every log file that CloudTrail delivers. Grant the IT Security team full access to download the file integrity logs stored in the S3 bucket via an IAM policy.

Answer: A

Question 4

A company deploys an application in two AWS Regions. The application currently uses an Amazon S3 bucket in the primary Region to store data.

A DevOps engineer needs to ensure that the application is highly available in both Regions. The DevOps engineer has created a new S3 bucket in the secondary Region. All existing and new objects must be in both S3 buckets. The application must fail over between the Regions with no data loss.

Which combination of steps will meet these requirements with the MOST operational efficiency? (Choose three.)

Options :

A : Create a new IAM role that allows the Amazon S3 and S3 Batch Operations service principals to assume the role that has the necessary permissions for S3 replication.

B : Create a new IAM role that allows the AWS Batch service principal to assume the role that has the necessary permissions for S3 replication.

C : . Create an S3 Cross-Region Replication (CRR) rule on the source S3 bucket. Configure the rule to use the IAM role for Amazon S3 to replicate to the target S3 bucket

D : Create a two-way replication rule on the source S3 bucket. Configure the rule to use the IAM role for Amazon S3 to replicate to the target S3 bucket.

E : Create an AWS Batch job that has an AWS Fargate orchestration type. Configure the job to use the IAM role for AWS Batch. Specify a Bash command to use the AWS CLI to synchronize the contents of the source S3 bucket and the target S3 bucket

F : Create an operation in S3 Batch Operations to replicate the contents of the source S3 bucket to the target S3 bucket. Configure the operation to use the IAM role for Amazon S3.

Answer: A,C,F

Question 5

A telecommunications company has a web portal that requires a cross-region failover. The portal stores its data in an Amazon Aurora database in the primary region (us-west-1) and the Parallel Query feature is also enabled in the database to optimize some of the I/O and computation involved in processing data-intensive queries. The portal uses Route 53 to direct customer traffic to the active region.

Which among the options below should be taken to MINIMIZE downtime of the portal in the event that the primary database fails?

Options :

A : Create a CloudWatch Events rule to periodically invoke a Lambda function that checks the health of the primary Amazon Aurora database every hour. Configure the Lambda function to promote the read replica as the primary if a failure was detected. Update the Route 53 record to redirect traffic from the primary to the secondary region.

B : Configure the Route 53 record to balance traffic between both regions equally using the Failover routing policy. Enable the Aurora multi-master option and set up a Route 53 health check to analyze the health of the databases. Set the Route 53 record to automatically direct all traffic to the secondary region when a primary database fails.

C : Launch a read replica of the primary database to the second region. Set up Amazon RDS Event Notification to publish status updates to an SNS topic. Create a Lambda function subscribed to the topic to monitor database health. Configure the Lambda function to promote the read replica as the primary in the event of a failure. Update the Route 53 record to redirect traffic from the primary region to the secondary region.

D : Set up CloudWatch to monitor the status of the Amazon Aurora database. Create a CloudWatch Events rule to send a Slack message to the SysOps Team using Amazon SNS in the event of a database outage. Instruct the SysOps team to redirect traffic to an S3 static website that displays a downtime message. Manually promote the read replica as the primary instance and verify the portal-s status. Redirect traffic from the S3 website to the secondary region.

Answer: C

Higher Test Marks with Free Online DOP-C02 Exam Practice

Buying Options: