DOP-C02 Amazon Web Services AWS Certified DevOps Engineer - Professional Free Practice Exam Questions (2026 Updated)

https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

To meet the requirements of migrating its on-premises Windows and Linux applications to AWS and creating a pilot light DR environment in another AWS Region, the company should use Amazon FSx for NetApp ONTAP for the application storage. Amazon FSx for NetApp ONTAP is a fully managed service that provides highly reliable, scalable, high-performing, and feature-rich file storage built on NetApp’s popular ONTAP file system. FSx for ONTAP supports multiple protocols, including SMB for Windows and NFS for Linux, so the company can access the shared storage from both types of applications. FSx for ONTAP also supports NetApp SnapMirror replication, which enables the company to replicate the storage to the DR Region. NetApp SnapMirror replication is efficient, secure, and incremental, and it preserves the data deduplication and compression benefits of FSx for ONTAP. The company can use automation to launch and configure the EC2 instances in the DR Region and then use NetApp SnapMirror to restore the data from the primary Region.

The other options are not correct because they do not meet the requirements or follow best practices. Using Amazon S3 for the application storage is not a good option because S3 is an object storage service that does not support SMB or NFS protocols natively. The company would need to use additional services or software to mount S3 buckets as file systems, which would add complexity and cost. Using Amazon EBS for the application storage is also not a good option because EBS is a block storage service that does not support SMB or NFS protocols natively. The company would need to set up and manage file servers on EC2 instances to provide shared access to the EBS volumes, which would add overhead and maintenance. Using a Volume Gateway in AWS Storage Gateway for the application storage is not a valid option because Volume Gateway does not support SMB protocol. Volume Gateway only supports iSCSI protocol, which means that only Linux applications can access the shared storage.

1: What is Amazon FSx for NetApp ONTAP? - FSx for ONTAP

2: Amazon FSx for NetApp ONTAP

3: Amazon FSx for NetApp ONTAP | NetApp

4: AWS Announces General Availability of Amazon FSx for NetApp ONTAP

Replicating Data with NetApp SnapMirror - FSx for ONTAP

What Is Amazon S3? - Amazon Simple Storage Service

What Is Amazon Elastic Block Store (Amazon EBS)? - Amazon Elastic Compute Cloud

What Is AWS Storage Gateway? - AWS Storage Gateway

For pull through cache repositories, Amazon ECR now supports repository creation templates that can be applied to a registry prefix, such as /external . These templates define default settings, including encryption configuration with a specific KMS key , tag immutability, scan on push, and more. When new cache repositories are auto-created under that prefix, they inherit the template settings automatically.

In this scenario, existing external cache repositories are noncompliant because they use SSE-S3. The company can delete those repositories (removing the noncompliant caches) and configure an ECR repository creation template for the /external prefix that specifies the required customer managed KMS key. As new images are pulled, ECR recreates the cache repositories under that prefix with KMS encryption using the specified key , guaranteeing compliance going forward.

Option A (AWS Config) would only detect noncompliance after creation and cannot enforce encryption at creation time. Option C (SCP) cannot directly control repository encryption properties. Option D misuses EventBridge; KMS cannot be a “target” that retroactively encrypts repositories.

Therefore, using an ECR repository creation template with the desired KMS key is the correct, automatic, and secure solution.

The requirement is to deploy a stateless application with multi-Region fault tolerance , ensuring high availability even if an entire AWS Region becomes unavailable. For this design, traffic must be actively served from both Regions, not only during a failure event.

Option C correctly implements an active-active, multi-Region architecture . By deploying the application to both EKS clusters , each Region is capable of serving traffic independently. Using Amazon Route 53 weighted routing , traffic is distributed across both Application Load Balancers, allowing both Regions to handle requests simultaneously. If one Region becomes unhealthy, Route 53 health checks can stop routing traffic to that Region, maintaining availability.

Implementing Kubernetes readiness and liveness probes ensures that traffic is only sent to healthy pods within each cluster. This provides fault tolerance at both the container level (pod health) and the Regional level (Route 53 routing).

Option A uses a failover routing policy, which results in an active-passive design. While fault tolerant, it does not utilize both Regions simultaneously and provides slower recovery during Region failure. Options B and D deploy the application only in the primary Region, which does not meet multi-Region fault tolerance requirements.

Therefore, Option C delivers the most resilient, highly available, and AWS-recommended architecture for a stateless, multi-Region EKS application.

https://docs.aws.amazon.com/codedeploy/latest/userguide/deployment-steps.html

Verify No SCP Blocking Access:

Ensure that no Service Control Policy (SCP) is blocking access for developers to the S3 bucket. SCPs are applied at the organization or organizational unit (OU) level in AWS Organizations and can restrict what actions users and roles in the affected accounts can perform.

Verify No IAM Policy Permissions Boundaries Blocking Access:

IAM permissions boundaries can limit the maximum permissions that a user or role can have. Verify that these boundaries are not restricting access to the S3 bucket.

Make Necessary Changes to SCP and IAM Policy Permissions Boundaries:

Adjust the SCPs and IAM permissions boundaries if they are found to be the cause of the access issue. Make sure these changes are reflected in the code maintained in the AWS CodeCommit repository.

Invoke Deployment Through CloudFormation:

Commit the updated policies to the CodeCommit repository.

Use AWS CloudFormation to deploy the changes across the relevant accounts and resources to ensure that the updated permissions are applied consistently.

By ensuring no SCPs or IAM policy permissions boundaries are blocking access and making necessary changes if they are, the DevOps engineer can resolve the access issue for developers trying to access the S3 bucket.

https://aws.amazon.com/blogs/devops/how-to-test-and-debug-aws-codedeploy-locally-before-you-ship-your-code/#:~:text=You%20can%20test%20application%20code,local%20server%20or%20EC2%20instance.

To meet the requirements of creating a new Organizations account structure with an appropriate SCP that supports the use of only services that are currently active in the AWS account, the company should use the following solution:

Create an SCP that allows the services that IAM Access Analyzer identifies. IAM Access Analyzer is a service that helps identify potential resource-access risks by analyzing resource-based policies in the AWS environment. IAM Access Analyzer can also generate IAM policies based on access activity in the AWS CloudTrail logs. By using IAM Access Analyzer, the company can create an SCP that grants only the permissions that are required for the application to run, and denies all other services. This way, the company can enforce the use of only approved AWS services and reduce the risk of unauthorized access12

Create an OU for the account. Move the account into the new OU. An OU is a container for accounts within an organization that enables you to group accounts that have similar business or security requirements. By creating an OU for the account, the company can apply policies and manage settings for the account as a group. The company should move the account into the new OU to make it subject to the policies attached to the OU3

Attach the new SCP to the new OU. Detach the default FullAWSAccess SCP from the new OU. An SCP is a type of policy that specifies the maximum permissions for an organization or organizational unit (OU). By attaching the new SCP to the new OU, the company can restrict the services that are available to all accounts in that OU, including the account that runs the application. The company should also detach the default FullAWSAccess SCP from the new OU, because this policy allows all actions on all AWS services and might override or conflict with the new SCP45

The other options are not correct because they do not meet the requirements or follow best practices. Creating an SCP that denies the services that IAM Access Analyzer identifies is not a good option because it might not cover all possible services that are not approved or required for the application. A deny policy is also more difficult to maintain and update than an allow policy. Creating an SCP that allows the services that IAM Access Analyzer identifies and attaching it to the organization’s root is not a good option because it might affect other accounts and OUs in the organization that have different service requirements or approvals. Creating an SCP that allows the services that IAM Access Analyzer identifies and attaching it to the management account is not a valid option because SCPs cannot be attached directly to accounts, only to OUs or roots.

1: Using AWS Identity and Access Management Access Analyzer - AWS Identity and Access Management

2: Generate a policy based on access activity - AWS Identity and Access Management

3: Organizing your accounts into OUs - AWS Organizations

4: Service control policies - AWS Organizations

5: How SCPs work - AWS Organizations

https://blog.fourninecloud.com/auto-scaling-lifecycle-hooks-to-export-server-logs-when-instance-terminating-58e06d7c0d6a

https://docs.aws.amazon.com/inspector/latest/user/scanning-ec2.html

A- https://docs.aws.amazon.com/codedeploy/latest/userguide/codedeploy-agent.html D - This option correctly utilizes AWS CodePipeline to invoke the CodeBuild job and create CloudFormation change sets. It adds a manual approval step before executing the change sets and starting the AWS CodeDeploy deployment. This ensures that the deployment process is automated while retaining the final manual approval step.

Amazon Redshift supports audit logging which can be configured to log user activity, including queries and user changes. The logs can be delivered to an S3 bucket (Option B), which is the standard location for Redshift audit logs.

While Redshift can send some logs to CloudWatch, the native audit logging is typically routed to S3. Creating a CloudWatch dashboard with a log widget (Option D) allows visualization of user activities from logs ingested into CloudWatch Logs or through custom processing.

Option A is invalid because CloudTrail does not capture Redshift query logs directly. Option C incorrectly assumes Redshift audit logs can be delivered directly to CloudWatch. Option E adds complexity by requiring Lambda and Athena unnecessarily when direct visualization in CloudWatch is simpler.

Option A directly matches all requirements with the least extra infrastructure:

State Manager is the Systems Manager capability for defining and maintaining a desired configuration by running associations on a schedule (for example, hourly). That satisfies the “run periodically” requirement in a managed way across a large fleet.

The AWS-ApplyChefRecipes Systems Manager document is specifically intended to run Chef recipes/cookbooks on managed instances without requiring you to run your own Chef server infrastructure . You can point it at a cookbook source (such as an artifact/repo location) and have Systems Manager handle execution on the instances.

Why the other options aren’t correct:

B is not the right mechanism for periodic Chef cookbook execution. Installing an application package and running a “repair action” via Run Command is not the purpose-built Chef cookbook runner, and it’s more brittle/DIY than State Manager associations.

C ( AWS-RefreshAssociation ) is used to refresh/reevaluate association metadata/targets; it does not itself execute Chef cookbooks as the compliance mechanism.

D is for OS patching compliance (Patch Manager/patch policies), not for applying Chef cookbooks that detect and remediate configuration drift.

https://aws.amazon.com/blogs/mt/automate-remediation-actions-for-amazon-ec2-notifications-and-beyond-using-ec2-systems-manager-automation-and-aws-health/

Use routing configuration on an alias to send a portion of traffic to a second function version. For example, you can reduce the risk of deploying a new version by configuring the alias to send most of the traffic to the existing version, and only a small percentage of traffic to the new version. https://docs.aws.amazon.com/lambda/latest/dg/configuration-aliases.html

The following are the steps involved in the deploy stage configuration that will meet the requirements:

Use AWS CodeBuild to add sample event payloads for testing to the Lambda functions.

Publish a new version of the functions, and include Amazon CloudWatch alarms.

Update the production alias to point to the new version.

Configure rollbacks to occur when an alarm is in the ALARM state.

This configuration will help to reduce the customer impact of an unsuccessful deployment by deploying the new version of the functions to a staging environment first. This will allow the DevOps engineer to test the new version of the functions before deploying it to production.

The configuration will also help to monitor for issues by including Amazon CloudWatch alarms. These alarms will alert the DevOps engineer if there are any problems with the new version of the functions.

The requirements describe a classic attribute-based access control (ABAC) model using AWS IAM. The company already has consistent tagging across users and resources, which is ideal for ABAC and least-privilege enforcement at scale.

First, Option A is required because IAM roles should represent job functions (developer vs. database administrator) and be scoped per project. Creating separate roles per project and job function allows permissions to be isolated cleanly and prevents cross-project access.

Second, Option B enforces project-level isolation at the policy level . By modifying the existing job-function policies to include a StringEquals condition that compares aws:ResourceTag/Project with aws:PrincipalTag/Project, access is automatically limited to only those resources that belong to the same project as the user. This is an AWS-recommended ABAC pattern and avoids policy sprawl.

Third, Option C is required so users can assume roles only when their tags match the role’s tags . An IAM policy attached to users that allows sts:AssumeRole only if both project and job function tags match ensures users cannot assume roles outside their assigned scope.

Options D, E, and F either misapply policies to the wrong entities, misuse tagging on policies (which IAM does not evaluate for authorization), or introduce unnecessary group-based management that conflicts with the ABAC design.

Therefore, A, B, and C together provide least privilege, project isolation, and scalable access control with minimal ongoing administration.

 Use AWS Step Functions to Orchestrate Processing:

AWS Step Functions allow you to build distributed applications by combining AWS Lambda functions or other AWS services into workflows.

Decoupling the processing into Step Functions tasks enables you to retry individual steps without reprocessing the entire record.

 Architectural Steps:

Create a web application to pass records to AWS Step Functions:

The web application can be a simple frontend that receives input and triggers the Step Functions workflow.

Define a Step Functions state machine:

Each step in the state machine represents a processing stage. If a step fails, Step Functions can retry the step based on defined conditions.

Use AWS Lambda functions:

Lambda functions can be used to handle each processing step. These functions can be stateless and handle specific tasks, reducing the complexity of error handling and reprocessing logic.

 Operational Efficiency:

Using Step Functions and Lambda improves operational efficiency by providing built-in error handling, retries, and state management.

This architecture scales automatically and isolates failures to individual steps, ensuring only failed steps are retried.