DOP-C02 Amazon Web Services AWS Certified DevOps Engineer - Professional Free Practice Exam Questions (2026 Updated)

This hook runs before the new application version is installed on the replacement instances. This is the best place to run the script because it ensures that the license file is downloaded and installed before the replacement instances start to handle request traffic. If you use any other hook, you may encounter errors or inconsistencies in your application.

Account Factory Customization (AFC) automates Control Tower account provisioning with baseline blueprints for networking, logging, and guardrails. It integrates natively and minimizes overhead, per AWS Control Tower documentation.

ECR Lifecycle Policies automatically manage image retention based on tag status, age, or count. They execute natively within the ECR service, requiring no external management or scripts — the least overhead and AWS-recommended cleanup method.

To meet the requirements, the DevOps engineer needs to configure the CloudWatch alarm to stop the EC2 instances when the average of the NetworkPacketsIn metric is less than 5 for at least 3 hours in a 12-hour time window. This means that the alarm should trigger when 3 out of 12 datapoints are below the threshold of 5. The alarm should also treat missing data as not breaching the threshold, so that the EC2 instances continue to run if there is no data for the metric during the evaluation period. The DevOps engineer can add an EC2 action to stop the instance when the alarm enters the ALARM state, which is a built-in action type for CloudWatch alarms.

 Configure AWS Systems Manager on Each Instance:

AWS Systems Manager provides a unified interface for managing AWS resources. Install the Systems Manager agent on each EC2 instance to enable inventory management and other features.

 Use AWS Systems Manager Inventory:

Systems Manager Inventory collects metadata about your instances and the software installed on them. This data includes information about applications, network configurations, and more.

Enable Systems Manager Inventory on all EC2 instances to gather detailed information about installed applications.

 Use Systems Manager Resource Data Sync to Synchronize and Store Findings in an Amazon S3 Bucket:

Resource Data Sync aggregates inventory data from multiple accounts and regions into a single S3 bucket, making it easier to query and analyze the data.

Configure Resource Data Sync to automatically transfer inventory data to an S3 bucket for centralized storage.

 Create an AWS Lambda Function that Runs When New Objects are Added to the S3 Bucket:

Use an S3 event to trigger a Lambda function whenever new inventory data is added to the S3 bucket.

The Lambda function can parse the inventory data and check for the presence of prohibited applications.

 Configure the Lambda Function to Identify Prohibited Applications:

The Lambda function should be programmed to scan the inventory data for any known prohibited applications and generate alerts or take appropriate actions if such applications are found.

Example Lambda function in Python

import json

import boto3

def lambda_handler(event, context):

s3 = boto3.client( ' s3 ' )

bucket = event[ ' Records ' ][0] [ ' s3 ' ][ ' bucket ' ][ ' name ' ]

key = event[ ' Records ' ][0] [ ' s3 ' ][ ' object ' ][ ' key ' ]

response = s3.get_object(Bucket=bucket, Key=key)

inventory_data = json.loads(response[ ' Body ' ].read().decode( ' utf-8 ' ))

prohibited_apps = [ ' app1 ' , ' app2 ' ]

for instance in inventory_data[ ' Instances ' ]:

for app in instance[ ' Applications ' ]:

if app[ ' Name ' ] in prohibited_apps:

# Send notification or take action

print(f " Prohibited application found: {app[ ' Name ' ]} on instance {instance[ ' InstanceId ' ]} " )

return { ' statusCode ' : 200, ' body ' : json.dumps( ' Check completed ' )}

By leveraging AWS Systems Manager Inventory, Resource Data Sync, and Lambda, this solution provides an efficient and automated way to audit EC2 instances for prohibited applications.

 Step 1: Creating a Centralized Domain in the Shared Services Account

To manage application package dependencies across multiple accounts, the most efficient solution is to create a centralized domain in the shared services account. This allows all application teams to access and manage package repositories within the same domain, ensuring consistency and centralization.

Action: Create a domain in the shared services account.

Why: A single, centralized domain reduces the need for redundant management in each application team ' s account.

The solution that meets the requirements is to use EC2 Image Builder to create a container image pipeline, use Amazon ECR as the target repository, turn on enhanced scanning on the ECR repository, create an Amazon EventBridge rule to capture an Inspector2 finding event, and use the event to invoke the image pipeline. Re-upload the container to the repository.

This solution will continuously monitor the container repository for vulnerabilities using enhanced scanning, which is a feature of Amazon ECR that provides detailed information and guidance on how to fix security issues found in your container images. Enhanced scanning uses Inspector2, a security assessment service that integrates with Amazon ECR and generates findings for any vulnerabilities detected in your images. You can use Amazon EventBridge to create a rule that triggers an action when an Inspector2 finding event occurs. The action can be to invoke an EC2 Image Builder pipeline, which is a service that automates the creation of container images. The pipeline can use the latest patches and updates to build a new container image and upload it to the same ECR repository, replacing the vulnerable image.

The other options are not correct because they do not meet all the requirements or use services that are not relevant for the scenario.

Option B is not correct because it uses Amazon GuardDuty Malware Protection, which is a feature of GuardDuty that detects malicious activity and unauthorized behavior on your AWS accounts and resources. GuardDuty does not scan container images for vulnerabilities, nor does it integrate with Amazon ECR or EC2 Image Builder.

Option C is not correct because it uses basic scanning on the ECR repository, which only provides a summary of the vulnerabilities found in your container images. Basic scanning does not use Inspector2 or generate findings that can be captured by Amazon EventBridge. Moreover, basic scanning does not provide guidance on how to fix the vulnerabilities.

Option D is not correct because it uses AWS Systems Manager Compliance, which is a feature of Systems Manager that helps you monitor and manage the compliance status of your AWS resources based on AWS Config rules and AWS Security Hub standards. Systems Manager Compliance does not scan container images for vulnerabilities, nor does it integrate with Amazon ECR or EC2 Image Builder.

The correct answer is D. The scenario requires a solution that can migrate an application from on premises to AWS, run on specific versions of Apache Tomcat, HAProxy, and Varnish Cache, tune the operating system-level parameters, automate the deployment of new application versions, and scale and replace faulty servers automatically. Option D meets all these requirements by using AWS CodeCommit, AWS CodeDeploy, AWS CodePipeline, and Amazon EC2 Auto Scaling. AWS CodeCommit is a fully managed source control service that hosts Git repositories and works with Git-based tools. AWS CodeDeploy is a fully managed deployment service that automates software deployments to a variety of compute services, including Amazon EC2, AWS Fargate, AWS Lambda, and on-premises servers. AWS CodePipeline is a fully managed continuous delivery service that helps automate the release pipelines for fast and reliable application updates. Amazon EC2 Auto Scaling helps maintain application availability and allows scaling of Amazon EC2 capacity up or down automatically according to the defined conditions. By using these services together, the DevOps engineer can migrate the application code to AWS, configure and install the necessary software using the appspec.yml file, automate the deployment process using the pipeline, and scale and replace the servers using the Auto Scaling group.

Option A is incorrect because AWS Fargate is a serverless compute engine for containers that works with Amazon ECS and Amazon EKS. Fargate removes the need to provision and manage servers, but it also limits the ability to tune the operating system-level parameters, which is a requirement in the scenario. Moreover, Fargate does not support HAProxy and Varnish Cache as sidecar containers, which are needed to run the application properly.

Option B is incorrect because AWS Elastic Beanstalk is a fully managed service that automates the deployment and scaling of web applications and services using familiar servers such as Apache, Nginx, Passenger, and IIS. However, Elastic Beanstalk does not support HAProxy and Varnish Cache as part of the Tomcat solution stack, which are needed to run the application properly. Moreover, Elastic Beanstalk web server tier environments are designed to serve HTTP requests, not to process background tasks, which is the purpose of worker tier environments.

Option C is incorrect because AWS Elastic Beanstalk worker tier environments are designed to process background tasks using a daemon process that runs on each Amazon EC2 instance in the environment. Worker tier environments are not suitable for running web applications that serve HTTP requests, which is the case in the scenario. Moreover, Elastic Beanstalk does not support HAProxy and Varnish Cache as part of the Tomcat solution stack, which are needed to run the application properly.

AWS CodeCommit

AWS CodeDeploy

AWS CodePipeline

Amazon EC2 Auto Scaling

AWS Fargate

AWS Elastic Beanstalk

Option A is the most correct because it provides both : (1) automated patching and (2) compliance monitoring/enforcement across a fleet, using AWS-native services built for exactly this purpose.

AWS Systems Manager Patch Manager is designed to automate patching of managed instances using patch baselines , maintenance windows (or on-demand), and it produces compliance status for patching. It’s the standard AWS service to apply OS/security patches at scale without SSH’ing into instances.

AWS Config can be used to evaluate and track compliance over time against defined rules, giving centralized visibility and continuous compliance assessment. With remediation , Config can invoke Systems Manager Automation documents to correct non-compliant resources or trigger patch actions (depending on the rule/remediation design). This meets the “monitor and enforce” requirement.

Why the other options don’t meet requirements as well:

B is manual, doesn’t scale well, and increases operational risk (key management, human error). It’s not “automated monitoring and enforcement.”

C (replacing instances with new AMIs) can be part of an immutable infrastructure strategy, but by itself it does not provide compliance monitoring across the current fleet, and scaling policies based on CloudWatch metrics are unrelated to patch compliance. Also, patch cadence would depend on AMI pipelines and instance rotation rather than direct compliance enforcement.

D is operationally heavy and mismatched: CloudTrail records API activity; it does not natively provide “patch compliance” status for instance OS packages. Recreating instances via CloudFormation for every patch is not an efficient or standard enforcement mechanism for patch compliance.

You can run custom recipes manually, but the best approach is usually to have AWS OpsWorks Stacks run them automatically. Every layer has a set of built-in recipes assigned each of five lifecycle events—Setup, Configure, Deploy, Undeploy, and Shutdown. Each time an event occurs for an instance, AWS OpsWorks Stacks runs the associated recipes for each of the instance ' s layers, which handle the corresponding tasks. For example, when an instance finishes booting, AWS OpsWorks Stacks triggers a Setup event. This event runs the associated layer ' s Setup recipes, which typically handle tasks such as installing and configuring packages

AWS CodeDeploy supports automatic rollback capabilities, which allow the deployment to automatically revert to the last known good revision if a failure occurs during the deployment or if health checks fail.

You can enable automatic rollback on CodeDeploy deployments by configuring rollback settings in the deployment group.

Automatic rollback triggers can include failed deployments and alarms failing during the deployment lifecycle, which means if the health check fails, CodeDeploy will automatically roll back without manual intervention.

Lifecycle event hooks (Option A) provide custom scripting capabilities during deployment but do not provide built-in rollback automation.

CloudFormation (Option B) can deploy and manage infrastructure but does not control CodeDeploy rollback.

CloudWatch alarms (Option C) can trigger notifications but require manual or additional automation to trigger rollback. Hence, enabling CodeDeploy’s automatic rollback settings is the simplest and most reliable method for automatic rollback upon health check failure.

Reference from AWS Official Documentation and Study Guide:

AWS CodeDeploy Automatic Rollback: " You can configure automatic rollback in AWS CodeDeploy to roll back a deployment if it fails or if specified CloudWatch alarms are triggered. " (AWS CodeDeploy User Guide - Automatic Rollbacks)

AWS Certified DevOps Engineer Professional Study Guide: " Leverage CodeDeploy automatic rollback features to reduce downtime and ensure application stability during deployments. "

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-recover.html

https://aws.amazon.com/about-aws/whats-new/2020/02/aws-cloudformation-stacksets-introduces-automatic-deployments-across-accounts-and-regions-through-aws-organizations/

AWS Device Farm provides a fully managed environment for automated and manual app testing across real physical devices. It integrates directly with AWS CodePipeline and automatically scales based on test concurrency. AWS documentation recommends Device Farm for mobile app testing due to its scalability and zero infrastructure management.

To meet the requirements of ensuring that flow logs remain configured for all existing and new VPCs in the AWS account, the company should use AWS Config and automatic remediation. AWS Config is a service that enables customers to assess, audit, and evaluate the configurations of their AWS resources. AWS Config continuously monitors and records the configuration changes of the AWS resources and evaluates them against desired configurations. Customers can use AWS Config rules to define the desired configuration state of their AWS resources and trigger actions when a resource configuration violates a rule.

One of the AWS Config rules that customers can use is vpc-flow-logs-enabled, which checks whether VPC flow logs are enabled for all VPCs in an AWS account. Customers can also configure automatic remediation for this rule, which means that AWS Config will automatically enable VPC flow logs for any VPCs that do not have them enabled. Customers can specify the destination (CloudWatch Logs or S3) and the traffic type (all, accept, or reject) for the flow logs as remediation parameters. By using AWS Config and automatic remediation, the company can ensure that flow logs remain configured for all existing and new VPCs in its AWS account, regardless of who creates them or how they are created.

The other options are not correct because they do not meet the requirements or follow best practices. Adding the resource to the CloudFormation stack that creates the VPCs is not a sufficient solution because it will only work for VPCs that are created by using the CloudFormation stack. It will not work for VPCs that are created by using other methods, such as the console or the API. Creating an organization in AWS Organizations and creating an SCP to prevent users from modifying VPC flow logs is not a good solution because it will not ensure that flow logs are enabled for all VPCs in the first place. It will only prevent users from disabling or changing flow logs after they are enabled. Creating an IAM policy to deny the use of API calls for VPC flow logs and attaching it to all IAM users is not a valid solution because it will prevent users from enabling or disabling flow logs at all. It will also not work for VPCs that are created by using other methods, such as the console or CloudFormation.

1: AWS::EC2::FlowLog - AWS CloudFormation

2: Amazon VPC Flow Logs extends CloudFormation Support to custom format subscriptions, 1-minute aggregation intervals and tagging

3: Logging IP traffic using VPC Flow Logs - Amazon Virtual Private Cloud

About AWS Config - AWS Config

vpc-flow-logs-enabled - AWS Config

Remediate Noncompliant Resources with AWS Config Rules - AWS Config

A (S3 RTC) is required to meet the “replicated within 15 minutes” requirement in a verifiable way. Replication Time Control is the S3 feature that provides a 15-minute replication time SLA for replicated objects (instead of “best effort” replication timing).

B (S3 Multi-Region Access Point, active-passive) provides the most operationally efficient failover approach. An MRAP gives you a single global access point for S3 across Regions and supports controlled routing to the chosen bucket, avoiding custom DNS logic per application/client.

C (SubmitMultiRegionAccessPointRoutes) is the mechanism to perform failover for an MRAP by changing which Regional bucket is routed for the Multi-Region Access Point. This gives an explicit, API-driven “fail over now” action aligned with active-passive routing.

Why the others aren’t part of the “most operationally efficient” three:

D (Transfer Acceleration) optimizes upload/download performance over long distances , but it does not guarantee cross-Region replication within 15 minutes and doesn’t provide failover control.

E and F (Route 53 ARC) : ARC is great for controlling failover for endpoints behind routing controls, but for S3 bucket access the more direct and operationally simple approach is S3 Multi-Region Access Points with route updates via the S3 API. Using ARC here adds extra components/process compared to MRAP-native routing control.

https://aws.amazon.com/es/blogs/devops/complete-ci-cd-with-aws-codecommit-aws-codebuild-aws-codedeploy-and-aws-codepipeline/