Amazon Web Services DOP-C02 Practice Test Questions Answers

CloudWatch metric filters can parse logs directly to create metrics without additional infrastructure.

Metric filters combined with CloudWatch dashboards provide the simplest and most operationally efficient solution.

Options A, B, and D add complexity with additional services (OpenSearch, Lambda, Kinesis).

Deployment of config.txt file based on the appspec.yml:

The appspec.yml file specifies that config/config.txt should be copied to /usr/local/src/config.txt.

The source: / directive in the appspec.yml indicates that the entire directory structure starting from the root of the application source should be copied to the specified destination, which is /var/www/html.

Result of the Deployment:

The config.txt file will be specifically deployed to /usr/local/src/config.txt as per the explicit file mapping.

The entire directory structure including application/web will be copied to /var/www/html, but this does not include config/config.txt since it has a specific destination defined.

Thus, the config.txt file will be deployed only to /usr/local/src/config.txt.

Therefore, the correct answer is:

C. The config.txt file will be deployed to only /usr/local/src/config.txt.

Amazon EventBridge can directly consume AWS Health events as an event source. You can specify event types such as “AWS_EC2_INSTANCE_RETIREMENT_SCHEDULED” or “AWS_EC2_INSTANCE_TERMINATION_SCHEDULED.” The rule’s target should invoke the Systems Manager Automation document (runbook) AWS-RestartEC2Instance to automate the restart within a defined maintenance window. This event-driven automation pattern is described in AWS documentation: “Automating AWS Health event remediation using EventBridge and Systems Manager.”

Step 1: Using Service Control Policies (SCPs) for EC2 SecurityTo limit the use of EC2 instance credentials to the specific EC2 instance they are assigned to, you can create a Service Control Policy (SCP) that verifies specific conditions, such as whether the EC2 instance's source VPC and private IP match expected values.

Action: Create an SCP that checks whether the values of the aws:EC2InstanceSourceVPC and aws:SourceVpc condition keys are the same. Deny access if they are not.

Why: This ensures that credentials cannot be used outside the designated EC2 instance or VPC.

Step 2: Further Validation with Private IPsThe SCP should also verify that the EC2 instance's private IP matches the IP range specified for the VPC. If the instance's private IP does not match, access should be denied.

Action: In the same SCP, check whether the values of the aws:EC2InstanceSourcePrivateIP and aws:VpcSourceIP condition keys are the same. Deny access if they are not.

Why: This ensures that the credentials are only used within the specific EC2 instance and its associated VPC.

Accessing a secret from AWS Secrets Manager that is encrypted with a customer managed KMS key requires two distinct permission layers to succeed:

Secrets Manager permissions (via IAM) such as secretsmanager:GetSecretValue for the IAM role assumed by the Kubernetes service account.

KMS key usage permissions in the KMS key policy, allowing the same IAM principal to perform kms:Decrypt (and possibly kms:GenerateDataKey) on the customer managed key.

In this scenario, the service account assumes an IAM role explicitly created to access the secrets. The symptom is an HTTP 403 “Access Denied” when retrieving the secret. If the IAM role has Secrets Manager permissions but the call still fails, the typical root cause is that the KMS key policy does not trust or allow that IAM role, so the decrypt operation fails.

Option B correctly identifies that the KMS key policy must include the Kubernetes service account IAM role as a principal with the appropriate KMS actions.

Option A and C refer to the EKS cluster IAM role, which is not the principal making the call. Option D is unrelated: the role’s ability to “access the EKS cluster” does not affect its ability to call Secrets Manager or KMS. The missing KMS key policy permission is the underlying cause.