100% Free Amazon DOP-C02 Practice Test Questions

Question 1

A company is using AWS to run digital workloads. Each application team in the company has its own AWS account for application hosting. The accounts are consolidated in an organization in AWS Organizations. The company wants to enforce security standards across the entire organization. To avoid noncompliance because of security misconfiguration, the company has enforced the use of AWS CloudFormation. A production support team can modify resources in the production environment by using the AWS Management Console to troubleshoot and resolve application-related issues. A DevOps engineer must implement a solution to identify in near real time any AWS service misconfiguration that results in noncompliance. The solution must automatically remediate the issue within 15 minutes of identification. The solution also must track noncompliant resources and events in a centralized dashboard with accurate timestamps. Which solution will meet these requirements with the LEAST development overhead?

A : Use CloudFormation drift detection to identify noncompliant resources. Use drift detection events from CloudFormation to invoke an AWS Lambda function for remediation. Configure the Lambda function to publish logs to an Amazon CloudWatch Logs log group. Configure an Amazon CloudWatch dashboard to use the log group for tracking.

B : Turn on AWS CloudTrail in the AWS accounts. Analyze CloudTrail logs by using Amazon Athena to identify noncompliant resources. Use AWS Step Functions to track query results on Athena for drift detection and to invoke an AWS Lambda function for remediation. For tracking, set up an Amazon QuickSight dashboard that uses Athena as the data source.

C : Turn on the configuration recorder in AWS Config in all the AWS accounts to identify noncompliant resources. Enable AWS Security Hub with the ~no-enable-default-standards option in all the AWS accounts. Set up AWS Config managed rules and custom rules. Set up automatic remediation by using AWS Config conformance packs. For tracking, set up a dashboard on Security Hub in a designated Security Hub administrator account.

D : Turn on AWS CloudTrail in the AWS accounts. Analyze CloudTrail logs by using Amazon CloudWatch Logs to identify noncompliant resources. Use CloudWatch Logs filters for drift detection. Use Amazon EventBridge to invoke the Lambda function for remediation. Stream filtered CloudWatch logs to Amazon OpenSearch Service. Set up a dashboard on OpenSearch Service for tracking.

Answer: C

Question 2

A company deploys an application to Amazon EC2 instances. The application runs Amazon Linux 2 and uses AWS CodeDeploy. The application has the following file structure for its code repository:

The appspec.yml file has the following contents in the files section:

What will the result be for the deployment of the config.txt file?

A : The config.txt file will be deployed to only /var/www/html/config/config.txt.

B : The config.txt file will be deployed to /usr/local/src/config.txt and to /var/www/html/config/config.txt.

C : The config.txt file will be deployed to only /usr/local/src/config.txt.

D : The config.txt file will be deployed to /usr/local/src/config.txt and to /var/www/html/application/web/config.txt.

Answer: C

Question 3

A company manages a multi-tenant environment in its VPC and has configured Amazon GuardDuty for the corresponding AWS account. The company sends all GuardDuty findings to AWS Security Hub.

Traffic from suspicious sources is generating a large number of findings. A DevOps engineer needs to implement a solution to automatically deny traffic across the entire VPC when GuardDuty discovers a new suspicious source.

Which solution will meet these requirements?

A : A. Create a GuardDuty threat list. Configure GuardDuty to reference the list. Create an AWS Lambda function that will update the threat list. Configure the Lambda function to run in response to new Security Hub findings that come from GuardDuty.

B : Configure an AWS WAF web ACL that includes a custom rule group. Create an AWS Lambda function that will create a block rule in the custom rule group. Configure the Lambda function to run in response to new Security Hub findings that come from GuardDuty.

C : Configure a firewall in AWS Network Firewall. Create an AWS Lambda function that will create a Drop action rule in the firewall policy. Configure the Lambda function to run in response to new Security Hub findings that come from GuardDuty

D : Create an AWS Lambda function that will create a GuardDuty suppression rule. Configure the Lambda function to run in response to new Security Hub findings that come from GuardDuty.

Answer: B

Question 4

A company uses a single AWS account to test applications on Amazon EC2 instances. The company has turned on AWS Config in the AWS account and has activated the restricted-ssh AWS Config managed rule.

The company needs an automated monitoring solution that will provide a customized notification in real time if any security group in the account is not compliant with the restricted-ssh rule. The customized notification must contain the name and ID of the noncompliant security group.

A DevOps engineer creates an Amazon Simple Notification Service (Amazon SNS) topic in the account and subscribes the appropriate personnel to the topic.

What should the DevOps engineer do next to meet these requirements?

A : Create an Amazon EventBridge rule that matches an AWS Config evaluation result of NON_COMPLIANT for the restricted-ssh rule. Configure an input transformer for the EventBridge rule. Configure the EventBridge rule to publish a notification to the SNS topic.

B : Configure AWS Config to send all evaluation results for the restricted-ssh rule to the SNS topic. Configure a filter policy on the SNS topic to send only notifications that contain the text of NON_COMPLIANT in the notification to subscribers.

C : Create an Amazon EventBridge rule that matches an AWS Config evaluation result of NON_COMPLIANT for the restricted-ssh rule. Configure the EventBridge rule to invoke AWS Systems Manager Run Command on the SNS topic to customize a notification and to publish the notification to the SNS topic.

D : Create an Amazon EventBridge rule that matches all AWS Config evaluation results of NON_COMPLIANT. Configure an input transformer for the restricted-ssh rule. Configure the EventBridge rule to publish a notification to the SNS topic.

Answer: A

Question 5

An enterprise resource planning application is hosted in an Auto Scaling group of EC2 instances behind an Application Load Balancer which uses an Amazon DynamoDB table as its data store. For the application’s reporting module, there are five Lambda functions which are reading from the DynamoDB Streams of the table to count the number of products, monitor the inventory, generate reports, move new items to a Kinesis Data Firehose for analytics, and many more. The operations team discovered that in peak times, the Lambda functions are getting a stream throttling error and some of the requests fail which affects the performance of the reporting module.

Which of the following is the MOST scalable and cost-effective solution with the LEAST amount of operational overhead?

A : Refactor your architecture to use Amazon Kinesis Adapter for real-time processing of streaming data at a massive scale instead of directly consuming the stream using Lambda. Re-architect the reporting module to use Amazon Kinesis Data Analytics.

B : Use the Amazon CodeGuru service to optimize the codebase of the reporting module. Create a new global secondary index (GSI) in the DynamoDB table to improve the performance of the queries. Increase the allocated RCU of the table. Disable the Amazon DynamoDB streams and refactor the Lambda functions to directly query from the table. Refactor the reporting module to use Amazon Kinesis Data Analytics.

C : Create a new local secondary index (LSI) in the DynamoDB table to improve the performance of the queries. Double the allocated RCU of the table. Refactor the Lambda functions to directly query from the table and disable the DynamoDB streams. Increase the concurrency limits of each Lambda function to avoid throttling errors and set the ParallelizationFactor to 10. Re-architect the reporting module to use Amazon Kinesis Data Analytics.

D : Delete all of the Lambda functions and move all of the processing on an Amazon ECS Cluster with Auto Scaling enabled using AWS App Runner. Set up AWS Glue to consume the DynamoDB stream which will be processed by ECS. Re-factor the reporting module to use Amazon Kinesis Data Analytics.

Answer: A

Free Practice Amazon DOP-C02 Exam Questions 2025