DOP-C01 : AWS DevOps Engineer Professional : Part 09
-
A company’s application is currently deployed to a single AWS Region. Recently, the company opened a new office on a different continent. The users in the new office are experiencing high latency. The company’s application runs on Amazon EC2 instances behind an Application Load Balancer (ALB) and uses Amazon DynamoDB as the database layer. The instances run in an EC2 Auto Scaling group across multiple Availability Zones. A DevOps Engineer is tasked with minimizing application response times and improving availability for users in both Regions.
Which combination of actions should be taken to address the latency issues? (Choose three.)
- Create a new DynamoDB table in the new Region with cross-Region replication enabled.
- Create new ALB and Auto Scaling group global resources and configure the new ALB to direct traffic to the new Auto Scaling group.
- Create new ALB and Auto Scaling group resources in the new Region and configure the new ALB to direct traffic to the new Auto Scaling group.
- Create Amazon Route 53 records, health checks, and latency-based routing policies to route to the ALB.
- Create Amazon Route 53 aliases, health checks, and failover routing policies to route to the ALB.
- Convert the DynamoDB table to a global table.
-
A security review has identified that an AWS CodeBuild project is downloading a database population script from an Amazon S3 bucket using an unauthenticated request. The Security team does not allow unauthenticated requests to S3 buckets for this project.
How can this issue be corrected in the MOST secure manner?
- Add the bucket name to the AllowedBuckets section of the CodeBuild project settings. Update the build spec to use the AWS CLI to download the database population script.
- Modify the S3 bucket settings to enable HTTPS basic authentication and specify a token. Update the build spec to use cURL to pass the token and download the database population script.
- Remove unauthenticated access from the S3 bucket with a bucket policy. Modify the service role for the CodeBuild project to include Amazon S3 access. Use the AWS CLI to download the database population script.
- Remove unauthenticated access from the S3 bucket with a bucket policy. Use the AWS CLI to download the database population script using an IAM access key and a secret access key.
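To make the options above concrete, here is an added example (not part of the original question set) that audits a bucket policy for statements open to anonymous callers and emits a replacement that grants read access only to the CodeBuild service role and refuses non-TLS requests. Bucket name, role ARN and the open policy are constructed placeholders.

```python
"""Audit an S3 bucket policy for anonymous (unauthenticated) access and
produce a least-privilege replacement that only the build role may use.
Illustration only: bucket and role names below are made up."""
import json

# Constructed example of the kind of policy that lets anyone fetch the script.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-build-assets/*",
    }],
}


def _as_list(value):
    """Policy elements may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """'*' or {'AWS': '*'} means any caller, including unauthenticated ones."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def find_anonymous_grants(policy):
    """Return Sids (or positional names) of Allow statements open to anonymous
    callers. A Principal '*' that is only narrowed by a Condition is still
    reported, because unauthenticated access is exactly what the review forbids."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if _principal_is_anonymous(stmt.get("Principal")):
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings


def hardened_policy(bucket, build_role_arn):
    """Replace anonymous read with: only the CodeBuild service role may read,
    and every request must use TLS (explicit Deny when aws:SecureTransport is false).
    The role still needs s3:GetObject in its own identity policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "BuildRoleRead",
                "Effect": "Allow",
                "Principal": {"AWS": build_role_arn},
                "Action": ["s3:GetObject"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


if __name__ == "__main__":
    print("anonymous grants:", find_anonymous_grants(OPEN_POLICY))
    fixed = hardened_policy("example-build-assets",
                            "arn:aws:iam::123456789012:role/codebuild-db-seed")
    print("after hardening:", find_anonymous_grants(fixed))
    print(json.dumps(fixed, indent=2))
```

The Deny statement keeps Principal "*" deliberately: a Deny that applies to everyone is not an anonymous grant, and the audit function treats it that way. Pair the bucket policy with S3 Block Public Access so a later edit cannot quietly reopen the bucket.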
-
A DevOps Engineer is deploying an Amazon API Gateway API with an AWS Lambda function providing the backend functionality. The Engineer needs to record the source IP address and response status of every API call.
Which combination of actions should the DevOps Engineer take to implement this functionality? (Choose three.)
- Configure AWS X-Ray to enable access logging for the API Gateway requests.
- Configure the API Gateway stage to enable access logging and choose a logging format.
- Create a new Amazon CloudWatch Logs log group or choose an existing log group to store the logs.
- Grant API Gateway permission to read and write logs to Amazon CloudWatch through an IAM role.
- Create a new Amazon S3 bucket or choose an existing S3 bucket to store the logs.
- Configure API Gateway to stream its log data to Amazon Kinesis.
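An added example (not from the original question set) showing the two technical pieces behind this question: a JSON access-log format for the API Gateway stage that captures $context.identity.sourceIp and $context.status, and a small parser that runs over the resulting log lines. The sample lines are constructed to match that format; they are not real API Gateway output.

```python
"""Define an API Gateway access-log format that records source IP and
response status, then parse the JSON lines it produces. Added illustration;
the sample lines are constructed, not captured from a real stage."""
import json
from collections import Counter

# Format string handed to the stage's access-log settings. API Gateway
# substitutes the $context variables per request and writes one line per call.
ACCESS_LOG_FORMAT = json.dumps({
    "requestId": "$context.requestId",
    "ip": "$context.identity.sourceIp",
    "requestTime": "$context.requestTime",
    "httpMethod": "$context.httpMethod",
    "resourcePath": "$context.resourcePath",
    "status": "$context.status",
    "protocol": "$context.protocol",
    "responseLength": "$context.responseLength",
})


def access_log_variables():
    """Names of the $context variables the format above references."""
    return sorted(json.loads(ACCESS_LOG_FORMAT).values())


# Constructed sample of what would land in the CloudWatch Logs log group,
# including one malformed line that a robust parser must skip.
SAMPLE_LINES = """\
{"requestId":"a1","ip":"203.0.113.10","requestTime":"10/Mar/2021:12:00:01 +0000","httpMethod":"GET","resourcePath":"/items","status":"200","protocol":"HTTP/1.1","responseLength":"512"}
{"requestId":"a2","ip":"203.0.113.10","requestTime":"10/Mar/2021:12:00:02 +0000","httpMethod":"POST","resourcePath":"/items","status":"403","protocol":"HTTP/1.1","responseLength":"42"}
{"requestId":"a3","ip":"198.51.100.7","requestTime":"10/Mar/2021:12:00:03 +0000","httpMethod":"GET","resourcePath":"/items/{id}","status":"500","protocol":"HTTP/1.1","responseLength":"0"}
not-json garbage line that a parser must tolerate
{"requestId":"a4","ip":"203.0.113.10","requestTime":"10/Mar/2021:12:00:04 +0000","httpMethod":"GET","resourcePath":"/items","status":"403","protocol":"HTTP/1.1","responseLength":"42"}
"""


def parse_access_log(text):
    """Yield (source_ip, status_code) for every well-formed line; skip the rest."""
    for line in text.splitlines():
        try:
            rec = json.loads(line)
            yield rec["ip"], int(rec["status"])
        except (ValueError, KeyError):
            continue


def errors_by_source_ip(text, min_status=400):
    """Count 4xx/5xx responses per source IP, a cheap abuse or misconfiguration signal."""
    counts = Counter()
    for ip, status in parse_access_log(text):
        if status >= min_status:
            counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    print(ACCESS_LOG_FORMAT)
    print(errors_by_source_ip(SAMPLE_LINES))
```

Quoting every value in the format keeps each line valid JSON even when a variable is empty; keep status numeric in the parser rather than in the format for the same reason.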
-
A DevOps Engineer at a startup cloud-based gaming company has the task of formalizing deployment strategies. The strategies must meet the following requirements:
– Use standard Git commands, such as git clone and git push for the code repository.
– Management tools should maximize the use of platform solutions where possible.
– Deployment packages must be immutable and in the form of Docker images.
How can the Engineer meet these requirements?
- Use AWS CodePipeline to trigger a build process when software is pushed to a self-hosted GitHub repository. CodePipeline will use a Jenkins build server to build new Docker images. CodePipeline will deploy into a second target group in Amazon ECS behind an Application Load Balancer. Cutover will be managed by swapping the listener rules on the Application Load Balancer.
- Use AWS CodePipeline to trigger a build process when software is pushed to a private GitHub repository. CodePipeline will use AWS CodeBuild to build new Docker images. CodePipeline will deploy into a second target group in Amazon ECS behind an Application Load Balancer. Cutover will be managed by swapping the listener rules on the Application Load Balancer.
- Use a Jenkins pipeline to trigger a build process when software is pushed to a private GitHub repository. AWS CodePipeline will use AWS CodeBuild to build new Docker images. CodePipeline will deploy into a second target group in Amazon ECS behind an Application Load Balancer. Cutover will be managed by swapping the listener rules on the Application Load Balancer.
- Use AWS CodePipeline to trigger a build process when software is pushed to an AWS CodeCommit repository. CodePipeline will use an AWS CodeBuild build server to build new Docker images. CodePipeline will deploy into a second target group in a Kubernetes Cluster hosted on Amazon EC2 behind an Application Load Balancer. Cutover will be managed by swapping the listener rules on the Application Load Balancer.
-
An application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). A DevOps Engineer is using AWS CodeDeploy to release a new version. The deployment fails during the AllowTraffic lifecycle event, but a cause for the failure is not indicated in the deployment logs.
What would cause this?
- The appspec.yml file contains an invalid script to execute in the AllowTraffic lifecycle hook.
- The user who initiated the deployment does not have the necessary permissions to interact with the ALB.
- The health checks specified for the ALB target group are misconfigured.
- The CodeDeploy agent was not installed in the EC2 instances that are part of the ALB target group.
-
A company is deploying a container-based application using AWS CodeBuild. The Security team mandates that all containers are scanned for vulnerabilities prior to deployment using a password-protected endpoint. All sensitive information must be stored securely.
Which solution should be used to meet these requirements?
- Encrypt the password using AWS KMS. Store the encrypted password in the buildspec.yml file as an environment variable under the variables mapping. Reference the environment variable to initiate scanning.
- Import the password into an AWS CloudHSM key. Reference the CloudHSM key in the buildspec.yml file as an environment variable under the variables mapping. Reference the environment variable to initiate scanning.
- Store the password in the AWS Systems Manager Parameter Store as a secure string. Add the Parameter Store key to the buildspec.yml file as an environment variable under the parameter-store mapping. Reference the environment variable to initiate scanning.
- Use the AWS Encryption SDK to encrypt the password and embed in the buildspec.yml file as a variable under the secrets mapping. Attach a policy to CodeBuild to enable access to the required decryption key.
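An added example (not part of the original question set) that lints a parsed buildspec for secrets placed under env.variables, which CodeBuild stores in the project definition and echoes into build logs, versus the env.parameter-store mapping, which CodeBuild resolves at run time through the service role. The two buildspecs, the parameter name and the scanner command are constructed for illustration.

```python
"""Lint a CodeBuild buildspec (already parsed from YAML into a dict) for
secrets stored as plaintext environment variables. Added example; the
buildspecs, parameter name and scanner invocation are made up."""
import re

SECRET_HINT = re.compile(r"(pass(word)?|secret|token|api_?key|private_?key)", re.I)

# Constructed buildspec that leaks: the scanner password sits in plaintext.
BAD_BUILDSPEC = {
    "version": 0.2,
    "env": {"variables": {"SCANNER_URL": "https://scanner.example.internal",
                          "SCANNER_PASSWORD": "hunter2"}},
    "phases": {"build": {"commands": [
        'scan-image --password "$SCANNER_PASSWORD" "$IMAGE_URI"']}},
}

# Same build with the password pulled from a SecureString parameter at run time.
GOOD_BUILDSPEC = {
    "version": 0.2,
    "env": {
        "variables": {"SCANNER_URL": "https://scanner.example.internal"},
        "parameter-store": {"SCANNER_PASSWORD": "/ci/scanner/password"},
    },
    "phases": {"build": {"commands": [
        'scan-image --password "$SCANNER_PASSWORD" "$IMAGE_URI"']}},
}


def lint_buildspec(spec):
    """Return human-readable findings; an empty list means the spec is clean."""
    env = spec.get("env", {})
    findings = []
    for name, value in env.get("variables", {}).items():
        if SECRET_HINT.search(name) or SECRET_HINT.search(str(value)):
            findings.append(f"env.variables.{name} looks like a secret stored in plaintext")
    # Parameter Store entries must be parameter names (paths); a bare value
    # here is usually a secret pasted into the wrong mapping.
    for name, param in env.get("parameter-store", {}).items():
        if not str(param).startswith("/"):
            findings.append(f"env.parameter-store.{name} is not a parameter name: {param!r}")
    return findings


def required_iam_actions(spec):
    """IAM actions the CodeBuild service role needs for the mappings in use.
    A SecureString encrypted with a customer managed key also needs kms:Decrypt."""
    env = spec.get("env", {})
    actions = set()
    if env.get("parameter-store"):
        actions.add("ssm:GetParameters")
    if env.get("secrets-manager"):
        actions.add("secretsmanager:GetSecretValue")
    return sorted(actions)


if __name__ == "__main__":
    for label, spec in (("bad", BAD_BUILDSPEC), ("good", GOOD_BUILDSPEC)):
        print(label, lint_buildspec(spec) or "clean", required_iam_actions(spec))
```

The name-based heuristic is deliberately broad; run it in a pre-commit hook or a CodeBuild pre_build phase so a pasted credential is caught before the project definition is saved.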
-
A DevOps Engineer must ensure all IAM entity configurations across multiple AWS accounts in AWS Organizations are compliant with corporate IAM policies.
Which combination of steps will accomplish this? (Choose two.)
- Enable AWS Trusted Advisor in Organizations for all accounts to report on noncompliant IAM entities.
- Configure an AWS Config aggregator in the Organizations master account for all accounts.
- Deploy AWS Config rules to the master account in Organizations that match corporate IAM policies.
- Apply an SCP in Organizations to ensure compliance of IAM entities.
- Deploy AWS Config rules to all accounts in Organizations that match the corporate IAM policies.
-
A company has thousands of Amazon EC2 instances as well as hundreds of virtual machines on-premises. Developers routinely sign in to the console for on-premises systems to perform troubleshooting. The Developers want to sign in to AWS instances to run performance tools, but are unable to due to the lack of a central console logging system. A DevOps Engineer wants to ensure that console access is logged on all systems.
Which combination of steps will meet these requirements? (Choose two.)
- Attach a role to all AWS instances that contains the appropriate permissions. Create an AWS Systems Manager managed-instance activation. Install and configure Systems Manager Agent on on-premises machines.
- Enable AWS Systems Manager Session Manager logging to an Amazon S3 bucket. Direct Developers to connect to the systems with Session Manager only.
- Enable AWS Systems Manager Session Manager logging to AWS CloudTrail. Direct Developers to continue normal sign-in procedures for on-premises. Use Session Manager for AWS instances.
- Install and configure an Amazon CloudWatch Logs agent on all systems. Create an AWS Systems Manager managed-instance activation.
- Set up a Site-to-Site VPN connection between the on-premises and AWS networks. Set up a bastion instance to allow Developers to sign in to the AWS instances.
-
A DevOps team wants to be able to work on the same source code repository. The team has the following requirements for their development workflow and repository access controls:
– Only team members can clone the repository and create new branches.
– A production-ready code state should be isolated from any untested code changes.
– Code changes should be approved by another team member before merging to the production-ready master branch.
– All code change approvals must have an audit record.
– New team members can quickly modify code.
Which combination of actions will meet these requirements? (Choose three.)
- Check out the master branch and develop new features locally on a feature branch to keep the production-ready code isolated. Ask team members to review the changes before committing the changes locally.
- Create an AWS CodeCommit repository and an IAM group with permissions to read/write changes to the repository. Add new team members to this group.
- Create an AWS CodeCommit repository and an IAM role with permissions to read/write changes to the repository. Attach this IAM role to a single IAM user. Ensure each member of the team uses this IAM user. Provide new team members the credentials to this IAM user.
- Create a local feature branch from the master branch for new features. Commit the new code and push the changes to the feature branch in the repository.
- Create a pull request so other team members can review the code changes. Implement any suggestions, pull any additional changes from the master branch, and push to the feature branch again. Merge the master branch with the feature branch.
- Create a pull request so other team members can review the code changes. Implement any suggestions, pull any additional changes from the master branch, resolve any conflicts, and push to the feature branch again. Merge the feature branch with the master branch.
-
A company has a web application that uses an Amazon DynamoDB table in a single AWS Region to store user information. To support an increasingly global user base, the application must run in a secondary Region and allow users to connect to their closest Region and fail over to the secondary Region.
Which approach should be used to ensure the deployment meets these requirements?
- Configure DynamoDB streams to copy data between Regions, deploy the web stack in both Regions, and configure Amazon Route 53 to use a geoproximity routing policy with health checks.
- Convert the DynamoDB table to a global table, deploy the web stack in both Regions, and configure Amazon Route 53 to use a geoproximity routing policy with health checks.
- Define DynamoDB cross-region backups to copy data to the secondary Region, deploy the web stack in both Regions, and configure Amazon Route 53 to use a latency-based routing policy with health checks.
- Use DynamoDB Accelerator to copy data to the secondary Region, deploy the web stack in both Regions, and configure Amazon Route 53 to use a failover routing policy.
-
An ecommerce company uses a large number of Amazon EBS-backed Amazon EC2 instances. To decrease manual work across all the instances, a DevOps Engineer is tasked with automating restart actions when EC2 instance retirement events are scheduled.
How can this be accomplished?
- Create a scheduled Amazon CloudWatch Events rule to execute an AWS Systems Manager automation document that checks if any EC2 instances are scheduled for retirement once a week. If the instance is scheduled for retirement, the automation document will hibernate the instance.
- Enable EC2 Auto Recovery on all of the instances. Create an AWS Config rule to limit the recovery to occur during a maintenance window only.
- Reboot all EC2 instances during an approved maintenance window that is outside of standard business hours. Set up Amazon CloudWatch alarms to send a notification in case any instance is failing EC2 instance status checks.
- Set up an AWS Health Amazon CloudWatch Events rule to execute AWS Systems Manager automation documents that stop and start the EC2 instance when a retirement scheduled event occurs.
-
A company has containerized all of its in-house quality control applications. The company is running Jenkins on Amazon EC2, which requires patching and upgrading. The Compliance Officer has requested a DevOps Engineer begin encrypting build artifacts since they contain company intellectual property.
What should the DevOps Engineer do to accomplish this in the MOST maintainable manner?
- Automate patching and upgrading using AWS Systems Manager on EC2 instances and encrypt Amazon EBS volumes by default.
- Deploy Jenkins to an Amazon ECS cluster and copy build artifacts to an Amazon S3 bucket with default encryption enabled.
- Leverage AWS CodePipeline with a build action and encrypt the artifacts using AWS Secrets Manager.
- Use AWS CodeBuild with artifact encryption to replace the Jenkins instance running on Amazon EC2.
-
A DevOps Engineer is setting up a container-based architecture. The Engineer has decided to use AWS CloudFormation to automatically provision an Amazon ECS cluster and an Amazon EC2 Auto Scaling group to launch the EC2 container instances. After successfully creating the CloudFormation stack, the Engineer noticed that, even though the ECS cluster and the EC2 instances were created successfully and the stack finished the creation, the EC2 instances were associating with a different cluster.
How should the DevOps Engineer update the CloudFormation template to resolve this issue?
- Reference the EC2 instances in the AWS::ECS::Cluster resource and reference the ECS cluster in the AWS::ECS::Service resource.
- Reference the ECS cluster in the AWS::AutoScaling::LaunchConfiguration resource of the UserData property.
- Reference the ECS cluster in the AWS::EC2::Instance resource of the UserData property.
- Reference the ECS cluster in the AWS::CloudFormation::CustomResource resource to trigger an AWS Lambda function that registers the EC2 instances with the appropriate ECS cluster.
-
A company indexes all of its Amazon CloudWatch Logs on Amazon ES and uses Kibana to view a dashboard for actionable insight. The company wants to restrict user access to Kibana by user.
Which actions can a DevOps Engineer take to meet this requirement? (Choose two.)
- Create a proxy server with user authentication in an Auto Scaling group, and restrict access of the Amazon ES endpoint to an Auto Scaling group tag.
- Create a proxy server with user authentication and an Elastic IP address, and restrict access of the Amazon ES endpoint to the IP address.
- Create a proxy server with AWS IAM user, and restrict access of the Amazon ES endpoint to the IAM user.
- Use AWS SSO to offer user name and password protection for Kibana.
- Use Amazon Cognito to offer user name and password protection for Kibana.
-
A company’s DevOps team launches a WorkSpace using Amazon WorkSpaces for each new user. Recently, the Security team said that WorkSpaces for these new users are not consistently being tagged. Company policy requires that all WorkSpaces be tagged with USERNAME automatically upon creation.
Which combination of steps should the DevOps Engineer take to address this requirement? (Choose two.)
- Add an AWS Lambda function policy allowing cloudtrail.amazonaws.com to use the lambda:InvokeFunction action.
- Create a new Amazon CloudWatch Events event pattern rule based on Amazon WorkSpaces with an AWS API Call via CloudTrail event type. Select the CreateWorkspaces operation, and target an AWS Lambda function that will tag the Workspace.
- Ensure AWS CloudTrail is enabled in all Regions where WorkSpaces are created.
- Enable custom tagging for Amazon WorkSpaces from the directory details.
- Create a new Amazon CloudWatch Events scheduled event rule based on Amazon WorkSpaces with an interval of 1 minute. Target an AWS Lambda function that will tag the Workspace.
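An added example (not from the original question set) of the event-driven tagging mechanism the options describe: an event pattern that matches the CreateWorkspaces API call recorded by CloudTrail, and a Lambda handler that reads the WorkSpace IDs and user names from the call's response elements and tags each one with USERNAME. The event record is constructed to follow the shape of the CreateWorkspaces response; the directory, bundle and WorkSpace IDs are placeholders, and the WorkSpaces client is injected so the handler runs without AWS access.

```python
"""Tag each WorkSpace created by a CreateWorkspaces call with the user it was
created for. Added example: the event is constructed to match a CloudTrail
record delivered through an event rule, and the client is injectable so the
handler can be exercised offline."""
import json

# Event pattern for the rule that invokes the function.
EVENT_PATTERN = {
    "source": ["aws.workspaces"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["workspaces.amazonaws.com"],
        "eventName": ["CreateWorkspaces"],
    },
}


def workspaces_from_event(event):
    """Map workspaceId -> userName for every WorkSpace the call actually created.
    Entries under failedRequests carry no workspaceId and are ignored."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "CreateWorkspaces":
        return {}
    pending = (detail.get("responseElements") or {}).get("pendingRequests") or []
    return {w["workspaceId"]: w["userName"] for w in pending
            if w.get("workspaceId") and w.get("userName")}


def handler(event, context=None, client=None):
    """Lambda entry point. `client` is a boto3 WorkSpaces client when deployed;
    tests pass a recording stand-in."""
    if client is None:
        import boto3  # only resolved inside the Lambda runtime
        client = boto3.client("workspaces")
    tagged = []
    for workspace_id, user in workspaces_from_event(event).items():
        client.create_tags(ResourceId=workspace_id,
                           Tags=[{"Key": "USERNAME", "Value": user}])
        tagged.append(workspace_id)
    return {"tagged": tagged}


# Constructed record: one WorkSpace created, one request that failed.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.workspaces",
    "detail": {
        "eventSource": "workspaces.amazonaws.com",
        "eventName": "CreateWorkspaces",
        "requestParameters": {"workspaces": [
            {"directoryId": "d-0123456789", "userName": "jdoe", "bundleId": "wsb-example"},
            {"directoryId": "d-0123456789", "userName": "nosuchuser", "bundleId": "wsb-example"}]},
        "responseElements": {
            "pendingRequests": [{"workspaceId": "ws-abc123", "userName": "jdoe",
                                 "directoryId": "d-0123456789", "state": "PENDING"}],
            "failedRequests": [{"errorCode": "ResourceNotFound",
                                "workspaceRequest": {"userName": "nosuchuser"}}]},
    },
}


class RecordingClient:
    """Minimal stand-in for the WorkSpaces client; records create_tags calls."""
    def __init__(self):
        self.calls = []

    def create_tags(self, **kwargs):
        self.calls.append(kwargs)
        return {}


if __name__ == "__main__":
    fake = RecordingClient()
    print(handler(SAMPLE_EVENT, client=fake))
    print(json.dumps(fake.calls, indent=2))
```

Two operational caveats: the function is invoked by the events service, so its resource policy must allow that principal, and API-call events only exist for Regions where CloudTrail is recording the management events.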
-
A company has a mission-critical application on AWS that uses automatic scaling. The company wants the deployment lifecycle to meet the following parameters:
• The application must be deployed one instance at a time to ensure the remaining fleet continues to serve traffic.
• The application is CPU intensive and must be closely monitored.
• The deployment must automatically roll back if the CPU utilization of the deployment instance exceeds 85%.
Which solution will meet these requirements?
- Use AWS CloudFormation to create an AWS Step Functions state machine and Auto Scaling lifecycle hooks to move to one instance at a time into a wait state. Use AWS Systems Manager automation to deploy the update to each instance and move it back into the Auto Scaling group using the heartbeat timeout.
- Use AWS CodeDeploy with Amazon EC2 Auto Scaling. Configure an alarm tied to the CPU utilization metric. Use the CodeDeployDefault.OneAtATime configuration as a deployment strategy. Configure automatic rollbacks within the deployment group to roll back the deployment if the alarm thresholds are breached.
- Use AWS Elastic Beanstalk for load balancing and AWS Auto Scaling. Configure an alarm tied to the CPU utilization metric. Configure rolling deployments with a fixed batch size of one instance. Enable enhanced health to monitor the status of the deployment and roll back based on the alarm previously created.
- Use AWS Systems Manager to perform a blue/green deployment with Amazon EC2 Auto Scaling. Configure an alarm tied to the CPU utilization metric. Deploy updates one at a time. Configure automatic rollbacks within the Auto Scaling group to roll back the deployment if the alarm thresholds are breached.
-
A DevOps Engineer is architecting a continuous development strategy for a company’s software as a service (SaaS) web application running on AWS. For application and security reasons, users subscribing to this application are distributed across multiple Application Load Balancers (ALBs), each of which has a dedicated Auto Scaling group and fleet of Amazon EC2 instances. The application does not require a build stage, and when it is committed to AWS CodeCommit, the application must trigger a simultaneous deployment to all ALBs, Auto Scaling groups, and EC2 fleets.
Which architecture will meet these requirements with the LEAST amount of configuration?
- Create a single AWS CodePipeline pipeline that deploys the application in parallel using unique AWS CodeDeploy applications and deployment groups created for each ALB-Auto Scaling group pair.
- Create a single AWS CodePipeline pipeline that deploys the application using a single AWS CodeDeploy application and single deployment group.
- Create a single AWS CodePipeline pipeline that deploys the application in parallel using a single AWS CodeDeploy application and unique deployment group for each ALB-Auto Scaling group pair.
- Create an AWS CodePipeline pipeline for each ALB-Auto Scaling group pair that deploys the application using an AWS CodeDeploy application and deployment group created for the same ALB-Auto Scaling group pair.
-
A DevOps Engineer needs to back up sensitive Amazon S3 objects that are stored within an S3 bucket with a private bucket policy using the S3 cross-region replication functionality. The objects need to be copied to a target bucket in a different AWS Region and account.
Which actions should be performed to enable this replication? (Choose three.)
- Create a replication IAM role in the source account.
- Create a replication IAM role in the target account.
- Add statements to the source bucket policy allowing the replication IAM role to replicate objects.
- Add statements to the target bucket policy allowing the replication IAM role to replicate objects.
- Create a replication rule in the source bucket to enable the replication.
- Create a replication rule in the target bucket to enable the replication.
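An added example (not part of the original question set) that generates the documents cross-account replication depends on and cross-checks that they refer to the same role: the replication role's trust policy and permissions policy in the source account, the destination bucket policy in the target account, and the replication configuration on the source bucket. Account IDs, bucket and role names are placeholders; the check function is a consistency test, not an AWS API call.

```python
"""Build and cross-check the documents that cross-account S3 replication needs.
Added example; account IDs, bucket names and the role name are placeholders."""


def replication_documents(src_bucket, dst_bucket, src_account, dst_account,
                          role_name="s3-crr-role"):
    role_arn = f"arn:aws:iam::{src_account}:role/{role_name}"
    # The role lives in the source account and is assumed by the S3 service.
    trust_policy = {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": "s3.amazonaws.com"},
                       "Action": "sts:AssumeRole"}],
    }
    role_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:GetReplicationConfiguration", "s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{src_bucket}"},
            {"Effect": "Allow",
             "Action": ["s3:GetObjectVersionForReplication",
                        "s3:GetObjectVersionAcl", "s3:GetObjectVersionTagging"],
             "Resource": f"arn:aws:s3:::{src_bucket}/*"},
            # Owner override must be granted here and in the bucket policy below.
            {"Effect": "Allow",
             "Action": ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags",
                        "s3:ObjectOwnerOverrideToBucketOwner"],
             "Resource": f"arn:aws:s3:::{dst_bucket}/*"},
        ],
    }
    # Attached to the destination bucket in the target account; without it the
    # source-account role is denied regardless of its own permissions.
    dst_bucket_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowReplication", "Effect": "Allow",
             "Principal": {"AWS": role_arn},
             "Action": ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags",
                        "s3:ObjectOwnerOverrideToBucketOwner"],
             "Resource": f"arn:aws:s3:::{dst_bucket}/*"},
            {"Sid": "AllowVersioningChecks", "Effect": "Allow",
             "Principal": {"AWS": role_arn},
             "Action": ["s3:GetBucketVersioning", "s3:PutBucketVersioning"],
             "Resource": f"arn:aws:s3:::{dst_bucket}"},
        ],
    }
    # Set on the source bucket; both buckets must have versioning enabled.
    replication_config = {
        "Role": role_arn,
        "Rules": [{"ID": "backup-to-target-account", "Status": "Enabled",
                   "Priority": 1, "Filter": {},
                   "DeleteMarkerReplication": {"Status": "Disabled"},
                   "Destination": {"Bucket": f"arn:aws:s3:::{dst_bucket}",
                                   "Account": dst_account,
                                   "AccessControlTranslation": {"Owner": "Destination"}}}],
    }
    return {"trust_policy": trust_policy, "role_policy": role_policy,
            "destination_bucket_policy": dst_bucket_policy,
            "replication_configuration": replication_config}


def _allowed_actions(policy, principal_arn=None):
    """Collect Allow actions, optionally only those granted to one principal."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if principal_arn and stmt.get("Principal", {}).get("AWS") != principal_arn:
            continue
        acts = stmt["Action"]
        actions.update(acts if isinstance(acts, list) else [acts])
    return actions


def check_wiring(docs):
    """Return problems found when cross-checking the documents; [] means consistent."""
    role_arn = docs["replication_configuration"]["Role"]
    needed = {"s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"}
    problems = []
    if not needed <= _allowed_actions(docs["role_policy"]):
        problems.append("role policy lacks s3:Replicate* on the destination")
    if not needed <= _allowed_actions(docs["destination_bucket_policy"], role_arn):
        problems.append(f"destination bucket policy does not allow {role_arn}")
    trusted = {s["Principal"].get("Service") for s in docs["trust_policy"]["Statement"]}
    if "s3.amazonaws.com" not in trusted:
        problems.append("trust policy does not allow S3 to assume the role")
    return problems


if __name__ == "__main__":
    docs = replication_documents("src-bkt", "dst-bkt", "111111111111", "222222222222")
    print(check_wiring(docs) or "documents are consistent")
```

Owner override (AccessControlTranslation plus s3:ObjectOwnerOverrideToBucketOwner) matters for the backup use case: without it the replicated copies stay owned by the source account, and a compromised source account could still delete or re-permission them in the target bucket.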
-
A company is running an application on Amazon EC2 instances in an Auto Scaling group. Recently, an issue occurred that prevented EC2 instances from launching successfully, and it took several hours for the Support team to discover the issue. The Support team wants to be notified by email whenever an EC2 instance does not start successfully.
Which action will accomplish this?
- Add a health check to the Auto Scaling group to invoke an AWS Lambda function whenever an instance status is impaired.
- Configure the Auto Scaling group to send a notification to an Amazon SNS topic whenever a failed instance launch occurs.
- Create an Amazon CloudWatch alarm that invokes an AWS Lambda function when a failed AttachInstances Auto Scaling API call is made.
- Create a status check alarm on Amazon EC2 to send a notification to an Amazon SNS topic whenever a status check fail occurs.
-
A company runs an application with an Amazon EC2 and on-premises configuration. A DevOps Engineer needs to standardize patching across both environments. Company policy dictates that patching only happens during non-business hours.
Which combination of actions will meet these requirements? (Choose three.)
- Add the physical machines into AWS Systems Manager using Systems Manager Hybrid Activations.
- Attach an IAM role to the EC2 instances, allowing them to be managed by AWS Systems Manager.
- Create IAM access keys for the on-premises machines to interact with AWS Systems Manager.
- Execute an AWS Systems Manager Automation document to patch the systems every hour.
- Use Amazon CloudWatch Events scheduled events to schedule a patch window.
- Use AWS Systems Manager Maintenance Windows to schedule a patch window.