DOP-C01 : AWS DevOps Engineer Professional : Part 12

  1. An application running on multiple Amazon EC2 instances pulls messages from a standard Amazon SQS queue. A requirement for the application is that all messages must be encrypted at rest.

    Developers are instructed to use methods that allow for centralized key management and minimize possible support requirements whenever possible.

    Which of the following solutions supports these requirements?

    • Encrypt individual messages by using client-side encryption with customer managed keys, then write to the SQS queue.
    • Encrypt individual messages by using SQS Extended Client and the Amazon S3 encryption client.
    • Create an SQS queue, and encrypt the queue by using server-side encryption with AWS KMS.
    • Create an SQS queue, and encrypt the queue by using client-side encryption.
  2. A developer tested an application locally and then deployed it to AWS Lambda. While testing the application remotely, the Lambda function fails with an access denied message.

    How can this issue be addressed?

    • Update the Lambda function’s execution role to include the missing permissions.
    • Update the Lambda function’s resource policy to include the missing permissions.
    • Include an IAM policy document at the root of the deployment package and redeploy the Lambda function.
    • Redeploy the Lambda function using an account with access to the AdministratorAccess policy.
  3. The development team is creating a social media game which ranks users on a scoreboard. The current implementation uses an Amazon RDS for MySQL database for storing user data; however, the game cannot display scores quickly enough during performance testing.

    Which service would provide the fastest retrieval times?

    • Migrate user data to Amazon DynamoDB for managing content.
    • Use AWS Batch to compute and deliver user and score content.
    • Deploy Amazon CloudFront for user and score content delivery.
    • Set up Amazon ElastiCache to deliver user and score content.
  4. A developer has written an application that writes data to Amazon DynamoDB. The DynamoDB table has been configured to use conditional writes. During peak usage times, writes are failing due to a ConditionalCheckFailedException error.

    How can the developer increase the application’s reliability when multiple clients are attempting to write to the same record?

    • Write the data to an Amazon SNS topic.
    • Increase the amount of write capacity for the table to anticipate short-term spikes or bursts in write operations.
    • Implement a caching solution, such as DynamoDB Accelerator or Amazon ElastiCache.
    • Implement error retries and exponential backoff with jitter.
  5. A company uses federated access for its AWS environment. The company creates and manages IAM roles by using AWS CloudFormation from a CI/CD pipeline. All changes should be made to the IAM roles through the pipeline.

    The company’s security team discovers that out-of-band changes are being made to the IAM roles. The security team needs a way to detect when these out-of-band changes occur.

    What should a DevOps engineer do to meet this requirement?

    • Use Amazon Inspector rules to detect and notify when an AWS CloudFormation stack has a configuration change.
    • Use AWS Trusted Advisor to detect and notify when an AWS CloudFormation stack has a configuration change.
    • Use AWS CloudTrail to detect and notify when an AWS CloudFormation stack detects a configuration change.
    • Use an AWS Config rule to detect and notify when AWS CloudFormation drift detection identifies a configuration change.
  6. An application running on a set of Amazon EC2 instances in an Auto Scaling group requires a configuration file to operate. The instances are created and maintained with AWS CloudFormation. A DevOps engineer wants the instances to have the latest configuration file when launched, and wants changes to the configuration file to be reflected on all the instances with a minimal delay when the CloudFormation template is updated. Company policy requires that application configuration files be maintained along with AWS infrastructure configuration files in source control.

    Which solution will accomplish this?

    • In the CloudFormation template, add an AWS Config rule. Place the configuration file content in the rule’s InputParameters property, and set the Scope property to the EC2 Auto Scaling group. Add an AWS Systems Manager Resource Data Sync resource to the template to poll for updates to the configuration.
    • In the CloudFormation template, add an EC2 launch template resource. Place the configuration file content in the launch template. Configure the cfn-init script to run when the instance is launched, and configure the cfn-hup script to poll for updates to the configuration.
    • In the CloudFormation template, add an EC2 launch template resource. Place the configuration file content in the launch template. Add an AWS Systems Manager Resource Data Sync resource to the template to poll for updates to the configuration.
    • In the CloudFormation template, add CloudFormation init metadata. Place the configuration file content in the metadata. Configure the cfn-init script to run when the instance is launched, and configure the cfn-hup script to poll for updates to the configuration.
  7. A company is using AWS CodeCommit as its source code repository. After an internal audit, the compliance team mandates that any code change that goes into the master branch must be committed by senior developers.

    Which solution will meet these requirements?

    • Create two repositories in CodeCommit: one for working and another for the master. Create separate IAM groups for senior developers and developers. Assign the resource-level permissions on the repositories tied to the IAM groups. After the code changes are reviewed, sync the approved files to the master code commit repository.
    • Create a repository in CodeCommit. Create separate IAM groups for senior developers and developers. Assign code commit permissions for both groups, with code merge permissions for the senior developers group. Create a trigger to notify senior developers with a URL link to approve or deny commit requests delivered through Amazon SNS. Once a senior developer approves the code, the code gets merged to the master branch.
    • Create a repository in CodeCommit with a working and master branch. Create separate IAM groups for senior developers and developers. Use an IAM policy to assign each IAM group their corresponding branches. Once the code is merged to the working branch, senior developers can pull the changes from the working branch to the master branch.
    • Create a repository in CodeCommit. Create separate IAM groups for senior developers and developers. Use AWS Lambda triggers on the master branch and get the user name of the developer at the event object of the Lambda function. Validate the user name with the IAM group to approve or deny the commit.
  8. A DevOps engineer used an AWS CloudFormation custom resource to set up AD Connector. The AWS Lambda function executed and created AD Connector, but CloudFormation is not transitioning from CREATE_IN_PROGRESS to CREATE_COMPLETE.

    Which action should the engineer take to resolve this issue?

    • Ensure the Lambda function code has exited successfully.
    • Ensure the Lambda function code returns a response to the pre-signed URL.
    • Ensure the Lambda function IAM role has cloudformation:UpdateStack permissions for the stack ARN.
    • Ensure the Lambda function IAM role has ds:ConnectDirectory permissions for the AWS account.
  9. A DevOps engineer is tasked with creating a more stable deployment solution for a web application in AWS. Previous deployments have resulted in user-facing bugs, premature user traffic, and inconsistencies between web servers running behind an Application Load Balancer. The current strategy uses AWS CodeCommit to store the code for the application. When developers push to the master branch of the repository, CodeCommit triggers an AWS Lambda deploy function, which invokes an AWS Systems Manager run command to build and deploy the new code to all Amazon EC2 instances.

    Which combination of actions should be taken to implement a more stable deployment solution? (Choose two.)

    • Create a pipeline in AWS CodePipeline with CodeCommit as a source provider. Create parallel pipeline stages to build and test the application. Pass the build artifact to AWS CodeDeploy.
    • Create a pipeline in AWS CodePipeline with CodeCommit as a source provider. Create separate pipeline stages to build and then test the application. Pass the build artifact to AWS CodeDeploy.
    • Create and use an AWS CodeDeploy application and deployment group to deploy code updates to the EC2 fleet. Select the Application Load Balancer for the deployment group.
    • Create individual Lambda functions to run all build, test, and deploy actions using AWS CodeDeploy instead of AWS Systems Manager.
    • Modify the Lambda function to build a single application package to be shared by all instances. Use AWS CodeDeploy instead of AWS Systems Manager to update the code on the EC2 fleet.
  10. A company uses AWS Storage Gateway in file gateway mode in front of an Amazon S3 bucket that is used by multiple resources. In the morning when business begins, users do not see the objects processed by a third party the previous evening. When a DevOps engineer looks directly at the S3 bucket, the data is there, but it is missing in Storage Gateway.

    Which solution ensures that all the updated third-party files are available in the morning?

    • Configure a nightly Amazon EventBridge (Amazon CloudWatch Events) event to trigger an AWS Lambda function to run the RefreshCache command for Storage Gateway.
    • Instruct the third party to put data into the S3 bucket using AWS Transfer for SFTP.
    • Modify Storage Gateway to run in volume gateway mode.
    • Use S3 same-Region replication to replicate any changes made directly in the S3 bucket to Storage Gateway.
  11. A company’s legacy application uses IAM user credentials to access resources in the company’s AWS Organizations organization. A DevOps engineer needs to ensure new IAM users cannot be created unless the employee creating the IAM user is on an exception list.

    Which solution will meet these requirements?

    • Attach an Organizations SCP with an explicit deny for all iam:CreateAccessKey actions with a condition that excludes StringNotEquals for aws:username with a value of the exception list.
    • Attach an Organizations SCP with an explicit deny for all iam:CreateUser actions with a condition that includes StringNotLike for aws:username with a value of the exception list.
    • Create an Amazon EventBridge (Amazon CloudWatch Events) rule with a pattern that matches the iam:CreateAccessKey action with an AWS Lambda function target. The function will check the user name and account against an exception list. If the user is not in the exception list, the function will delete the user.
    • Create an Amazon EventBridge (Amazon CloudWatch Events) rule with a pattern that matches the iam:CreateUser action with an AWS Lambda function target. The function will check the user name and account against an exception list. If the user is not in the exception list, the function will delete the user.
  12. A company has an application that is using a MySQL-compatible Amazon Aurora Multi-AZ DB cluster as the database. A cross-Region read replica has been created for disaster recovery purposes. A DevOps engineer wants to automate the promotion of the replica so it becomes the primary database instance in the event of a failure.

    Which solution will accomplish this?

    • Configure a latency-based Amazon Route 53 CNAME with health checks so it points to both the primary and replica endpoints. Subscribe an Amazon SNS topic to Amazon RDS failure notifications from AWS CloudTrail and use that topic to trigger an AWS Lambda function that will promote the replica instance as the master.
    • Create an Aurora custom endpoint to point to the primary database instance. Configure the application to use this endpoint. Configure AWS CloudTrail to run an AWS Lambda function to promote the replica instance and modify the custom endpoint to point to the newly promoted instance.
    • Create an AWS Lambda function to modify the application’s AWS CloudFormation template to promote the replica, apply the template to update the stack, and point the application to the newly promoted instance. Create an Amazon CloudWatch alarm to trigger this Lambda function after the failure event occurs.
    • Store the Aurora endpoint in AWS Systems Manager Parameter Store. Create an Amazon EventBridge (Amazon CloudWatch Events) event that detects the database failure and runs an AWS Lambda function to promote the replica instance and update the endpoint URL stored in AWS Systems Manager Parameter Store. Code the application to reload the endpoint from Parameter Store if a database connection fails.
  13. A software company wants to automate the build process for a project where the code is stored in GitHub. When the repository is updated, source code should be compiled, tested, and pushed to Amazon S3.

    Which combination of steps would address these requirements? (Choose three.)

    • Add a buildspec.yml file to the source code with build instructions.
    • Configure a GitHub webhook to trigger a build every time a code change is pushed to the repository.
    • Create an AWS CodeBuild project with GitHub as the source repository.
    • Create an AWS CodeDeploy application with the Amazon EC2/On-Premises compute platform.
    • Create an AWS OpsWorks deployment with the install dependencies command.
    • Provision an Amazon EC2 instance to perform the build.
  14. A DevOps engineer is deploying a new version of a company’s application in an AWS CodeDeploy deployment group associated with its Amazon EC2 instances. After some time, the deployment fails. The engineer realizes that all the events associated with the specific deployment ID are in a Skipped status, and code was not deployed in the instances associated with the deployment group.

    What are valid reasons for this failure? (Choose two.)

    • The networking configuration does not allow the EC2 instances to reach the internet via a NAT gateway or internet gateway, and the CodeDeploy endpoint cannot be reached.
    • The IAM user who triggered the application deployment does not have permission to interact with the CodeDeploy endpoint.
    • The target EC2 instances were not properly registered with the CodeDeploy endpoint.
    • An instance profile with proper permissions was not attached to the target EC2 instances.
    • The appspec.yml file was not included in the application revision.
  15. A company recently migrated its legacy application from on-premises to AWS. The application is hosted on Amazon EC2 instances behind an Application Load Balancer, which is behind Amazon API Gateway. The company wants to ensure users experience minimal disruptions during any deployment of a new version of the application. The company also wants to ensure it can quickly roll back updates if there is an issue.

    Which solution will meet these requirements with MINIMAL changes to the application?

    • Introduce changes as a separate environment parallel to the existing one. Configure API Gateway to use a canary release deployment to send a small subset of user traffic to the new environment.
    • Introduce changes as a separate environment parallel to the existing one. Update the application’s DNS alias records to point to the new environment.
    • Introduce changes as a separate target group behind the existing Application Load Balancer. Configure API Gateway to route user traffic to the new target group in steps.
    • Introduce changes as a separate target group behind the existing Application Load Balancer. Configure API Gateway to route all traffic to the Application Load Balancer, which then sends the traffic to the new target group.
  16. A company runs an application consisting of an AWS CodeDeploy deployment group that uses Auto Scaling and an Application Load Balancer. The application deployments are automated using AWS CodePipeline, which consists of AWS CodeCommit as the source and AWS CodeDeploy as the deployment provider.

    After a recent successful deployment, the application experienced an outage for several minutes until the deployment was manually rolled back. A DevOps engineer verified that the pipeline was successful and did not indicate any errors, but found that the code caused the application to become unresponsive after several hours.

    Which actions will help to prevent future downtime in similar situations? (Choose two.)

    • Configure a TCP health check for the Auto Scaling target group on a listening port of the application.
    • Configure an HTTP or HTTPS health check for the Auto Scaling target group to check a specific application path.
    • Create a script to test the application health and execute the script during the BeforeInstall lifecycle hook in the CodeDeploy appspec.yml file.
    • Update the CodeDeploy deployment group to roll back automatically to the previous version if the deployment fails.
    • Update the CodeDeploy deployment group to roll back based on a custom Amazon CloudWatch alarm using an application status metric.
  17. A DevOps engineer is deploying an AWS Service Catalog portfolio using AWS CodePipeline. The pipeline should create products and templates based on a manifest file in either JSON or YAML, and should enforce security requirements on all AWS Service Catalog products managed through the pipeline.

    Which solution will meet the requirements in an automated fashion?

    • Use the AWS Service Catalog deploy action in AWS CodeDeploy to push new versions of products into the AWS Service Catalog with verification steps in the CodeDeploy AppSpec.
    • Use the AWS Service Catalog deploy action in AWS CodeBuild to verify and push new versions of products into the AWS Service Catalog.
    • Use an AWS Lambda action in CodePipeline to run a Lambda function to verify and push new versions of products into the AWS Service Catalog.
    • Use an AWS Lambda action in AWS CodeBuild to run a Lambda function to verify and push new versions of products into the AWS Service Catalog.
  18. A company wants to use AWS Systems Manager documents to bootstrap physical laptops for developers. The bootstrap code is stored in GitHub. A DevOps engineer has already created a Systems Manager activation, installed the Systems Manager agent with the registration code, and installed an activation ID on all the laptops.

    Which set of steps should be taken next?

    • Configure the Systems Manager document to use the AWS-RunShellScript command to copy the files from GitHub to Amazon S3, then use the aws-downloadContent plugin with a sourceType of S3.
    • Configure the Systems Manager document to use the aws-configurePackage plugin with an install action and point to the Git repository.
    • Configure the Systems Manager document to use the aws-downloadContent plugin with a sourceType of GitHub and sourceInfo with the repository details.
    • Configure the Systems Manager document to use the aws:softwareInventory plugin and run the script from the Git repository.
  19. A company requires its internal business teams to launch resources through pre-approved AWS CloudFormation templates only. The security team requires automated monitoring when resources drift from their expected state.

    Which strategy should be used to meet these requirements?

    • Allow users to deploy CloudFormation stacks using a CloudFormation service role only. Use CloudFormation drift detection to detect when resources have drifted from their expected state.
    • Allow users to deploy CloudFormation stacks using a CloudFormation service role only. Use AWS Config rules to detect when resources have drifted from their expected state.
    • Allow users to deploy CloudFormation stacks using AWS Service Catalog only. Enforce the use of a launch constraint. Use AWS Config rules to detect when resources have drifted from their expected state.
    • Allow users to deploy CloudFormation stacks using AWS Service Catalog only. Enforce the use of a template constraint. Use Amazon EventBridge (Amazon CloudWatch Events) notifications to detect when resources have drifted from their expected state.
  20. A company requires an RPO of 2 hours and an RTO of 10 minutes for its data and application at all times. An application uses a MySQL database and Amazon EC2 web servers. The development team needs a strategy for failover and disaster recovery.

    Which combination of deployment strategies will meet these requirements? (Choose two.)

    • Create an Amazon Aurora cluster in one Availability Zone across multiple Regions as the data store. Use Aurora’s automatic recovery capabilities in the event of a disaster.
    • Create an Amazon Aurora global database in two Regions as the data store. In the event of a failure, promote the secondary Region as the master for the application.
    • Create an Amazon Aurora multi-master cluster across multiple Regions as the data store. Use a Network Load Balancer to balance the database traffic in different Regions.
    • Set up the application in two Regions and use Amazon Route 53 failover-based routing that points to the Application Load Balancers in both Regions. Use health checks to determine the availability in a given Region. Use Auto Scaling groups in each Region to adjust capacity based on demand.
    • Set up the application in two Regions and use a multi-Region Auto Scaling group behind Application Load Balancers to manage the capacity based on demand. In the event of a disaster, adjust the Auto Scaling group’s desired instance count to increase baseline capacity in the failover Region.