DOP-C02 (Page 11)

A company uses a single AWS account to test applications on Amazon EC2 instances.The company has turned on AWS Config in the AWS account and has activated the restricted-ssh AWS Config managed rule.The company needs an automated monitoring solution that will provide a customized notification in real time if any security group in the account is not compliant with the restricted-ssh rule.The customized notification must contain the name and ID of the noncompliant security group.A DevOps engineer creates an Amazon Simple Notification Service (Amazon SNS) topic in the account and subscribes the appropriate personnel to the topic.What should the DevOps engineer do next to meet these requirements?Read More →

A DevOps engineer needs to back up sensitive Amazon S3 objects that are stored within an S3 bucket with a private bucket policy using S3 cross-Region replication functionality.The objects need to be copied to a target bucket in a different AWS Region and account.Which combination of actions should be performed to enable this replication? (Choose three.)Read More →

A company uses AWS Storage Gateway in file gateway mode in front of an Amazon S3 bucket that is used by multiple resources.In the morning when business begins, users do not see the objects processed by a third party the previous evening.When a DevOps engineer looks directly at the S3 bucket, the data is there, but it is missing in Storage Gateway.Which solution ensures that all the updated third-party files are available in the morning?Read More →

A company has a single AWS account that runs hundreds of Amazon EC2 instances in a single AWS Region.New EC2 instances are launched and terminated each hour in the account.The account also includes existing EC2 instances that have been running for longer than a week.The company’s security policy requires all running EC2 instances to use an EC2 instance profile.If an EC2 instance does not have an instance profile attached, the EC2 instance must use a default instance profile that has no IAM permissions assigned.A DevOps engineer reviews the account and discovers EC2 instances that are running without an instance profile.During the review, the DevOps engineer also observes that new EC2 instances are being launched without an instance profile.Which solution will ensure that an instance profile is attached to all existing and future EC2 instances in the Region?Read More →

A DevOps engineer is implementing governance controls for a company that requires its infrastructure to be housed within the United States.The engineer must restrict which AWS Regions can be used, and ensure an alert is sent as soon as possible if any activity outside the governance policy takes place.The controls should be automatically enabled on any new Region outside the United States (US).Which combination of actions will meet these requirements? (Choose two.)Read More →

A company has 20 service teams.Each service team is responsible for its own microservice.Each service team uses a separate AWS account for its microservice and a VPC with the 192.168.0.0/22 CIDR block.The company manages the AWS accounts with AWS Organizations.Each service team hosts its microservice on multiple Amazon EC2 instances behind an Application Load Balancer.The microservices communicate with each other across the public internet.The company’s security team has issued a new guideline that all communication between microservices must use HTTPS over private network connections and cannot traverse the public internet.A DevOps engineer must implement a solution that fulfills these obligations and minimizes the number of changes for each service team.Which solution will meet these requirements?Read More →

A company uses an organization in AWS Organizations to manage its AWS accounts.The company’s automation account contains a CI/CD pipeline that creates and configures new AWS accounts.The company has a group of internal service teams that provide services to accounts in the organization.The service teams operate out of a set of services accounts.The service teams want to receive an AWS CloudTrail event in their services accounts when the CreateAccount API call creates a new account.How should the company share this CloudTrail event with the service accounts?Read More →

A development team uses AWS CodeCommit, AWS CodePipeline, and AWS CodeBuild to develop and deploy an application.Changes to the code are submitted by pull requests.The development team reviews and merges the pull requests, and then the pipeline builds and tests the application.Over time, the number of pull requests has increased.The pipeline is frequently blocked because of failing tests.To prevent this blockage, the development team wants to run the unit and integration tests on each pull request before it is merged.Which solution will meet these requirements?Read More →

A company hosts a security auditing application in an AWS account.The auditing application uses an IAM role to access other AWS accounts.All the accounts are in the same organization in AWS Organizations.A recent security audit revealed that users in the audited AWS accounts could modify or delete the auditing application’s IAM role.The company needs to prevent any modification to the auditing application’s IAM role by any entity other than a trusted administrator IAM role.Which solution will meet these requirements?Read More →

A company recently migrated its legacy application from on-premises to AWS.The application is hosted on Amazon EC2 instances behind an Application Load Balancer, which is behind Amazon API Gateway.The company wants to ensure users experience minimal disruptions during any deployment of a new version of the application.The company also wants to ensure it can quickly roll back updates if there is an issue.Which solution will meet these requirements with MINIMAL changes to the application?Read More →