DOP-C02 (Page 25)

A company’s developers use Amazon EC2 instances as remote workstations.The company is concerned that users can create or modify EC2 security groups to allow unrestricted inbound access.A DevOps engineer needs to develop a solution to detect when users create unrestricted security group rules.The solution must detect changes to security group rules in near real time, remove unrestricted rules, and send email notifications to the security team.The DevOps engineer has created an AWS Lambda function that checks for security group ID from input, removes rules that grant unrestricted access, and sends notifications through Amazon Simple Notification Service (Amazon SNS).What should the DevOps engineer do next to meet the requirements?Read More →

A company uses an Amazon API Gateway regional REST API to host its application API.The REST API has a custom domain.The REST API’s default endpoint is deactivated.The company’s internal teams consume the API.The company wants to use mutual TLS between the API and the internal teams as an additional layer of authentication.Which combination of steps will meet these requirements? (Choose two.)Read More →

A company has an AWS Control Tower landing zone.The company’s DevOps team creates a workload OU.A development OU and a production OU are nested under the workload OU.The company grants users full access to the company’s AWS accounts to deploy applications.The DevOps team needs to allow only a specific management IAM role to manage the IAM roles and policies of any AWS accounts in only the production OU.Which combination of steps will meet these requirements? (Choose two.)Read More →

A company is using AWS Organizations to centrally manage its AWS accounts.The company has turned on AWS Config in each member account by using AWS CloudFormation StackSets.The company has configured trusted access in Organizations for AWS Config and has configured a member account as a delegated administrator account for AWS Config.A DevOps engineer needs to implement a new security policy.The policy must require all current and future AWS member accounts to use a common baseline of AWS Config rules that contain remediation actions that are managed from a central account.Non-administrator users who can access member accounts must not be able to modify this common baseline of AWS Config rules that are deployed into each member account.Which solution will meet these requirements?Read More →

A DevOps engineer notices that all Amazon EC2 instances running behind an Application Load Balancer in an Auto Scaling group are failing to respond to user requests.The EC2 instances are also failing target group HTTP health checks.Upon inspection, the engineer notices the application process was not running in any EC2 instances.There are a significant number of out of memory messages in the system logs.The engineer needs to improve the resilience of the application to cope with a potential application memory leak.Monitoring and notifications should be enabled to alert when there is an issue.Which combination of actions will meet these requirements? (Choose two.)Read More →

A company manages multiple AWS accounts by using AWS Organizations with OUs for the different business divisions.The company is updating their corporate network to use new IP address ranges.The company has 10 Amazon S3 buckets in different AWS accounts.The S3 buckets store reports for the different divisions.The S3 bucket configurations allow only private corporate network IP addresses to access the S3 buckets.A DevOps engineer needs to change the range of IP addresses that have permission to access the contents of the S3 buckets.The DevOps engineer also needs to revoke the permissions of two OUs in the company.Which solution will meet these requirements?Read More →

A company operates sensitive workloads across the AWS accounts that are in the company’s organization in AWS Organizations.The company uses an IP address range to delegate IP addresses for Amazon VPC CIDR blocks and all non-cloud hardware.The company needs a solution that prevents principals that are outside the company’s IP address range from performing AWS actions in the organization’s accounts.Which solution will meet these requirements?Read More →

A company releases a new application in a new AWS account.The application includes an AWS Lambda function that processes messages from an Amazon Simple Queue Service (Amazon SQS) standard queue.The Lambda function stores the results in an Amazon S3 bucket for further downstream processing.The Lambda function needs to process the messages within a specific period of time after the messages are published.The Lambda function has a batch size of 10 messages and takes a few seconds to process a batch of messages.As load increases on the application’s first day of service, messages in the queue accumulate at a greater rate than the Lambda function can process the messages.Some messages miss the required processing timelines.The logs show that many messages in the queue have data that is not valid.The company needs to meet the timeline requirements for messages that have valid data.Which solution will meet these requirements?Read More →

A healthcare services company is concerned about the growing costs of software licensing for an application for monitoring patient wellness.The company wants to create an audit process to ensure that the application is running exclusively on Amazon EC2 Dedicated Hosts.A DevOps engineer must create a workflow to audit the application to ensure compliance.What steps should the engineer take to meet this requirement with the LEAST administrative overhead?Read More →

A company’s DevOps engineer is working in a multi-account environment.The company uses AWS Transit Gateway to route all outbound traffic through a network operations account.In the network operations account, all account traffic passes through a firewall appliance for inspection before the traffic goes to an internet gateway.The firewall appliance sends logs to Amazon CloudWatch Logs and includes event severities of CRITICAL, HIGH, MEDIUM, LOW, and INFO.The security team wants to receive an alert if any CRITICAL events occur.What should the DevOps engineer do to meet these requirements?Read More →