Amazon DOP-C02 Exam Dumps

Question 6 of 277

A company must encrypt all AMIs that the company shares across accounts. A DevOps engineer has access to a source account where an unencrypted custom AMI has been built. The DevOps engineer also has access to a target account where an Amazon EC2 Auto Scaling group will launch EC2 instances from the AMI. The DevOps engineer must share the AMI with the target account.

The company has created an AWS Key Management Service (AWS KMS) key in the source account.

Which additional steps should the DevOps engineer perform to meet the requirements? (Choose three.)

A.

In the source account, copy the unencrypted AMI to an encrypted AMI. Specify the KMS key in the copy action.

B.

In the source account, copy the unencrypted AMI to an encrypted AMI. Specify the default Amazon Elastic Block Store (Amazon EBS) encryption key in the copy action.

C.

In the source account, create a KMS grant that delegates permissions to the Auto Scaling group service-linked role in the target account.

D.

In the source account, modify the key policy to give the target account permissions to create a grant. In the target account, create a KMS grant that delegates permissions to the Auto Scaling group service-linked role.

E.

In the source account, share the unencrypted AMI with the target account.

F.

In the source account, share the encrypted AMI with the target account.

Correct Answer: A, D, F

To meet the requirements, the DevOps engineer should perform three additional steps. First, in the source account, they should copy the unencrypted AMI to an encrypted AMI, specifying the KMS key in the copy action. This ensures that the AMI is encrypted using the company's KMS key. Second, they need to modify the key policy in the source account to give the target account permissions to create a grant, and then in the target account, create a KMS grant that delegates permissions to the Auto Scaling group service-linked role. This allows the target account to use the KMS key to decrypt the AMI when launching instances. Finally, the encrypted AMI should be shared with the target account to enable access. These steps ensure that the AMI is encrypted and properly shared across accounts with the necessary permissions in place.

Question 7 of 277

A company uses AWS CodePipeline pipelines to automate releases of its application A typical pipeline consists of three stages build, test, and deployment. The company has been using a separate AWS CodeBuild project to run scripts for each stage. However, the company now wants to use AWS CodeDeploy to handle the deployment stage of the pipelines.

The company has packaged the application as an RPM package and must deploy the application to a fleet of Amazon EC2 instances. The EC2 instances are in an EC2 Auto Scaling group and are launched from a common AMI.

Which combination of steps should a DevOps engineer perform to meet these requirements? (Choose two.)

A.

Create a new version of the common AMI with the CodeDeploy agent installed. Update the IAM role of the EC2 instances to allow access to CodeDeploy.

B.

Create a new version of the common AMI with the CodeDeploy agent installed. Create an AppSpec file that contains application deployment scripts and grants access to CodeDeploy.

C.

Create an application in CodeDeploy. Configure an in-place deployment type. Specify the Auto Scaling group as the deployment target. Add a step to the CodePipeline pipeline to use EC2 Image Builder to create a new AMI. Configure CodeDeploy to deploy the newly created AMI.

D.

Create an application in CodeDeploy. Configure an in-place deployment type. Specify the Auto Scaling group as the deployment target. Update the CodePipeline pipeline to use the CodeDeploy action to deploy the application.

E.

Create an application in CodeDeploy. Configure an in-place deployment type. Specify the EC2 instances that are launched from the common AMI as the deployment target. Update the CodePipeline pipeline to use the CodeDeploy action to deploy the application.

Correct Answer: A, D

To use AWS CodeDeploy for the deployment stage of the pipeline and deploy the application to a fleet of EC2 instances in an Auto Scaling group, the DevOps engineer should create a new version of the common AMI with the CodeDeploy agent installed and update the IAM role of the EC2 instances to allow access to CodeDeploy. Additionally, an application should be created in CodeDeploy with an in-place deployment type, specifying the Auto Scaling group as the deployment target. Then, update the CodePipeline pipeline to use the CodeDeploy action to deploy the application. The combination of these steps ensures that the EC2 instances can interact with CodeDeploy and that deployments are managed efficiently using CodeDeploy and CodePipeline.

Question 8 of 277

A company’s security team requires that all external Application Load Balancers (ALBs) and Amazon API Gateway APIs are associated with AWS WAF web ACLs. The company has hundreds of AWS accounts, all of which are included in a single organization in AWS Organizations. The company has configured AWS Config for the organization. During an audit, the company finds some externally facing ALBs that are not associated with AWS WAF web ACLs.

Which combination of steps should a DevOps engineer take to prevent future violations? (Choose two.)

A.

Delegate AWS Firewall Manager to a security account.

B.

Delegate Amazon GuardDuty to a security account.

C.

Create an AWS Firewall Manager policy to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.

D.

Create an Amazon GuardDuty policy to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.

E.

Configure an AWS Config managed rule to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.

Correct Answer: A, C

To prevent future violations of associating external Application Load Balancers (ALBs) and Amazon API Gateway APIs with AWS WAF web ACLs, the first step is to delegate AWS Firewall Manager to a security account. This enables centralized management and enforcement of security policies across all AWS accounts in the organization. The second step is to create an AWS Firewall Manager policy to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs. AWS Firewall Manager is specifically designed to help manage and apply AWS WAF rules across multiple accounts within an organization, ensuring consistent security policies and compliance.

Question 9 of 277

A company uses AWS Key Management Service (AWS KMS) keys and manual key rotation to meet regulatory compliance requirements. The security team wants to be notified when any keys have not been rotated after 90 days.

Which solution will accomplish this?

A.

Configure AWS KMS to publish to an Amazon Simple Notification Service (Amazon SNS) topic when keys are more than 90 days old.

B.

Configure an Amazon EventBridge event to launch an AWS Lambda function to call the AWS Trusted Advisor API and publish to an Amazon Simple Notification Service (Amazon SNS) topic.

C.

Develop an AWS Config custom rule that publishes to an Amazon Simple Notification Service (Amazon SNS) topic when keys are more than 90 days old.

D.

Configure AWS Security Hub to publish to an Amazon Simple Notification Service (Amazon SNS) topic when keys are more than 90 days old.

Correct Answer: C

To meet the requirement of notifying the security team when AWS KMS keys have not been rotated after 90 days, developing a custom AWS Config rule is the appropriate solution. AWS Config allows for a thorough evaluation of the configuration of AWS resources. With a custom rule, you can define specific conditions, such as the age of KMS keys, and have it trigger notifications to an Amazon SNS topic when keys exceed the 90-day rotation requirement. This capability is not provided by AWS KMS, Security Hub, or Trusted Advisor directly.

Question 10 of 277

A security review has identified that an AWS CodeBuild project is downloading a database population script from an Amazon S3 bucket using an unauthenticated request. The security team does not allow unauthenticated requests to S3 buckets for this project.

How can this issue be corrected in the MOST secure manner?

A.

Add the bucket name to the AllowedBuckets section of the CodeBuild project settings. Update the build spec to use the AWS CLI to download the database population script.

B.

Modify the S3 bucket settings to enable HTTPS basic authentication and specify a token. Update the build spec to use cURL to pass the token and download the database population script.

C.

Remove unauthenticated access from the S3 bucket with a bucket policy. Modify the service role for the CodeBuild project to include Amazon S3 access. Use the AWS CLI to download the database population script.

D.

Remove unauthenticated access from the S3 bucket with a bucket policy. Use the AWS CLI to download the database population script using an IAM access key and a secret access key.

Correct Answer: C

The most secure approach is to remove unauthenticated access from the S3 bucket by updating the bucket policy, ensuring that only authenticated requests are allowed. Then, modify the service role for the CodeBuild project to include the necessary permissions to access the S3 bucket. This ensures that the access is controlled and only authorized entities can download the database population script, adhering to security best practices.