DOP-C02 Free Practice Test

A company is performing vulnerability scanning for all Amazon EC2 instances across many accounts. The accounts are in an organization in AWS Organizations. Each account's VPCs are attached to a shared transit gateway. The VPCs send traffic to the internet through a central egress VPC. The company has enabled Amazon Inspector in a delegated administrator account and has enabled scanning for all member accounts.
A DevOps engineer discovers that some EC2 instances are listed in the "not scanning" tab in Amazon
Inspector.
Which combination of actions should the DevOps engineer take to resolve this issue? (Choose three.)

1. A. Verify that AWS Systems Manager Agent is installed and is running on the EC2 instances that Amazon Inspector is not scanning.
2. B. Associate the target EC2 instances with security groups that allow outbound communication on port 443 to the AWS Systems Manager service endpoint.
3. C. Grant inspector:StartAssessmentRun permissions to the IAM role that the DevOps engineer is using.
4. D. Configure EC2 Instance Connect for the EC2 instances that Amazon Inspector is not scanning.
5. E. Associate the target EC2 instances with instance profiles that grant permissions to communicate with AWS Systems Manager.
6. F. Create a managed-instance activatio
7. G. Use the Activation Code and the Activation ID to register the EC2 instances.

Correct Answer: ABE
https://docs.aws.amazon.com/inspector/latest/user/scanning-ec2.html

To run an application, a DevOps engineer launches an Amazon EC2 instance with public IP addresses in a public subnet. A user data script obtains the application artifacts and installs them on the instances upon launch. A change to the security classification of the application now requires the instances to run with no access to the internet. While the instances launch successfully and show as healthy, the application does not seem to be installed.
Which of the following should successfully install the application while complying with the new rule?

1. A. Launch the instances in a public subnet with Elastic IP addresses attache
2. B. Once the application is installed and running, run a script to disassociate the Elastic IP addresses afterwards.
3. C. Set up a NAT gatewa
4. D. Deploy the EC2 instances to a private subne
5. E. Update the private subnet's routetable to use the NAT gateway as the default route.
6. F. Publish the application artifacts to an Amazon S3 bucket and create a VPC endpoint for S3. Assign an IAM instance profile to the EC2 instances so they can read the application artifacts from the S3 bucket.
7. G. Create a security group for the application instances and allow only outbound traffic to the artifact repositor
8. H. Remove the security group rule once the install is complete.

Correct Answer: C
EC2 instances running in private subnets of a VPC can now have controlled access to S3 buckets, objects, and API functions that are in the same region as the VPC. You can use an S3 bucket policy to indicate which VPCs and which VPC Endpoints have access to your S3 buckets 1- https://aws.amazon.com/pt/blogs/aws/new-vpc-endpoint-for-amazon-s3/

A company has an application that runs on a fleet of Amazon EC2 instances. The application requires frequent restarts. The application logs contain error messages when a restart is required. The application logs are published to a log group in Amazon CloudWatch Logs.
An Amazon CloudWatch alarm notifies an application engineer through an Amazon Simple Notification Service (Amazon SNS) topic when the logs contain a large number of restart-related error messages. The application engineer manually restarts the application on the instances after the application engineer receives a notification from the SNS topic.
A DevOps engineer needs to implement a solution to automate the application restart on the instances without restarting the instances.
Which solution will meet these requirements in the MOST operationally efficient manner?

1. A. Configure an AWS Systems Manager Automation runbook that runs a script to restart the application on the instance
2. B. Configure the SNS topic to invoke the runbook.
3. C. Create an AWS Lambda function that restarts the application on the instance
4. D. Configure the Lambda function as an event destination of the SNS topic.
5. E. Configure an AWS Systems Manager Automation runbook that runs a script to restart the application on the instance
6. F. Create an AWS Lambda function to invoke the runboo
7. G. Configure the Lambda function as an event destination of the SNS topic.
8. H. Configure an AWS Systems Manager Automation runbook that runs a script to restart the application on the instance
9. I. Configure an Amazon EventBridge rule that reacts when the CloudWatch alarm enters ALARM stat
10. J. Specify the runbook as a target of the rule.

Correct Answer: D
This solution meets the requirements in the most operationally efficient manner by automating the application restart process on the instances without restarting them. When the CloudWatch alarm enters the ALARM state, the EventBridge rule is triggered, which in turn invokes the Systems Manager Automation runbook that contains the script to restart the application on the instances.

A company has containerized all of its in-house quality control applications. The company is running Jenkins on Amazon EC2 instances, which require patching and upgrading. The compliance officer has requested a DevOps engineer begin encrypting build artifacts since they contain company intellectual property. What should the DevOps engineer do to accomplish this in the MOST maintainable manner?

1. A. Automate patching and upgrading using AWS Systems Manager on EC2 instances and encrypt Amazon EBS volumes by default.
2. B. Deploy Jenkins to an Amazon ECS cluster and copy build artifacts to an Amazon S3 bucket with default encryption enabled.
3. C. Leverage AWS CodePipeline with a build action and encrypt the artifacts using AWS Secrets Manager.
4. D. Use AWS CodeBuild with artifact encryption to replace the Jenkins instance running on EC2 instances.

Correct Answer: D
The following are the steps involved in accomplishing this in the most maintainable manner:
Configure CodeBuild to encrypt the build artifacts using AWS Secrets Manager.
Deploy the containerized quality control applications to CodeBuild.
This approach is the most maintainable because it eliminates the need to manage Jenkins on EC2 instances. CodeBuild is a managed service, so the DevOps engineer does not need to worry about patching or upgrading the service.
https://docs.aws.amazon.com/codebuild/latest/userguide/security-encryption.html Build artifact encryption - CodeBuild requires access to an AWS KMS CMK in order to encrypt its build output artifacts. By default, CodeBuild uses an AWS Key Management Service CMK for Amazon S3 in your AWS account. If you do not want to use this CMK, you must create and configure a customer-managed CMK. For more information Creating keys.

A company runs an application with an Amazon EC2 and on-premises configuration. A DevOps engineer needs to standardize patching across both environments. Company policy dictates that patching only happens during non-business hours.
Which combination of actions will meet these requirements? (Choose three.)

1. A. Add the physical machines into AWS Systems Manager using Systems Manager Hybrid Activations.
2. B. Attach an IAM role to the EC2 instances, allowing them to be managed by AWS Systems Manager.
3. C. Create IAM access keys for the on-premises machines to interact with AWS Systems Manager.
4. D. Run an AWS Systems Manager Automation document to patch the systems every hour.
5. E. Use Amazon EventBridge scheduled events to schedule a patch window.
6. F. Use AWS Systems Manager Maintenance Windows to schedule a patch window.

Correct Answer: ABF
https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-managed-instance-activation.html