DOP-C02 Free Practice Test

A company's application teams use AWS CodeCommit repositories for their applications.
The application teams have repositories in multiple AWS accounts. All accounts are in an organization in AWS Organizations.
Each application team uses AWS IAM Identity Center (AWS Single Sign-On) configured with an external IdP to assume a developer IAM role. The developer role allows the application teams to use Git to work with the code in the repositories.
A security audit reveals that the application teams can modify the main branch in any repository. A DevOps engineer must implement a solution that
allows the application teams to modify the main branch of only the repositories that they manage.
Which combination of steps will meet these requirements? (Select THREE.)

1. A. Update the SAML assertion to pass the user's team nam
2. B. Update the IAM role's trust policy to add an access-team session tag that has the team name.
3. C. Create an approval rule template for each team in the Organizations management accoun
4. D. Associate the template with all the repositorie
5. E. Add the developer role ARN as an approver.
6. F. Create an approval rule template for each accoun
7. G. Associate the template with all repositorie
8. H. Add the "aws:ResourceTag/access-team":"$ ;{aws:PrincipaITag/access- team}" condition to the approval rule template.
9. I. For each CodeCommit repository, add an access-team tag that has the value set to the name of the associated team.
10. J. Attach an SCP to the account
11. K. Include the following statement:
12. L. Create an IAM permissions boundary in each accoun
13. M. Include the following statement:

Correct Answer: ADF
Short Explanation: To meet the requirements, the DevOps engineer should update the SAML assertion to pass the user’s team name, update the IAM role’s trust policy to add an access-team session tag that has the team name, create an IAM permissions boundary in each account, and for each CodeCommit repository, add an access-team tag that has the value set to the name of the associated team.
References:
✑ Updating the SAML assertion to pass the user’s team name allows the DevOps engineer to use IAM tags to identify which team a user belongs to. This can help enforce fine-grained access control based on the user’s team membership1.
✑ Updating the IAM role’s trust policy to add an access-team session tag that has the team name allows the DevOps engineer to use IAM condition keys to restrict access based on the session tag value2. For example, the DevOps engineer can use the aws:PrincipalTag condition key to match the access-team tag of the user with the access-team tag of the repository3.
✑ Creating an IAM permissions boundary in each account allows the DevOps engineer to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity’s permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries4. For example, the DevOps engineer can use a permissions boundary policy to limit the actions that a user can perform on CodeCommit repositories based on their access-team tag5.
✑ For each CodeCommit repository, adding an access-team tag that has the value set to the name of the associated team allows the DevOps engineer to use resource tags to identify which team manages a repository. This can help enforce fine-grained access control based on the resource tag value6.
✑ The other options are incorrect because:

A company uses AWS Secrets Manager to store a set of sensitive API keys that an AWS Lambda function uses. When the Lambda function is invoked, the Lambda function retrieves the API keys and makes an API call to an external service. The Secrets Manager secret is encrypted with the default AWS Key Management Service (AWS KMS) key.
A DevOps engineer needs to update the infrastructure to ensure that only the Lambda function's execution role can access the values in Secrets Manager. The solution must apply the principle of least privilege.
Which combination of steps will meet these requirements? (Select TWO.)

1. A. Update the default KMS key for Secrets Manager to allow only the Lambda function's execution role to decrypt.
2. B. Create a KMS customer managed key that trusts Secrets Manager and allows the Lambda function's execution role to decryp
3. C. Update Secrets Manager to use the new customer managed key.
4. D. Create a KMS customer managed key that trusts Secrets Manager and allows the account's :root principal to decryp
5. E. Update Secrets Manager to use the new customer managed key.
6. F. Ensure that the Lambda function's execution role has the KMS permissions scoped on the resource leve
7. G. Configure the permissions so that the KMS key can encrypt the Secrets Manager secret.
8. H. Remove all KMS permissions from the Lambda function's execution role.

Correct Answer: BD
The requirement is to update the infrastructure to ensure that only the Lambda function’s execution role can access the values in Secrets Manager. The solution must apply the principle of least privilege, which means granting the minimum permissions necessary to perform a task.
To do this, the DevOps engineer needs to use the following steps:
✑ Create a KMS customer managed key that trusts Secrets Manager and allows the Lambda function’s execution role to decrypt. A customer managed key is a symmetric encryption key that is fully managed by the customer. The customer can define the key policy, which specifies who can use and manage the key. By creating a customer managed key, the DevOps engineer can restrict the decryption permission to only the Lambda function’s execution role, and prevent other principals from accessing the secret values. The customer managed key also needs to trust Secrets Manager, which means allowing Secrets Manager to use the key to encrypt and decrypt secrets on behalf of the customer.
✑ Update Secrets Manager to use the new customer managed key. Secrets Manager allows customers to choose which KMS key to use for encrypting each secret. By default, Secrets Manager uses the default KMS key for Secrets Manager, which is a service-managed key that is shared by all customers in the same AWS Region. By updating Secrets Manager to use the new customer managed key, the DevOps engineer can ensure that only the Lambda function’s execution role can decrypt the secret values using that key.
✑ Ensure that the Lambda function’s execution role has the KMS permissions scoped on the resource level. The Lambda function’s execution role is an IAM role that grants permissions to the Lambda function to access AWS services and resources. The role needs to have KMS permissions to use the customer managed key for decryption. However, to apply the principle of least privilege, the role should have the permissions scoped on the resource level, which means specifying the ARN of the customer managed key as a condition in the IAM policy statement. This way, the role can only use that specific key and not any other KMS keys in the account.

An ecommerce company has chosen AWS to host its new platform. The company's DevOps team has started building an AWS Control Tower landing zone. The DevOps team has set the identity store within AWS IAM Identity Center (AWS Single Sign-On) to external identity provider (IdP) and has configured SAML 2.0.
The DevOps team wants a robust permission model that applies the principle of least privilege. The model must allow the team to build and manage only the team's own resources.
Which combination of steps will meet these requirements? (Choose three.)

1. A. Create IAM policies that include the required permission
2. B. Include the aws:PrincipalTag condition key.
3. C. Create permission set
4. D. Attach an inline policy that includes the required permissions and uses the aws:PrincipalTag condition key to scope the permissions.
5. E. Create a group in the Id
6. F. Place users in the grou
7. G. Assign the group to accounts and the permission sets in IAM Identity Center.
8. H. Create a group in the Id
9. I. Place users in the grou
10. J. Assign the group to OUs and IAM policies.
11. K. Enable attributes for access control in IAM Identity Cente
12. L. Apply tags to user
13. M. Map the tags as key-value pairs.
14. N. Enable attributes for access control in IAM Identity Cente
15. O. Map attributes from the IdP as key-value pairs.

Correct Answer: BCF
Using the principalTag in the Permission Set inline policy a logged in user belonging to a specific AD group in the IDP can be permitted access to perform operations on certain resources if their group matches the group used in the PrincipleTag. Basically you are narrowing the scope of privileges assigned via Permission policies conditionally based on whether the logged in user belongs to a specific AD Group in IDP. The mapping of the AD group to the request attributes can be done using SSO attributes where we can pass other attributes like the SAML token as well. https://docs.aws.amazon.com/singlesignon/latest/userguide/abac.html

A company uses AWS and has a VPC that contains critical compute infrastructure with predictable traffic patterns. The company has configured VPC flow logs that are published to a log group in Amazon CloudWatch Logs.
The company's DevOps team needs to configure a monitoring solution for the VPC flow logs to identify anomalies in network traffic to the VPC over time. If the monitoring solution detects an anomaly, the company needs the ability to initiate a response to the anomaly.
How should the DevOps team configure the monitoring solution to meet these requirements?

1. A. Create an Amazon Kinesis data strea
2. B. Subscribe the log group to the data strea
3. C. Configure Amazon Kinesis Data Analytics to detect log anomalies in the data strea
4. D. Create anAWS Lambda function to use as the output of the data strea
5. E. Configure the Lambda function to write to the default Amazon EventBridge event bus in the event of an anomaly finding.
6. F. Create an Amazon Kinesis Data Firehose delivery stream that delivers events to an Amazon S3 bucke
7. G. Subscribe the log group to the delivery strea
8. H. Configure Amazon Lookout for Metrics to monitor the data in the S3 bucket for anomalie
9. I. Create an AWS Lambda function to run in response to Lookout for Metrics anomaly finding
10. J. Configure the Lambda function to publish to the default Amazon EventBridge event bus.
11. K. Create an AWS Lambda function to detect anomalie
12. L. Configure the Lambda function to publish an event to the default Amazon EventBridge event bus if the Lambda function detects an anomal
13. M. Subscribe the Lambda function to the log group.
14. N. Create an Amazon Kinesis data strea
15. O. Subscribe the log group to the data strea
16. P. Create an AWS Lambda function to detect log anomalie
17. Q. Configure the Lambda function to write to the default Amazon EventBridge event bus if the Lambda function detects an anomal
18. R. Set the Lambda function as the processor for the data stream.

Correct Answer: D
To meet the requirements, the DevOps team needs to configure a monitoring solution for the VPC flow logs that can detect anomalies in network traffic over time and initiate a response to the anomaly. The DevOps team can use Amazon Kinesis Data Streams to ingest and process streaming data from CloudWatch Logs. The DevOps team can subscribe the log group to a Kinesis data stream, which will deliver log events from CloudWatch Logs to Kinesis Data Streams in near real-time. The DevOps team can then create an AWS Lambda function to detect log anomalies using machine learning or statistical methods. The Lambda function can be set as a processor for the data stream, which means that it will process each record from the stream before sending it to downstream applications or destinations. The Lambda function can also write to the default Amazon EventBridge event bus if it detects an anomaly, which will allow other AWS services or custom applications to respond to the anomaly event.

A development team wants to use AWS CloudFormation stacks to deploy an application. However, the developer IAM role does not have the required permissions to provision the resources that are specified in the AWS CloudFormation template. A DevOps engineer needs to implement a solution that allows the developers to deploy the stacks. The solution must follow the principle of least privilege.
Which solution will meet these requirements?

1. A. Create an IAM policy that allows the developers to provision the required resource
2. B. Attach the policy to the developer IAM role.
3. C. Create an IAM policy that allows full access to AWS CloudFormatio
4. D. Attach the policy to the developer IAM role.
5. E. Create an AWS CloudFormation service role that has the required permission
6. F. Grant the developer IAM role a cloudformation:* actio
7. G. Use the new service role during stack deployments.
8. H. Create an AWS CloudFormation service role that has the required permission
9. I. Grant the developer IAM role the iam:PassRole permissio
10. J. Use the new service role during stack deployments.

Correct Answer: D
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html