Amazon AWS DevOps Engineer Professional (DOP-C01) practice test

Question 1

A DevOps Engineer is designing a deployment strategy for a web application. The application will use an Auto Scaling group
to launch Amazon EC2 instances using an AMI. The same infrastructure will be deployed in multiple environments
(development, test, and quality assurance). The deployment strategy should meet the following requirements:
  • Minimize the startup time for the instance
  • Allow the same AMI to work in multiple environments
  • Store secrets for multiple environments securely

How should this be accomplished?

  • A. Preconfigure the AMI using an AWS Lambda function that launches an Amazon EC2 instance, and then runs a script to install the software and create the AMI. Configure an Auto Scaling lifecycle hook to determine which environment the instance is launched in, and, based on that finding, run a configuration script. Save the secrets on an .ini file and store them in Amazon S3. Retrieve the secrets using a configuration script in EC2 user data.
  • B. Preconfigure the AMI by installing all the software using AWS Systems Manager automation and configure Auto Scaling to tag the instances at launch with their specific environment. Then use a bootstrap script in user data to read the tags and configure settings for the environment. Use the AWS Systems Manager Parameter Store to store the secrets using AWS KMS.
  • C. Use a standard AMI from the AWS Marketplace. Configure Auto Scaling to detect the current environment. Install the software using a script in Amazon EC2 user data. Use AWS Secrets Manager to store the credentials for all environments.
  • D. Preconfigure the AMI by installing all the software and configuration for all environments. Configure Auto Scaling to tag the instances at launch with their environment. Use the Amazon EC2 user data to trigger an AWS Lambda function that reads the instance ID and then reconfigures the setting for the proper environment. Use the AWS Systems Manager Parameter Store to store the secrets using AWS KMS.



Question 2

You are getting a lot of empty receive requests when using Amazon SQS. This is making a lot of unnecessary network load
on your instances. What can you do to reduce this load?

  • A. Subscribe your queue to an SNS topic instead.
  • B. Use as long of a poll as possible, instead of short polls.
  • C. Alter your visibility timeout to be shorter.
  • D. Use sqsd on your EC2 instances.


One benefit of long polling with Amazon SQS is the reduction of the number of empty responses, when there are no
messages available to return, in reply to a ReceiveMessage request sent to an Amazon SQS queue. Long polling allows the
Amazon SQS service to wait until a message is available in the queue before sending a response.


Question 3

A DevOps team manages an API running on-premises that serves as a backend for an Amazon API Gateway endpoint.
Customers have been complaining about high response latencies, which the development team has verified using the API
Gateway latency metrics in Amazon CloudWatch. To identify the cause, the team needs to collect relevant data without
introducing additional latency. Which actions should be taken to accomplish this? (Choose two.)

  • A. Install the CloudWatch agent server side and configure the agent to upload relevant logs to CloudWatch.
  • B. Enable AWS X-Ray tracing in API Gateway, modify the application to capture request segments, and upload those segments to X-Ray during each request.
  • C. Enable AWS X-Ray tracing in API Gateway, modify the application to capture request segments, and use the X-Ray daemon to upload segments to X-Ray.
  • D. Modify the on-premises application to send log information back to API Gateway with each request.
  • E. Modify the on-premises application to calculate and upload statistical data relevant to the API service requests to CloudWatch metrics.



Question 4

Which one of the following is a restriction of AWS EBS Snapshots?

  • A. Snapshot restorations are restricted to the region in which the snapshots are created.
  • B. You cannot share unencrypted snapshots.
  • C. To share a snapshot with a user in another region, the snapshot has to be created in that region first.
  • D. You cannot share a snapshot containing sensitive data such as an AWS Access Key ID or AWS Secret Access Key.


Snapshots shared with other users are usable in full by the recipient, including but not limited to the ability to base modified
volumes and snapshots.


Question 5

A Development team is building more than 40 applications. Each app is a three-tiered web application based on an ELB
Application Load Balancer, Amazon EC2, and Amazon RDS. Because the applications will be used internally, the Security
team wants to allow access to the 40 applications only from the corporate network and block access from external IP
addresses. The corporate network reaches the internet through proxy servers. The proxy servers have 12 proxy IP
addresses that are being changed one or two times per month. The Network Infrastructure team manages the proxy servers;
they upload the file that contains the latest proxy IP addresses into an Amazon S3 bucket. The DevOps Engineer must build
a solution to ensure that the applications are accessible from the corporate network.
Which solution achieves these requirements with MINIMAL impact to application development, MINIMAL operational effort,
and the LOWEST infrastructure cost?

  • A. Implement an AWS Lambda function to read the list of proxy IP addresses from the S3 object and to update the ELB security groups to allow HTTPS only from the given IP addresses. Configure the S3 bucket to invoke the Lambda function when the object is updated. Save the IP address list to the S3 bucket when they are changed.
  • B. Ensure that all the applications are hosted in the same Virtual Private Cloud (VPC). Otherwise, consolidate the applications into a single VPC. Establish an AWS Direct Connect connection with an active/standby configuration. Change the ELB security groups to allow only inbound HTTPS connections from the corporate network IP addresses.
  • C. Implement a Python script with the AWS SDK for Python (Boto), which downloads the S3 object that contains the proxy IP addresses, scans the ELB security groups, and updates them to allow only HTTPS inbound from the given IP addresses. Launch an EC2 instance and store the script in the instance. Use a cron job to execute the script daily.
  • D. Enable ELB security groups to allow HTTPS inbound access from the Internet. Use Amazon Cognito to integrate the company's Active Directory as the identity provider. Change the 40 applications to integrate with Amazon Cognito so that only company employees can log into the application. Save the user access logs to Amazon CloudWatch Logs to record user access activities.



Question 6

A DevOps Engineer is using AWS CodeDeploy across a fleet of Amazon EC2 instances in an EC2 Auto Scaling group. The
associated CodeDeploy deployment group, which is integrated with EC2 Auto Scaling, is configured to perform in-place
deployments with CodeDeployDefault.OneAtATime. During an ongoing new deployment, the Engineer discovers that,
although the overall deployment finished successfully, two out of five instances have the previous application revision
deployed. The other three instances have the newest application revision. What is likely causing this issue?

  • A. The two affected instances failed to fetch the new deployment.
  • B. A failed AfterInstall lifecycle event hook caused the CodeDeploy agent to roll back to the previous version on the affected instances.
  • C. The CodeDeploy agent was not installed in two affected instances.
  • D. EC2 Auto Scaling launched two new instances while the new deployment had not yet finished, causing the previous version to be deployed on the affected instances.



Question 7

Which of the following is NOT an advantage of Docker's content addressable storage model?

  • A. random UUIDs improve filesystem performance
  • B. improved security
  • C. guarantees data integrity after push, pull, load, and save operations
  • D. avoids content ID collisions


Docker 1.10 introduced a new content addressable storage model. This is a completely new way to address image and layer
data on disk. Previously, image and layer data was referenced and stored using a randomly generated UUID. In the new
model this is replaced by a secure content hash. The new model improves security, provides a built-in way to avoid ID
collisions, and guarantees data integrity after pull, push, load, and save operations. It also enables better sharing of layers by
allowing many images to freely share their layers even if they did not come from the same build.


Question 8

Your company operates an application consisting of an AWS CloudFormation stack that contains a load balancer, an Auto
Scaling group of web servers, and an Amazon RDS instance. To save time and costs, you update the current test stack
when testing minor changes, and create a new stack for major changes. As part of the testing procedure of your application,
each version needs to be registered once and only once with a Configuration Management Database (CMDB).
What cost-effective solution should you choose to perform this registration?

  • A. Use Auto Scaling Leader Node functionality to notify the registration application from the UserData script of a single Instance. Use the AWS CloudFormation cfn-hup helper application to receive template updates on the leader node, which then notifies the CMDB.
  • B. Define an AWS::CloudFormation::CustomResource in the AWS CloudFormation template, with the application version as one of its properties. Modify the CMDB to subscribe to the resource's creation and update notifications.
  • C. Define an AWS::CloudFormation::HttpRequest in the AWS CloudFormation template, and configure it to notify the CMDB on stack creation and update.
  • D. Define an AWS::EC2::Instance resource in the AWS CloudFormation template that is configured to run a UserData script to notify the CMDB and then terminate itself on completion.



Question 9

An education company has a Docker-based application running on multiple Amazon EC2 instances in an Amazon ECS
cluster. When deploying a new version of the application, the Developer pushes a
new image to a private Docker container registry, and then stops and starts all tasks to ensure that they all have the latest
version of the application. The Developer discovers that new tasks are occasionally running with an old image. How can this
issue be prevented?

  • A. After pushing the new image, restart ECS Agent, and then start the tasks.
  • B. Use “latest” for the Docker image tag in the task definition.
  • C. Update the digest on the task definition when pushing the new image.
  • D. Use Amazon ECR for a Docker container registry.


When a new task starts, the Amazon ECS container agent pulls the latest version of the specified image and tag for the
container to use. However, subsequent updates to a repository image are not propagated to already running tasks.
Reference: ers.html


Question 10

You are running Amazon CloudTrail on an Amazon S3 bucket and look at your most recent log. You notice that the entries
include the ListThings and CreateThings actions and wonder if your devices have been hacked. Based on these entries,
what service would you be concerned may have been hacked?

  • A. Amazon Inspector
  • B. AWS IoT
  • C. AWS CodePipeline
  • D. Amazon Glacier


AWS IoT (Internet of Things) is integrated with CloudTrail to capture API calls from the AWS IoT console or from your code
to the AWS IoT APIs. AWS IoT provides secure, bi-directional communication between Internet-connected things (such as
sensors, actuators, embedded devices, or smart appliances) and the AWS cloud. Using the information collected by
CloudTrail, you can determine the request that was made to AWS IoT, the source IP address from which the request was
made, who made the request, when it was made, and so on.
