Free AWS Certified DevOps Engineer - Professional (DOP-C02) Practice Questions

Sample DOP-C02 Practice Questions

Browse all 20 free AWS Certified DevOps Engineer - Professional practice questions below.

1. A company is implementing a CI/CD pipeline for a containerized application deployed on Amazon ECS. The application requires zero-downtime deployments with the ability to gradually shift traffic to the new version while monitoring for errors. If issues are detected, traffic should automatically roll back to the previous version. Which deployment configuration best meets these requirements?

   • Configure AWS CodeDeploy with CodeDeployDefault.ECSCanary10Percent5Minutes deployment configuration, enable automatic rollback, and configure CloudWatch alarms for error rate monitoring.
   • Configure AWS CodeDeploy with CodeDeployDefault.ECSLinear10PercentEvery1Minutes and manually monitor the deployment through the console.
   • Configure AWS CodeDeploy with CodeDeployDefault.ECSAllAtOnce deployment configuration and enable automatic rollback on deployment failure.
   • Configure rolling updates in the ECS service definition with minimum healthy percent of 50% and maximum percent of 200%.

2. A DevOps engineer needs to implement a multi-stage CI/CD pipeline using AWS CodePipeline for a microservices application. The pipeline must include source, build, test, and deploy stages. The build stage should compile code for multiple services in parallel to reduce build time. How should the engineer configure the build stage?

   • Create separate build stages in CodePipeline for each microservice to ensure isolation.
   • Create a single CodeBuild project with compute type set to BUILD_GENERAL1_2XLARGE to speed up compilation.
   • Create a single CodeBuild project with a buildspec.yml that uses batch build mode to compile all services sequentially.
   • Create separate CodeBuild projects for each microservice and add them as parallel actions within the same build stage in CodePipeline.

3. A company uses AWS CloudFormation to manage infrastructure across multiple AWS accounts and regions. The security team requires that all CloudFormation stacks be monitored for configuration drift and that any drift be automatically remediated within 1 hour. Which solution meets these requirements with the LEAST operational overhead?

   • Use CloudFormation StackSets with drift detection enabled and configure manual approval workflow for drift remediation.
   • Enable AWS Config rule cloudformation-stack-drift-detection-check across all accounts using AWS Organizations, create an EventBridge rule to trigger a Lambda function when drift is detected, and have the function execute a stack update to remediate drift.
   • Create a scheduled Lambda function that runs every hour in each account to check drift status using the DetectStackDrift API and sends notifications to the operations team.
   • Deploy CloudWatch alarms in each account that trigger when CloudFormation stacks report drift status and configure SNS notifications to the development team.

4. A company is migrating from a monolithic application to microservices on Amazon EKS. The DevOps team needs to implement a deployment strategy that allows testing new versions with a small percentage of production traffic before full rollout. The solution must work with their existing Kubernetes deployments and not require changes to application code. Which approach should the team use?

   • Configure Application Load Balancer with weighted target groups pointing to different EKS service endpoints.
   • Implement AWS App Mesh with virtual services and virtual routers to configure weighted routing between deployment versions.
   • Use Kubernetes Horizontal Pod Autoscaler to gradually increase replicas of the new version while decreasing old version replicas.
   • Use Kubernetes native rolling updates with maxSurge and maxUnavailable parameters configured for gradual rollout.

5. A DevOps team manages sensitive database credentials and API keys for applications running on Amazon EC2 instances and AWS Lambda functions. The team needs to implement a centralized secrets management solution that supports automatic rotation of credentials, audit logging of access, and integration with IAM for access control. Which solution BEST meets these requirements?

   • Store secrets in AWS Systems Manager Parameter Store SecureString parameters with KMS encryption and create Lambda functions to rotate credentials on a schedule.
   • Store secrets in AWS Secrets Manager with automatic rotation enabled, use resource-based policies for cross-account access, and enable CloudTrail logging for Secrets Manager API calls.
   • Use HashiCorp Vault deployed on EC2 instances with integration to AWS IAM for authentication and custom rotation scripts.
   • Store secrets in Amazon S3 with server-side encryption using KMS, configure S3 bucket policies for access control, and enable S3 access logging.

6. A company is migrating their CI/CD pipeline from Jenkins to AWS native services. Their current pipeline includes stages for code checkout, static code analysis, unit tests, integration tests, security scanning, and deployment. The team wants to maintain the same workflow while leveraging managed services. Which AWS services should be used for each stage?

   • GitHub Actions for the entire pipeline with AWS credentials stored in GitHub Secrets for deployment.
   • CodeCommit or CodeStar Connections for source, CodeBuild for all build and test stages including static analysis, CodeDeploy for deployment, orchestrated by CodePipeline.
   • CodeCommit for source, separate EC2 instances for each build and test stage, CloudFormation for deployment.
   • S3 for source artifacts, Lambda functions for each test stage, Step Functions for deployment orchestration.

7. A DevOps team needs to implement a solution where developers can deploy feature branches to isolated environments for testing. Each feature branch should get its own set of resources including API Gateway, Lambda functions, and DynamoDB tables. The resources should be automatically cleaned up when the branch is deleted. Which approach implements this efficiently?

   • Create feature flag toggles in a central configuration store and deploy all feature code to the production environment behind flags.
   • Use a single shared environment with resource naming conventions that include the branch name, and manually delete resources when branches are merged.
   • Create a CodePipeline for each feature branch that deploys a CloudFormation stack with resources named using the branch name. Use EventBridge with GitHub/CodeCommit branch deletion events to trigger a Lambda that deletes the stack.
   • Provision a fixed pool of test environments and assign branches to available environments using a scheduling system.

8. A company uses AWS CDK for infrastructure deployment. They want to ensure all CDK stacks pass security checks before deployment. The checks should verify that S3 buckets have encryption enabled, Lambda functions have appropriate timeouts, and IAM policies follow least privilege. Which approach implements this validation in the CI/CD pipeline?

   • Use TypeScript/Python type checking in CDK code to enforce security properties at compile time.
   • Configure AWS Config rules that detect non-compliant resources and automatically remediate them after deployment.
   • Deploy CDK stacks to a sandbox account first, run security scans on the created resources, then promote to production if scans pass.
   • Run cdk synth to generate CloudFormation templates, then use cfn-nag or cfn-guard to validate the templates against security rules before deployment.

9. A company runs a microservices architecture on Amazon EKS. They need to implement a deployment strategy where new versions are gradually rolled out, and if error rates increase beyond a threshold, the deployment automatically stops and rolls back. The solution should work without external tools. Which Kubernetes-native feature combined with AWS services provides this capability?

   • Configure Kubernetes HorizontalPodAutoscaler to scale down new version pods when metrics exceed thresholds.
   • Configure Kubernetes Deployment with maxSurge and maxUnavailable for rolling updates, combined with readinessProbes. Monitor pods using CloudWatch Container Insights and trigger rollback with kubectl rollout undo when alarms fire.
   • Use AWS App Mesh with canary virtual nodes that split traffic between versions, with CloudWatch alarms triggering automated rollback through App Mesh routing changes.
   • Use Kubernetes native canary deployments by deploying both versions simultaneously with label-based service selectors.

10. A DevOps engineer is troubleshooting a Lambda function that occasionally times out. The function processes messages from SQS and calls an external API. The engineer needs to identify whether the timeout is caused by the external API, database queries, or internal processing. Which observability approach provides the most detailed insight?

    • Enable Lambda function enhanced monitoring to view CPU and memory utilization during execution.
    • Enable CloudWatch Logs and search for timeout error messages in the log output.
    • Create CloudWatch custom metrics that record execution time and analyze the average duration over time.
    • Enable AWS X-Ray tracing for the Lambda function, instrument the code with X-Ray SDK to create subsegments for API calls and database operations, and analyze the trace timeline.

11. A company runs a multi-tier application with web servers in public subnets and application servers in private subnets. The DevOps team needs to implement a solution that allows administrators to securely access private EC2 instances for troubleshooting without exposing them to the internet or deploying bastion hosts. Which solution meets this requirement?

    • Configure AWS Systems Manager Session Manager on the private instances, ensure SSM Agent is running, and grant IAM permissions for ssm:StartSession to administrators.
    • Create a VPN connection between the corporate network and the VPC to access private instances directly.
    • Deploy a Lambda function that establishes reverse SSH tunnels to private instances on demand.
    • Enable EC2 Instance Connect and open port 22 in security groups for temporary access.

12. A DevOps engineer needs to implement a deployment pipeline that builds Docker images, scans them for vulnerabilities, and deploys to Amazon EKS. If any HIGH or CRITICAL vulnerabilities are found, the deployment should be blocked. Which service combination implements this security gate?

    • AWS Security Hub to aggregate and block on vulnerability findings
    • Amazon GuardDuty for real-time container vulnerability detection
    • AWS CodePipeline to orchestrate build, scan check, and deployment stages
    • Amazon ECR with enhanced scanning powered by Amazon Inspector
    • AWS CodeBuild to build and push images, then check scan findings before deployment

13. A company uses AWS Organizations with multiple accounts. They need to ensure that CloudFormation stacks in member accounts can only be deployed using approved templates stored in a central S3 bucket in the management account. How should this be implemented?

    • Enable CloudFormation drift detection to identify stacks deployed with unapproved templates.
    • Share the S3 bucket using AWS Resource Access Manager and grant read access to member accounts.
    • Create an SCP that denies cloudformation:CreateStack unless the template URL matches the approved S3 bucket pattern using StringLike condition.
    • Configure AWS Service Catalog with approved products and restrict direct CloudFormation access.

14. A DevOps team needs to implement blue/green deployments for an application running on AWS Elastic Beanstalk. They want to validate the new environment before switching traffic and maintain the ability to quickly roll back. Which Elastic Beanstalk feature supports this deployment strategy?

    • Use Elastic Beanstalk rolling with additional batch deployment to maintain two versions simultaneously.
    • Configure Route 53 weighted routing between two Elastic Beanstalk environments.
    • Configure the Elastic Beanstalk deployment policy to 'Immutable' for blue/green deployments.
    • Use Elastic Beanstalk environment cloning to create a new environment, deploy the update to the clone, validate, then swap environment URLs.

15. A company needs to implement a solution that automatically triggers an incident response workflow when AWS GuardDuty detects a HIGH severity finding. The workflow should isolate the affected EC2 instance, capture forensic data, and notify the security team. Which architecture implements this automated response?

    • Configure EventBridge rule to match HIGH severity GuardDuty findings, trigger Step Functions workflow that uses Lambda to modify security groups, create EBS snapshots, and send SNS notifications.
    • Configure GuardDuty to directly invoke Lambda functions for automated remediation.
    • Use AWS Security Hub automation rules to automatically remediate GuardDuty findings.
    • Configure CloudWatch alarms on GuardDuty metrics to trigger Auto Scaling actions that terminate compromised instances.

16. A company runs microservices on Amazon ECS Fargate. They need to implement a solution that automatically restarts containers when health checks fail, but also limits the number of restart attempts to prevent infinite restart loops for fundamentally broken deployments. Which ECS feature provides this controlled restart behavior?

    • Set the service minimum healthy percent to 100% to prevent unhealthy containers from starting.
    • Configure CloudWatch alarms to monitor task failures and stop the ECS service when thresholds are exceeded.
    • Configure container-level restart policies in the task definition with maximum restart limits.
    • Configure the ECS service deployment circuit breaker, which automatically detects deployment failures and optionally rolls back to the previous working deployment after threshold failures.

17. A DevOps team needs to implement a solution where AWS WAF rules are deployed consistently across multiple AWS accounts that host web applications behind CloudFront. The rules should be managed centrally and automatically deployed to new accounts. Which approach enables this centralized WAF management?

    • Create WAF web ACLs in each account using CloudFormation StackSets with service-managed permissions.
    • Create a centralized WAF web ACL in the security account and configure all CloudFront distributions to use it.
    • Configure cross-account sharing of WAF web ACLs using AWS Resource Access Manager.
    • Use AWS Firewall Manager with a WAF policy that automatically applies web ACL rules to CloudFront distributions across organization accounts.

18. A company uses AWS CodePipeline for deployments. They need to implement a solution where a deployment to production requires two approvals: one from a developer and one from an operations team member. Both approvals must be from different people. How should this dual approval be configured?

    • Create two sequential Manual Approval stages in CodePipeline, each configured with different SNS topics for the developer and operations teams. Implement a Lambda function that tracks approvers and rejects if the same person approves both.
    • Configure a single Manual Approval action requiring 2 approvals from a combined team.
    • Use AWS Organizations SCPs to require dual approval for production deployments.
    • Create IAM policies that enforce separation of duties for pipeline approvals.

19. A DevOps engineer needs to implement a solution that enforces a minimum TLS version of 1.2 for all Application Load Balancers in an AWS account. Non-compliant ALBs should be detected and reported. Which approach provides this compliance monitoring?

    • Configure VPC flow logs to analyze TLS versions used in connections to ALBs.
    • Use AWS Certificate Manager to enforce minimum TLS versions on all certificates.
    • Enable AWS Security Hub and use the AWS Foundational Security Best Practices standard to detect weak TLS configurations.
    • Create a custom AWS Config rule that evaluates ALB listener configurations and checks if the SSL policy enforces TLS 1.2 or higher.

20. A company runs a critical batch processing job on AWS Batch that must complete within a 4-hour SLA. The job processes large datasets and occasionally fails due to spot instance interruptions. How should the job be configured for reliability while optimizing costs?

    • Configure the AWS Batch compute environment with a mix of spot and on-demand instances. Enable job retry with checkpointing so interrupted jobs resume from checkpoints rather than restarting completely.
    • Configure the Batch job timeout to 4 hours to ensure jobs complete within SLA.
    • Use spot instances with a very high max price to prevent interruptions.
    • Use only on-demand instances to avoid any interruption risk.