DOP-C02 Online Practice Questions


Latest DOP-C02 Exam Practice Questions

The practice questions for the DOP-C02 exam were last updated on 2026-04-10.


Question#1

A company is refactoring applications to use AWS. The company identifies an internal web application that needs to make Amazon S3 API calls in a specific AWS account.
The company wants to use its existing identity provider (IdP) auth.company.com for authentication. The IdP supports only OpenID Connect (OIDC). A DevOps engineer needs to secure the web application's access to the AWS account.
Which combination of steps will meet these requirements? (Select THREE.)

A. Configure AWS IAM Identity Center. Configure an Id
B. Upload the IdP metadata from the existing Id
C. Create an IAM IdP by using the provider URL, audience, and signature from the existing IdP.
D. Create an IAM role that has a policy that allows the necessary S3 actions. Configure the role's trust policy to allow the OIDC IdP to assume the role if the sts.amazon.com:aud context key is appid_from_idp.
E. Create an IAM role that has a policy that allows the necessary S3 actions. Configure the role's trust policy to allow the OIDC IdP to assume the role if the auth.company.com:aud context key is appid_from_idp.
F. Configure the web application to use the AssumeRoleWithWebIdentity API operation to retrieve temporary credentials. Use the temporary credentials to make the S3 API calls.
G. Configure the web application to use the GetFederationToken API operation to retrieve temporary credentials. Use the temporary credentials to make the S3 API calls.

Explanation:
Step 1: Create an IAM OIDC identity provider
AWS must first be configured to trust the external identity provider, which supports only OpenID Connect (OIDC). The IdP authenticates the web application and issues an ID token; AWS Security Token Service (STS) validates that token, and IAM decides what the resulting session may do.
Action: Create an IAM identity provider of type OpenID Connect from the existing provider's URL (https://auth.company.com), the audience (the client ID the IdP issued to the web application), and the material used to verify the IdP's token signatures.
Why: Without a registered provider, STS has no issuer to validate tokens against, and there is no principal to name in a role trust policy.
Reference: AWS documentation on creating OpenID Connect identity providers in IAM.
This corresponds to Option C. Options A and B (IAM Identity Center, uploading IdP metadata) describe the SAML and workforce single sign-on path, which does not fit an OIDC-only IdP used by an application.
Step 2: Create an IAM role whose trust policy pins the audience
Action: Create an IAM role with a permissions policy that allows only the S3 actions the application needs. In the trust policy, name the OIDC provider as the Federated principal, allow sts:AssumeRoleWithWebIdentity, and add a StringEquals condition on the audience claim.
Why: The condition key for an OIDC provider is <provider host>:aud, so here it is auth.company.com:aud, and the value must be the application's client ID at the IdP (appid_from_idp). Only tokens issued by auth.company.com for this application can then assume the role; a token from the same IdP minted for a different client is rejected. Option D uses sts.amazon.com:aud, which is not the registered provider's host name and therefore never matches.
Reference: AWS documentation on creating a role for web identity or OpenID Connect federation.
This corresponds to Option E.
Step 3: Obtain temporary credentials with AssumeRoleWithWebIdentity
Action: Configure the web application to call the AssumeRoleWithWebIdentity API operation with the ID token from the IdP and the role's ARN, then use the returned temporary credentials (access key, secret key, session token, expiry) for the S3 API calls.
Why: AssumeRoleWithWebIdentity requires no AWS credentials of its own, only the IdP's token, so the application never holds long-term AWS keys; the credentials it receives are short-lived and scoped to the role's permissions. GetFederationToken (Option G) must be called with the long-term credentials of an IAM user, which would reintroduce the static secret the design is trying to avoid.
Reference: AWS documentation on AssumeRoleWithWebIdentity.
This corresponds to Option F.
Summary of selected answers:
C: Create an IAM IdP by using the provider URL, audience, and signature from the existing IdP.
E: Create an IAM role that has a policy that allows the necessary S3 actions. Configure the role's trust policy to allow the OIDC IdP to assume the role if the auth.company.com:aud context key is appid_from_idp.
F: Configure the web application to use the AssumeRoleWithWebIdentity API operation to retrieve temporary credentials. Use the temporary credentials to make the S3 API calls.
This setup lets the web application authenticate with the company's OIDC IdP and interact with Amazon S3 in the target AWS account using short-lived credentials obtained from STS.
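The policies from Steps 1 to 3 as an added example (not part of the original page or of any AWS sample): it builds the role's trust and permissions policies and re-checks locally which decoded ID-token claims the trust policy accepts, so the effect of pinning auth.company.com:aud is visible. The account ID 111122223333, the role name WebAppS3Role and the bucket name app-data-bucket are hypothetical; auth.company.com and appid_from_idp come from the question. The STS call itself needs boto3 and network access and is only shown, not executed.

```python
"""Added example for Question 1: OIDC-federated role policies and a local
re-check of the trust policy's audience condition. Identifiers are hypothetical."""
import json

ACCOUNT_ID = "111122223333"                     # hypothetical account
PROVIDER_HOST = "auth.company.com"              # from the question
AUDIENCE = "appid_from_idp"                     # client ID the IdP issued to the app
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{PROVIDER_HOST}"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/WebAppS3Role"   # hypothetical role


def trust_policy(provider_arn: str, provider_host: str, audience: str) -> dict:
    """Role trust policy. The Federated principal is the IAM OIDC provider and the
    condition key is <provider host>:aud, so tokens minted for another client ID
    (or by another issuer) cannot assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {f"{provider_host}:aud": audience}},
        }],
    }


def permissions_policy(bucket: str) -> dict:
    """Least-privilege S3 permissions for the role, scoped to one bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def _claim_matches(claims: dict, claim: str, want: str) -> bool:
    value = claims.get(claim)
    if isinstance(value, list):        # OIDC allows aud to be an array
        return want in value
    return value == want


def trust_policy_allows(policy: dict, provider_arn: str, claims: dict) -> bool:
    """Mirror of the principal and condition evaluation STS performs on a decoded
    ID token. STS also verifies the token signature and expiry against the IdP's
    published keys; that part is not reproduced here."""
    provider_host = provider_arn.split("oidc-provider/", 1)[1]
    issuer = claims.get("iss", "").removeprefix("https://").rstrip("/")
    if issuer != provider_host:        # token from another issuer: no match
        return False
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Principal"].get("Federated") != provider_arn:
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        if all(_claim_matches(claims, key.split(":", 1)[1], want)
               for key, want in conds.items()):
            return True
    return False


def exchange_id_token(role_arn: str, id_token: str, session_name: str) -> dict:
    """The real exchange the web application performs. AssumeRoleWithWebIdentity
    is unsigned: no AWS credentials are needed, only the IdP's ID token. Needs
    boto3 and network access, so it is not run by the offline check below."""
    import boto3  # imported lazily so the module stays importable offline
    sts = boto3.client("sts")
    resp = sts.assume_role_with_web_identity(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        WebIdentityToken=id_token,
        DurationSeconds=3600,
    )
    return resp["Credentials"]   # AccessKeyId, SecretAccessKey, SessionToken, Expiration


if __name__ == "__main__":
    policy = trust_policy(PROVIDER_ARN, PROVIDER_HOST, AUDIENCE)
    print(json.dumps(policy, indent=2))
    # Constructed claims, not real tokens: same issuer, right and wrong audience.
    good = {"iss": "https://auth.company.com", "sub": "webapp", "aud": AUDIENCE}
    wrong_aud = {"iss": "https://auth.company.com", "sub": "webapp", "aud": "some-other-app"}
    print(trust_policy_allows(policy, PROVIDER_ARN, good))       # True
    print(trust_policy_allows(policy, PROVIDER_ARN, wrong_aud))  # False
```

The local check is only for reasoning about the policy; in production STS is the sole authority and the application never sees the trust policy. If the IdP issues tokens with several audiences, the array form is accepted as long as the role's pinned client ID is among them.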

Question#2

A DevOps engineer is building the infrastructure for an application. The application needs to run on an Amazon Elastic Kubernetes Service (Amazon EKS) cluster that includes Amazon EC2 instances. The EC2 instances need to use an Amazon Elastic File System (Amazon EFS) file system as a storage backend. The Amazon EFS Container Storage Interface (CSI) driver is installed on the EKS cluster.
When the DevOps engineer starts the application, the EC2 instances do not mount the EFS file system.
Which solutions will fix the problem? (Select THREE.)

A. Switch the EKS nodes from Amazon EC2 to AWS Fargate.
B. Add an inbound rule to the EFS file system's security group to allow NFS traffic from the EKS cluster.
C. Create an IAM role that allows the Amazon EFS CSI driver to interact with the file system.
D. Set up AWS DataSync to configure file transfer between the EFS file system and the EKS nodes.
E. Create a mount target for the EFS file system in the subnet of the EKS nodes.
F. Disable encryption on the EFS file system.

Explanation:
Mounting an EFS file system from EC2-backed EKS nodes through the Amazon EFS CSI driver depends on three independent things, and a gap in any one of them shows up as a mount failure in the pod's events:
Network path: the security group attached to the EFS mount targets must allow inbound NFS (TCP port 2049) from the nodes. Reference the node security group, or the node subnet CIDRs, in the rule rather than opening the port to 0.0.0.0/0. This is Option B.
IAM: the EFS CSI driver runs as a Kubernetes service account and needs an IAM role (through IAM roles for service accounts or EKS Pod Identity) that allows it to work with the file system. The actions listed for the role are elasticfilesystem:ClientMount and elasticfilesystem:ClientRootAccess; the AWS managed policy AmazonEFSCSIDriverPolicy covers the driver's own describe and access point calls. This is Option C.
Mount targets: the file system needs a mount target in every Availability Zone where nodes run, that is, in a subnet of each of those AZs. The file system's DNS name resolves to the mount target in the node's own AZ, so a node in an AZ without one cannot mount. This is Option E.
These are the setup requirements described in "Using the Amazon EFS CSI driver with Amazon EKS". The remaining options do not address the cause: moving the nodes to Fargate (A) changes the compute model rather than the mount path, DataSync (D) copies data instead of mounting a file system, and encryption at rest (F) has no effect on whether a mount succeeds.
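A pre-flight check for the three prerequisites above, as an added example (not from the original page or from the EFS CSI driver project). It runs over constructed inputs shaped like the fields of describe-subnets, describe-mount-targets, describe-security-groups and an IAM policy document; every ID, CIDR and AZ name in it is hypothetical. The constructed state has nodes in two AZs but a mount target in only one, no NFS rule on the mount-target security group, and a driver role that grants only Describe* actions, so all three fixes are reported.

```python
"""Added example for Question 2: diagnose which EFS mount prerequisites are
missing. Inputs are constructed and all identifiers are hypothetical."""
import fnmatch
import ipaddress

NFS_PORT = 2049
# Actions the explanation lists for the driver's role.
REQUIRED_EFS_ACTIONS = ("elasticfilesystem:ClientMount", "elasticfilesystem:ClientRootAccess")

# Constructed inputs (not real AWS output).
NODE_SUBNETS = [
    {"SubnetId": "subnet-0a1", "AvailabilityZone": "us-east-1a", "CidrBlock": "10.0.1.0/24"},
    {"SubnetId": "subnet-0b2", "AvailabilityZone": "us-east-1b", "CidrBlock": "10.0.2.0/24"},
]
NODE_SG_ID = "sg-0nodes"
MOUNT_TARGETS = [
    {"MountTargetId": "fsmt-01", "AvailabilityZoneName": "us-east-1a", "LifeCycleState": "available"},
]
EFS_SG = {"GroupId": "sg-0efs", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
]}
DRIVER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["elasticfilesystem:Describe*"], "Resource": "*"},
]}


def missing_mount_target_azs(node_subnets, mount_targets):
    """Every AZ that hosts nodes needs an available mount target (one per AZ)."""
    have = {mt["AvailabilityZoneName"] for mt in mount_targets
            if mt["LifeCycleState"] == "available"}
    need = {s["AvailabilityZone"] for s in node_subnets}
    return sorted(need - have)


def nfs_rule_present(efs_sg, node_sg_id, node_cidrs):
    """True if an inbound rule on the mount-target SG admits TCP/2049 from the
    node security group, or from CIDRs that together cover every node subnet."""
    for perm in efs_sg["IpPermissions"]:
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):            # -1 means all protocols
            continue
        if proto == "tcp" and not (perm.get("FromPort", 0) <= NFS_PORT <= perm.get("ToPort", 65535)):
            continue
        if any(p.get("GroupId") == node_sg_id for p in perm.get("UserIdGroupPairs", [])):
            return True
        rule_nets = [ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])]
        if node_cidrs and all(any(ipaddress.ip_network(c).subnet_of(n) for n in rule_nets)
                              for c in node_cidrs):
            return True
    return False


def missing_iam_actions(policy_doc, required):
    """Required actions not matched by any Allow statement (wildcards honoured)."""
    allowed = []
    for stmt in policy_doc["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        allowed.extend(acts)
    return sorted(a for a in required
                  if not any(fnmatch.fnmatchcase(a, pat) for pat in allowed))


def diagnose(node_subnets, node_sg_id, mount_targets, efs_sg, driver_policy):
    """Return the fixes still needed, labelled with the matching answer option."""
    fixes = []
    if not nfs_rule_present(efs_sg, node_sg_id, [s["CidrBlock"] for s in node_subnets]):
        fixes.append("B: allow inbound NFS (TCP 2049) from the nodes on the EFS security group")
    if missing_iam_actions(driver_policy, REQUIRED_EFS_ACTIONS):
        fixes.append("C: grant the EFS CSI driver role the missing elasticfilesystem actions")
    if missing_mount_target_azs(node_subnets, mount_targets):
        fixes.append("E: create a mount target in every AZ that hosts EKS nodes")
    return fixes


if __name__ == "__main__":
    for fix in diagnose(NODE_SUBNETS, NODE_SG_ID, MOUNT_TARGETS, EFS_SG, DRIVER_POLICY):
        print(fix)
```

To run it against a real cluster, feed it the JSON from aws ec2 describe-subnets, aws efs describe-mount-targets, aws ec2 describe-security-groups and aws iam get-role-policy (or the managed policy document) for the driver's role; the checks themselves need no AWS access.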

Question#3

A company is using AWS CodeDeploy to automate software deployment.
The deployment must meet these requirements:
• A number of instances must be available to serve traffic during the deployment. Traffic must be balanced across those instances, and the instances must automatically heal in the event of failure.
• A new fleet of instances must be launched for deploying a new revision automatically, with no manual provisioning.
• Traffic must be rerouted to the new environment to half of the new instances at a time. The deployment should succeed if traffic is rerouted to at least half of the instances; otherwise, it should fail.
• Before routing traffic to the new fleet of instances, the temporary files generated during the deployment process must be deleted.
• At the end of a successful deployment, the original instances in the deployment group must be deleted immediately to reduce costs.
How can a DevOps engineer meet these requirements?

A. Use an Application Load Balancer and an in-place deployment. Associate the Auto Scaling group with the deployment group. Use the Automatically copy Auto Scaling group option, and use CodeDeployDefault.OneAtATime as the deployment configuration. Instruct AWS CodeDeploy to terminate the original instances in the deployment group, and use the AllowTraffic hook within appspec.yml to delete the temporary files.
B. Use an Application Load Balancer and a blue/green deployment. Associate the Auto Scaling group and Application Load Balancer target group with the deployment group. Use the Automatically copy Auto Scaling group option, create a custom deployment configuration with minimum healthy hosts defined as 50%, and assign the configuration to the deployment group. Instruct AWS CodeDeploy to terminate the original instances in the deployment group, and use the BeforeBlockTraffic hook within appspec.yml to delete the temporary files.
C. Use an Application Load Balancer and a blue/green deployment. Associate the Auto Scaling group and the Application Load Balancer target group with the deployment group. Use the Automatically copy Auto Scaling group option, and use CodeDeployDefault.HalfAtATime as the deployment configuration. Instruct AWS CodeDeploy to terminate the original instances in the deployment group, and use the BeforeAllowTraffic hook within appspec.yml to delete the temporary files.
D. Use an Application Load Balancer and an in-place deployment. Associate the Auto Scaling group and Application Load Balancer target group with the deployment group. Use the Automatically copy Auto Scaling group option, and use CodeDeployDefault.AllAtOnce as the deployment configuration. Instruct AWS CodeDeploy to terminate the original instances in the deployment group, and use the BlockTraffic hook within appspec.yml to delete the temporary files.

Explanation:
Step 1: Use a blue/green deployment with a copied Auto Scaling group
A blue/green deployment launches a new fleet (the green environment) for each revision while the existing fleet (blue) keeps serving traffic, then shifts traffic to the new fleet. With the Automatically copy Auto Scaling group option, CodeDeploy creates the replacement Auto Scaling group from the original one, which satisfies the requirement that the new fleet be provisioned with no manual steps. An in-place deployment (Options A and D) updates the existing instances and never launches a new fleet.
Action: Configure the deployment group for blue/green deployments and select the Automatically copy Auto Scaling group option.
Why: The new fleet is provisioned automatically, and traffic is shifted only to instances that have completed the deployment's lifecycle events.
Reference: AWS documentation on blue/green deployments with CodeDeploy.
Step 2: Use an Application Load Balancer and an Auto Scaling group
Action: Associate the Auto Scaling group and the Application Load Balancer target group with the deployment group.
Why: The ALB balances traffic across the registered instances, and the Auto Scaling group replaces instances that fail health checks, which meets the requirement that instances heal automatically. CodeDeploy registers the replacement instances with the target group during the AllowTraffic event and deregisters the original ones during BlockTraffic.
Reference: AWS documentation on integrating CodeDeploy with Elastic Load Balancing and Auto Scaling.
Step 3: Choose the deployment configuration
The requirement is that traffic be rerouted to half of the new instances at a time, succeeding if at least half of them receive traffic and failing otherwise. That is the definition of the built-in CodeDeployDefault.HalfAtATime configuration: it deploys to as many as half of the instances at a time (fractions rounded down) and succeeds if the revision is deployed to at least half of the instances (fractions rounded up), so no custom configuration is needed. A custom configuration with 50% minimum healthy hosts (Option B) would behave similarly, but Option B pairs it with the wrong hook (see Step 4). CodeDeployDefault.OneAtATime (Option A) and CodeDeployDefault.AllAtOnce (Option D) do not meet the half-at-a-time requirement.
Action: Select CodeDeployDefault.HalfAtATime as the deployment configuration.
Reference: AWS documentation on deployment configurations.
Step 4: Clean up temporary files with the BeforeAllowTraffic hook
On the replacement instances the lifecycle runs ApplicationStop, DownloadBundle, BeforeInstall, Install, AfterInstall, ApplicationStart, ValidateService, BeforeAllowTraffic, AllowTraffic and AfterAllowTraffic. BeforeAllowTraffic is the last scriptable event before the instances are registered with the target group, so a cleanup script attached to it runs on the new fleet before any traffic reaches it. BeforeBlockTraffic (Option B) runs on the original instances just before they are deregistered, which is the wrong fleet and the wrong moment. AllowTraffic and BlockTraffic (Options A and D) are reserved events that the CodeDeploy agent performs itself; scripts cannot be attached to them.
Action: Add a BeforeAllowTraffic entry in the hooks section of appspec.yml that runs the cleanup script.
Why: The new instances start serving traffic from a clean state, and the cleanup cannot be skipped by a later step.
Reference: AWS documentation on the AppSpec hooks section.
Step 5: Terminate the original instances immediately
Action: In the deployment group's blue/green settings, choose to terminate the original instances in the deployment group and set the termination wait time (terminationWaitTimeInMinutes) to 0.
Why: Deleting the blue fleet right after a successful cutover removes idle instances and their cost. Keeping them for a while would allow a fast rollback, but that contradicts the stated requirement.
Reference: AWS documentation on blue/green deployment group settings.
This corresponds to Option C: Use an Application Load Balancer and a blue/green deployment. Associate the Auto Scaling group and the Application Load Balancer target group with the deployment group. Use the Automatically copy Auto Scaling group option, and use CodeDeployDefault.HalfAtATime as the deployment configuration. Instruct AWS CodeDeploy to terminate the original instances in the deployment group, and use the BeforeAllowTraffic hook within appspec.yml to delete the temporary files.
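Steps 3 and 4 as an added example (not from the original page or from any AWS sample): the hooks section of the appspec.yml for Option C expressed as Python data, a validator that rejects hooks attached to reserved lifecycle events (the mistake in Options A and D) and reports which hooked events run on the replacement fleet before traffic is allowed, and the HalfAtATime batch-size and success rule applied to a fleet. The script paths scripts/cleanup_tmp.sh and scripts/healthcheck.sh are hypothetical; the lifecycle event names and order are CodeDeploy's.

```python
"""Added example for Question 3: appspec hooks validation and the
CodeDeployDefault.HalfAtATime rule. Script paths are hypothetical."""
import math

# EC2/On-Premises lifecycle events in the order the agent runs them. Events in
# RESERVED are performed by the agent itself and cannot carry scripts.
REPLACEMENT_EVENTS = [   # run on the replacement (green) instances
    "ApplicationStop", "DownloadBundle", "BeforeInstall", "Install", "AfterInstall",
    "ApplicationStart", "ValidateService", "BeforeAllowTraffic", "AllowTraffic",
    "AfterAllowTraffic",
]
ORIGINAL_EVENTS = ["BeforeBlockTraffic", "BlockTraffic", "AfterBlockTraffic"]  # original (blue) instances
RESERVED = {"DownloadBundle", "Install", "BlockTraffic", "AllowTraffic"}

# appspec.yml for Option C as data: verify the service, then clean temp files
# on the new fleet before the load balancer starts sending it traffic.
APPSPEC = {
    "version": 0.0,
    "os": "linux",
    "files": [{"source": "/", "destination": "/opt/app"}],
    "hooks": {
        "ValidateService": [{"location": "scripts/healthcheck.sh", "timeout": 120}],
        "BeforeAllowTraffic": [{"location": "scripts/cleanup_tmp.sh", "timeout": 60, "runas": "root"}],
    },
}


def validate_hooks(appspec):
    """Return a list of problems; an empty list means the hooks section is usable."""
    problems = []
    known = set(REPLACEMENT_EVENTS) | set(ORIGINAL_EVENTS)
    for event, scripts in appspec.get("hooks", {}).items():
        if event not in known:
            problems.append(f"{event}: not a lifecycle event")
        elif event in RESERVED:
            problems.append(f"{event}: reserved event, scripts cannot be attached")
        for script in scripts:
            if "location" not in script:
                problems.append(f"{event}: script entry without location")
    return problems


def runs_before_traffic(appspec):
    """Hooked events that complete on the replacement fleet before AllowTraffic."""
    cutoff = REPLACEMENT_EVENTS.index("AllowTraffic")
    return [e for e in REPLACEMENT_EVENTS[:cutoff] if e in appspec.get("hooks", {})]


def half_at_a_time(total_instances, succeeded_instances):
    """CodeDeployDefault.HalfAtATime: deploy to as many as half the instances at a
    time (fractions rounded down); the deployment succeeds if the revision reached
    at least half of the instances (fractions rounded up). Returns (batch, ok)."""
    batch = max(1, total_instances // 2)   # max(1, ...) is an assumption for a one-instance fleet
    ok = succeeded_instances >= math.ceil(total_instances / 2)
    return batch, ok


if __name__ == "__main__":
    print(validate_hooks(APPSPEC))                      # []
    print(runs_before_traffic(APPSPEC))                 # ['ValidateService', 'BeforeAllowTraffic']
    option_a = {"hooks": {"AllowTraffic": [{"location": "scripts/cleanup_tmp.sh"}]}}
    print(validate_hooks(option_a))                     # reserved event
    print(half_at_a_time(6, 3), half_at_a_time(5, 2))   # (3, True) (2, False)
```

Run the validator in CI against the parsed appspec.yml (for example after loading it with a YAML parser) so a hook on a reserved event fails the pipeline before CodeDeploy rejects the revision.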

Question#4

A company builds a container image in an AWS CodeBuild project by running Docker commands. After the container image is built, the CodeBuild project uploads the container image to an Amazon S3 bucket. The CodeBuild project has an IAM service role that has permissions to access the S3 bucket.
A DevOps engineer needs to replace the S3 bucket with an Amazon Elastic Container Registry (Amazon ECR) repository to store the container images. The DevOps engineer creates an ECR private image repository in the same AWS Region of the CodeBuild project. The DevOps engineer adjusts the IAM service role with the permissions that are necessary to work with the new ECR repository. The DevOps engineer also places new repository information into the docker build command and the docker push command that are used in the buildspec.yml file.
When the CodeBuild project runs a build job, the job fails when the job tries to access the ECR repository.
Which solution will resolve the issue of failed access to the ECR repository?

A. Update the buildspec.yml file to log in to the ECR repository by using the aws ecr get-login-password AWS CLI command to obtain an authentication token. Update the docker login command to use the authentication token to access the ECR repository.
B. Add an environment variable of type SECRETS_MANAGER to the CodeBuild project. In the environment variable, include the ARN of the CodeBuild project's IAM service role. Update the buildspec.yml file to use the new environment variable to log in with the docker login command to access the ECR repository.
C. Update the ECR repository to be a public image repository. Add an ECR repository policy that allows the IAM service role to have access.
D. Update the buildspec.yml file to use the AWS CLI to assume the IAM service role for ECR operations. Add an ECR repository policy that allows the IAM service role to have access.

Explanation:
Correct answer: A. Update the buildspec.yml file to log in to the ECR repository by using the aws ecr get-login-password AWS CLI command to obtain an authentication token, and pass that token to the docker login command.
IAM permissions on the CodeBuild service role authorize the ECR API calls, but the Docker client still needs registry credentials before docker push or docker pull will work; without them the push fails with a "no basic auth credentials" style error. The aws ecr get-login-password command uses the build's temporary role credentials (the service role must allow ecr:GetAuthorizationToken) to retrieve a registry password that is valid for 12 hours. Piping it into docker login --username AWS --password-stdin for the registry host <account-id>.dkr.ecr.<region>.amazonaws.com gives the Docker client a session for that registry, after which the build can push and pull images without errors. The other options do not supply registry credentials: a SECRETS_MANAGER variable holding a role ARN is not a password (B), making the repository public only changes who can pull from it (C), and assuming the role the build already runs as adds nothing (D). For more information, see Using Amazon ECR with the AWS CLI and get-login-password.
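A buildspec.yml that applies the fix, as an added example that is not part of the original page or of any AWS sample. The account ID, repository name and tag are placeholders, and AWS_DEFAULT_REGION is an environment variable CodeBuild sets for the build.

```yaml
version: 0.2

env:
  variables:
    AWS_ACCOUNT_ID: "111122223333"   # placeholder
    IMAGE_REPO_NAME: "my-app"        # placeholder ECR repository name
    IMAGE_TAG: "latest"

phases:
  pre_build:
    commands:
      - REGISTRY="$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com"
      # The token comes from the build's IAM role; nothing is stored in the buildspec.
      - aws ecr get-login-password --region "$AWS_DEFAULT_REGION" | docker login --username AWS --password-stdin "$REGISTRY"
  build:
    commands:
      - docker build -t "$IMAGE_REPO_NAME:$IMAGE_TAG" .
      - docker tag "$IMAGE_REPO_NAME:$IMAGE_TAG" "$REGISTRY/$IMAGE_REPO_NAME:$IMAGE_TAG"
  post_build:
    commands:
      - docker push "$REGISTRY/$IMAGE_REPO_NAME:$IMAGE_TAG"
```

The service role needs ecr:GetAuthorizationToken (on resource "*") plus the push actions on the repository: ecr:BatchCheckLayerAvailability, ecr:InitiateLayerUpload, ecr:UploadLayerPart, ecr:CompleteLayerUpload and ecr:PutImage, and ecr:BatchGetImage and ecr:GetDownloadUrlForLayer if the build also pulls. Pin the tag to something like the commit ID rather than latest when the image is consumed by a deployment, so a rollback can reference an exact image.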

Question#5

A company hosts a security auditing application in an AWS account. The auditing application uses an IAM role to access other AWS accounts. All the accounts are in the same organization in AWS Organizations.
A recent security audit revealed that users in the audited AWS accounts could modify or delete the auditing application's IAM role. The company needs to prevent any modification to the auditing application's IAM role by any entity other than a trusted administrator IAM role.
Which solution will meet these requirements?

A. Create an SCP that includes a Deny statement for changes to the auditing application's IAM role. Include a condition that allows the trusted administrator IAM role to make changes. Attach the SCP to the root of the organization.
B. Create an SCP that includes an Allow statement for changes to the auditing application's IAM role by the trusted administrator IAM role. Include a Deny statement for changes by all other IAM principals. Attach the SCP to the IAM service in each AWS account where the auditing application has an IAM role.
C. Create an IAM permissions boundary that includes a Deny statement for changes to the auditing application's IAM role. Include a condition that allows the trusted administrator IAM role to make changes. Attach the permissions boundary to the audited AWS accounts.
D. Create an IAM permissions boundary that includes a Deny statement for changes to the auditing application’s IAM role. Include a condition that allows the trusted administrator IAM role to make changes. Attach the permissions boundary to the auditing application's IAM role in the AWS accounts.

Disclaimer

This page is for educational and exam preparation reference only. It is not affiliated with Amazon, the AWS Certified DevOps Engineer - Professional (DOP-C02) exam, or the official exam provider. Candidates should refer to official documentation and training for authoritative information.

Exam Code: DOP-C02. Q&As: 424. Updated: 2026-04-10.
