Free AWS DOP-C02 Actual Exam Questions
Dumps Box (DumpsBox) offers up-to-date practice exam questions for the DOP-C02 certification exam, which are developed and validated by Amazon – AWS subject domain experts certified in AWS DOP-C02. These practice questions are updated regularly as we keep an eye on any recent changes in the DOP-C02 syllabus, and when there is an update our team quickly adjusts the questions. This commitment to providing the best quality exam prep material to certification aspirants is what makes DumpsBox.com the best certification exam prep website. On top of that, our strong, yet strictly moderated, community-based feedback keeps the content clean and current. Each question has helpful community discussion that gives it extra perspective and introduces helpful resources for better exam preparation. This also saves students from other outdated practice questions or illicit exam dumps that can have adverse effects on a career. Browse through our AWS DOP-C02 exam questions and pass your exam on the first try.
contains 10 AWS accounts. The company has turned on AWS CloudTrail in all the accounts. The
company expects the number of AWS accounts in the organization to increase to 500 during the next
year. The company plans to use multiple OUs for these accounts.
The company has enabled AWS Config in each existing AWS account in the organization. A DevOps
engineer must implement a solution that enables AWS Config automatically for all future AWS
accounts that are created in the organization.
Which solution will meet this requirement?
It’s D because using EventBridge to catch the CreateAccount event and then triggering a Systems Manager Automation runbook gives a clear, automated way to enable AWS Config right after an account is made. Unlike Lambda (option A), Automation runbooks can handle more complex steps and error handling, making them better suited for this kind of setup. Options B and C miss the automatic trigger or don’t actually enable Config themselves, so they’re less complete solutions.
B tbh, stack sets are designed to handle automatic deployments across new accounts in an organization, which fits the scale here better than manual triggers or SCPs that don’t enable Config themselves.
engineering team maintains the database resources in a CloudFormation template, and the software
development team maintains the web application resources in a separate CloudFormation template.
As the scope of the application grows, the software development team needs to use resources
maintained by the database engineering team. However, both teams have their own review and
lifecycle management processes that they want to keep. Both teams also require resource-level
change-set reviews. The software development team would like to deploy changes to this template
using their CI/CD pipeline.
Which solution will meet these requirements?
Maybe A makes sense since exports keep the stacks independent and allow both teams to review changes separately. Passing resource IDs as parameters like D feels messier and more manual.
A/D? Exporting outputs (A) keeps teams independent, but passing IDs as parameters (D) also sounds simple and clean. Not sure if stack sets or nested stacks fit well with separate reviews here.
dashboard to view changes to the Redshift users and the queries the users perform.
Which combination of steps will meet this requirement? (Select TWO.)
It’s B for sure because Redshift audit logs go to S3 by default. Then I’d pick E because using a Lambda with Athena to query those logs makes sense for building a custom dashboard. D sounds easy but I don’t think CloudWatch gets Redshift logs directly, so the widget wouldn’t have the data. Plus, Lambda gives more flexibility to process and filter the logs before showing them. So B and E seem like the right pair to me.
Option B handles audit logs to S3, and D lets us visualize them easily on CloudWatch.
sales event and must ensure that the web application can scale to meet the demand.
The application's frontend infrastructure includes an Amazon CloudFront distribution that has an
Amazon S3 bucket as an origin. The backend infrastructure includes an Amazon API Gateway API,
several AWS Lambda functions, and an Amazon Aurora DB cluster.
The company's DevOps engineer conducts a load test and identifies that the Lambda functions can
fulfill the peak number of requests. However, the DevOps engineer notices request latency during the
initial burst of requests. Most of the requests to the Lambda functions produce queries to the
database. A large portion of the invocation time is used to establish database connections.
Which combination of steps will provide the application with the required scalability? (Select TWO.)
Guessing A and E here—reserved concurrency (A) can make sure Lambdas don't get throttled at peak, and RDS Proxy (E) would handle the DB connection overhead, which seems to be the main cause of latency.
Option A could help by setting higher reserved concurrency to ensure enough Lambda instances can run simultaneously, preventing throttling during the burst. Also, option D might be worth considering—if the DB connections are being initialized outside the handler, refactoring to open connections inside the handler could avoid unnecessary initialization on cold starts. Combining these could reduce latency during spikes even if provisioned concurrency and RDS Proxy are not fully implemented yet. Still, I think A and D are good independent measures to improve scalability in this setup.
custom on-premises CI/CD pipeline solution to build and package software.
The company wants its software packages and dependent public repositories to be available in AWS
CodeArtifact to facilitate the creation of application-specific pipelines.
Which combination of steps should the company take to update the CI/CD pipeline solution and to
configure CodeArtifact with the LEAST operational overhead? (Select TWO.)
B/D for sure. B avoids managing long-term credentials by using IAM Roles Anywhere, and D simplifies dependency management with upstream connections. The other choices add unnecessary complexity or overhead.
This one feels like B and D. B makes sense because IAM Roles Anywhere lets the on-prem pipeline assume a role securely without managing long-lived creds, which reduces operational work. And D is the cleanest way to handle public repo dependencies by setting them as upstream connections in CodeArtifact, so you don’t have to manually sync or maintain them yourself. Other options add unnecessary steps or complexity, but B and D keep it simple and scalable.
Amazon EC2 instance in production. No developer should be allowed to attach an Elastic IP address
to an instance. The security team must be notified if any production server has an Elastic IP address
at any time.
How can this task be automated?
B imo, it combines permission denial with automated compliance checks and alerts.
This is tricky but I’d go with C because it’s about removing permissions from developers completely, and the scheduled Lambda keeps checking for violations regularly. That double check feels safer than just relying on Config alerts. C
Balancer (ALB). The EC2 instances are in multiple Availability Zones. The application was
misconfigured in a single Availability Zone, which caused a partial outage of the application.
A DevOps engineer made changes to ensure that the unhealthy EC2 instances in one Availability
Zone do not affect the healthy EC2 instances in the other Availability Zones. The DevOps engineer
needs to test the application's failover and shift where the ALB sends traffic. During failover, the ALB
must avoid sending traffic to the Availability Zone where the failure has occurred.
Which solution will meet these requirements?
I think D fits best here. Using the readiness check with the ELB target group ARN gives a more targeted way to control traffic to specific AZs, which seems safer than just turning off cross-zone load balancing. It ensures that only healthy targets get traffic during failover, which is what they want.
B/C? B feels right since cross-zone is set on the target group, and ARC can shift traffic away from the bad AZ. But C could work if ARC handles ALB DNS-level failover cleanly.
company has configured the stack to send event notifications to an Amazon Simple Notification
Service (Amazon SNS) topic.
A DevOps engineer must implement an automated solution that applies a tag to the specific
CloudFormation stack instance only after a successful stack update occurs. The DevOps engineer has
created an AWS Lambda function that applies and updates this tag for the specific stack instance.
Which solution will meet these requirements?
B tbh seems off since AWS Config is more about compliance checks, not real-time event triggers for stack updates. EventBridge in C is more direct and real-time for this use case.
It’s C. Using an EventBridge rule to catch the UPDATE_COMPLETE event is more precise and doesn’t depend on how the SNS topic is configured or whether it’s shared with other stacks. This way, the Lambda runs only when that specific event happens, avoiding unnecessary triggers. Option D depends a lot on how the SNS topic is set up, and if it’s shared or not filtered properly, the Lambda could fire off for unrelated events. EventBridge feels like the cleaner, more direct approach here.
the use of Instance Metadata Service Version 2 (IMDSv2) on all EC2 instances in the AWS account. If
an EC2 instance does not prevent the use of Instance Metadata Service Version 1 (IMDSv1), the EC2
instance must be terminated.
Which solution will meet these requirements?
Probably A makes the most sense here since AWS Config rules continuously monitor all instances, not just new ones, so it can catch and remediate existing non-compliant instances by terminating them automatically.
Maybe D could work since it reacts right when an instance launches, checking the metadata version immediately. If it finds IMDSv1 is enabled, the Lambda can shut down that instance fast. That way, you catch non-compliant instances as soon as they come up. A relies on AWS Config which is good for ongoing compliance but might not catch things instantly at launch. Plus, D’s event-driven approach feels more direct for this kind of enforcement without needing extra setup like Systems Manager Automation. Just depends on how quickly you want to react after instance creation.
member of the company's security team must sign off on any application changes before the changes
are deployed into production. The approval must be recorded and retained.
Which combination of actions will meet these requirements? (Select TWO.)
It’s definitely E for the manual approval since it’s made exactly for that kind of sign-off process. For the second pick, I’d go with A because CloudWatch Logs give you detailed, timestamped records of all pipeline actions, which fits the requirement to record and retain the approval. CloudTrail (C) is more about API calls and might not capture the manual approval details as clearly as CloudWatch does. B sounds useful but it’s not as explicit about capturing approvals as logs are. So E and A seem like a solid combo here.
E imo for the manual approval part since it's designed for explicit sign-offs. For retention, B works well because storing pipeline stage data in S3 keeps a clear record of changes over time.
these requirements:
• A number of instances must be available to serve traffic during the deployment. Traffic must be
balanced across those instances, and the instances must automatically heal in the event of failure.
• A new fleet of instances must be launched for deploying a new revision automatically, with no
manual provisioning.
• Traffic must be rerouted to the new environment to half of the new instances at a time. The
deployment should succeed if traffic is rerouted to at least half of the instances; otherwise, it should
fail.
• Before routing traffic to the new fleet of instances, the temporary files generated during the
deployment process must be deleted.
• At the end of a successful deployment, the original instances in the deployment group must be
deleted immediately to reduce costs.
How can a DevOps engineer meet these requirements?
B vs C? Both use blue/green which fits the new fleet and traffic shifting needs. B sets a custom min healthy hosts at 50% which matches the “half the instances” requirement, but the BeforeBlockTraffic hook might run too early since traffic is still flowing. C uses CodeDeployDefault.HalfAtAtime which is designed for shifting traffic half at a time and has the BeforeAllowTraffic hook to delete temp files just before traffic switches, which seems cleaner. C also mentions immediate termination of old instances. I’d pick C over B mainly because of better timing on deleting temp files and deployment
D imo doesn’t work because in-place deployments can’t launch a new fleet automatically, which is a key requirement here. Also, CodeDeployDefault.AllAtOnce would shift all traffic at once, not half at a time. That conflicts with the staged traffic rerouting. So the option’s deployment type and strategy seem off for the requirements. The hooks timing for deleting temp files also feels less precise compared to BeforeAllowTraffic for cleaning right before traffic hits new instances. Overall, D misses the automatic fleet launch and controlled traffic shift parts, which are pretty critical here.
Tower to build a landing zone that has an audit and logging account All databases must be encrypted
at rest for compliance reasons. The company's security engineer needs to receive notification about
any noncompliant databases that are in the company's accounts.
Which solution will meet these requirements with the MOST operational efficiency?
It’s A because Control Tower guardrails automate compliance checks without extra setup.
A, Control Tower guardrails handle this natively, no custom code needed.
instances that are in an Auto Scaling group. The
application is stateless. The Auto Scaling group uses a custom AMI that is fully prebuilt. The EC2
instances do not have a custom bootstrapping process.
The AMI that the Auto Scaling group uses was recently deleted. The Auto Scaling group's scaling
activities show failures because the AMI ID does not exist.
Which combination of steps should a DevOps engineer take to meet these requirements? (Select
THREE.)
It’s C to avoid failures, plus A and B to fix the AMI issue properly.
Maybe C, A, and B. C to scale down the group to zero to avoid launch failures, then A and B to create and apply a new launch template with the correct AMI before scaling back up.
uses AWS Backup in a primary account and uses an AWS Key Management Service (AWS KMS) key to
encrypt the backups.
The company needs to automate a cross-account backup of the resources that AWS Backup backs up
in the primary account. The company configures cross-account backup in the Organizations
management account. The company creates a new AWS account in the organization and configures
an AWS Backup backup vault in the new account. The company creates a KMS key in the new account
to encrypt the backups. Finally, the company configures a new backup plan in the primary account.
The destination for the new backup plan is the backup vault in the new account.
When the AWS Backup job in the primary account is invoked, the job creates backups in the primary
account. However, the backups are not copied to the new account's backup vault.
Which combination of steps must the company take so that backups can be copied to the new
account's backup vault? (Select TWO.)
Maybe A and E. The backup vault in the new account needs to trust the primary account, and the new account’s KMS key policy must allow the primary account’s AWS Backup service to use it for encryption.
Maybe try A and E. The backup vault in the new account definitely needs to allow the primary account access so it can store backups there, and since the new account’s KMS key encrypts those backups, its key policy must grant the primary account permission to use that key. Without that, the copy can’t happen. The other options seem off because the backup vault and KMS key in the primary account don’t control access for storing backups in the new account’s vault.
in an Amazon S3 bucket. All data is encrypted with AWS Key Management Service (AWS KMS)
customer managed keys. All AWS resources are deployed from an AWS CloudFormation template.
A DevOps engineer needs to set up a development environment for the application in a different
AWS account. The data in the development environment's S3 bucket needs to be updated once a
week from the production environment's S3 bucket.
The company must not move PII from the production environment without anonymizing the PII first.
The data in each environment must be encrypted with different KMS customer managed keys.
Which combination of steps should the DevOps engineer take to meet these requirements? (Select
TWO.)
This seems like a good case for A and D. The Step Functions can do the PII redaction and copying with proper KMS permissions, while EventBridge can schedule the workflow weekly in the dev account.
C/E? Batch Operations can handle copying at scale, and Lambda redacts PII before access in dev. Scheduling with EC2 cron keeps it automated without added complexity.