Free Amazon Web Services DOP-C02 Practice Exam with Questions & Answers | Set: 13

Name: How to Pass DOP-C02 Exams
Brand: Examstrack
SKU: dop-c02
Price: 31.5 USD
Availability: InStock

Questions 121

A production account has a requirement that any Amazon EC2 instance that has been logged in to manually must be terminated within 24 hours. All applications in the production account are using Auto Scaling groups with the Amazon CloudWatch Logs agent configured.

How can this process be automated?

Options:

Create a CloudWatch Logs subscription to an AWS Step Functions application. Configure an AWS Lambda function to add a tag to the EC2 instance that produced the login event and mark the instance to be decommissioned. Create an Amazon EventBridge rule to invoke a second Lambda function once a day that will terminate all instances with this tag.

Create an Amazon CloudWatch alarm that will be invoked by the login event. Send the notification to an Amazon Simple Notification Service (Amazon SNS) topic that the operations team is subscribed to, and have them terminate the EC2 instance within 24 hours.

Create an Amazon CloudWatch alarm that will be invoked by the login event. Configure the alarm to send to an Amazon Simple Queue Service (Amazon SQS) queue. Use a group of worker instances to process messages from the queue, which then schedules an Amazon EventBridge rule to be invoked.

Create a CloudWatch Logs subscription to an AWS Lambda function. Configure the function to add a tag to the EC2 instance that produced the login event and mark the instance to be decommissioned. Create an Amazon EventBridge rule to invoke a daily Lambda function that terminates all instances with this tag.

Amazon Web Services DOP-C02 Premium Access

Kelvin

26-Jan-2026

Success was guaranteed with examstrack.com's help. I aced my DOP-C02 exam with flying colors.

Questions 122

A company deploys a web application on Amazon EC2 instances that are behind an Application Load Balancer (ALB). The company stores the application code in an AWS CodeConnections compatible Git repository.

When the company merges code to the main branch, an AWS CodeBuild project is initiated. The CodeBuild project compiles the code, stores the packaged code in AWS CodeArtifact, and invokes AWS Systems Manager Run Command to deploy the packaged code to the EC2 instances.

Previous deployments have resulted in defects, EC2 instances that were not running the latest version of the packaged code, and inconsistencies between instances. A DevOps engineer needs to improve the reliability of the deployment solution.

Which combination of actions will meet this requirement? (Select TWO.)

Options:

Create a pipeline in AWS CodePipeline that uses the Git repository as the source provider. Configure the pipeline to have parallel build and test stages. In the pipeline, pass the CodeBuild project output artifact to an AWS CodeDeploy action.

Create a pipeline in AWS CodePipeline that uses the Git repository as the source provider. Configure the pipeline to have a build stage followed by a test stage. In the pipeline, pass the CodeBuild project output artifact to an AWS CodeDeploy action.

Create an AWS CodeDeploy application and a deployment group to deploy the packaged code to the EC2 instances. Configure the ALB for the deployment group.

Create individual AWS Lambda functions that use AWS CodeDeploy instead of Systems Manager to run build, test, and deploy actions.

Create an Amazon S3 bucket. Modify the CodeBuild project to store the packages in the S3 bucket instead of in CodeArtifact. Use deploy actions in CodeDeploy to deploy.

Questions 123

A company runs applications in AWS accounts that are in an organization in AWS Organizations The applications use Amazon EC2 instances and Amazon S3.

The company wants to detect potentially compromised EC2 instances suspicious network activity and unusual API activity in its existing AWS accounts and in any AWS accounts that the company creates in the future When the company detects one to these events the company wants to use an existing Amazon Simple Notification Service (Amazon SNS) topic to send a notification to its operational support team for investigation and remediation.

Which solution will meet these requirements in accordance with AWS best practices?

Options:

In the organization's management account configure an AWS account as the Amazon GuardDuty administrator account. In the GuardDuty administrator account add the company's existing AWS accounts to GuardDuty as members In the GuardDuty administrator account create an Amazon EventBridge rule with an event pattern to match GuardDuty events and to forward matching events to the SNS topic.

In the organization's management account configure Amazon GuardDuty to add newly created AWS accounts by invitation and to send invitations to the existing AWS accounts Create an AWS Cloud Formation stack set that accepts the GuardDuty invitation and creates an Amazon EventBridge rule Configure the rule with an event pattern to match. GuardDuty events and to forward matching events to the SNS topic. Configure the Cloud Formation stack set t

In the organization's management account. create an AWS CloudTrail organization trail Activate the organization trail in all AWS accounts in the organization. Create an SCP that enables VPC Flow Logs in each account in the organization. Configure AWS Security Hub for the organization Create an Amazon EventBridge rule with an even pattern to match Security Hub events and to forward matching events to the SNS topic.

In the organization's management account configure an AWS account as the AWS CloudTrail administrator account in the CloudTrail administrator account create a CloudTrail organization trail. Add the company's existing AWS accounts to the organization trail Create an SCP that enables VPC Flow Logs in each account in the organization. Configure AWS Security Hub for the organization. Create an Amazon EventBridge rule with an event pattern to ma

Questions 124

A company uses AWS Control Tower and Organizations for a multi-account environment. It needs to create new accounts and ensure they receive a consistent baseline configuration.

Which solution meets the requirement with the least overhead?

Options:

Use Account Factory Customization (AFC) blueprints for baseline setup.

Use Account Factory + StackSets post-setup.

Use Organizations with Lambda applying baseline via access role.

Use Organizations + StackSets manually.

Questions 125

A DevOps engineer is working on a member account in an organization in AWS Organizations with all features enabled. The account has sensitive data stored in Amazon S3 buckets.

The DevOps engineer must ensure that all public access to S3 buckets in the account is blocked. If the account-level S3 Block Public Access settings change in the future, the changes must be reverted automatically so that all public access is blocked again.

Which solution meets these requirements?

Options:

Enable AWS Security Hub in the account. Enable the Security Hub control to evaluate the account-level Block Public Access settings. Enable automated remediation for the Security Hub control.

Set up AWS Config in the account. Create an AWS Config managed rule that evaluates the account-level Block Public Access settings. Enable automatic remediation for the rule by using a predefined AWS Systems Manager runbook to configure S3 Block Public Access settings.

In the organization’s management account, create an SCP that denies S3 actions from outside the AWS account. Attach the SCP to the member account.

Enable Amazon Macie in the account. Create an Amazon EventBridge rule with an event pattern that matches Macie policy findings. Configure the rule with an EventBridge target to run a predefined AWS Systems Manager runbook to configure S3 Block Public Access settings.

Answer:

Explanation:

Option B is the only choice that directly satisfies both requirements:

Continuously evaluate the account-level S3 Block Public Access setting

AWS Config is designed to record configuration state and evaluate resources/settings against rules over time.

A Config rule (managed rule) can check whether the account-level “S3 Block Public Access” settings are configured as required (i.e., blocking public access).

Automatically revert drift (auto-remediate) if someone changes the setting later

AWS Config Remediation can automatically trigger an AWS Systems Manager Automation runbook when the rule becomes NON_COMPLIANT.

Using an SSM Automation document/runbook that sets S3 account-level Block Public Access back to the required “blocked” configuration ensures that any future change is corrected automatically, restoring compliance without manual intervention.

Why the other options don’t fully meet the requirement:

A (Security Hub): Security Hub primarily aggregates findings and checks controls. While it can integrate with automation, AWS Config is the standard service for configuration drift detection + automatic remediation loops for account-level posture settings. Security Hub is not the most direct “detect config drift and auto-fix” mechanism for an account setting in the way Config remediation is.

C (SCP): An SCP can restrict API actions, but it doesn’t “revert” a changed S3 Block Public Access configuration; it only prevents/limits what actions can be called. Also, “deny S3 actions from outside the account” is not the same as enforcing Block Public Access settings at the account level.

D (Macie + EventBridge): Macie focuses on data discovery and sensitive data findings, not enforcing or continuously remediating S3 account-level Block Public Access configuration drift. Triggering remediation off Macie findings is indirect and not aligned to “setting changed → immediately revert.”

Exam Code: DOP-C02

Certification Provider: Amazon Web Services

Exam Name: AWS Certified DevOps Engineer - Professional

Last Update: Feb 21, 2026

Questions: 419

How to Pass DOP-C02 Exams

PDF + Testing Engine
~~$164.99~~ $49.5 Add to Cart

Testing Engine
~~$124.99~~ $37.5 Add to Cart

PDF (Q&A)
~~$104.99~~ $31.5 Add to Cart

Amazon Web Services Related Exams

How to pass Amazon Web Services SAP-C02 - AWS Certified Solutions Architect - Professional Exam

How to pass Amazon Web Services AIP-C01 - AWS Certified Generative AI Developer - Professional Exam

DVA-C02 - AWS Certified Developer - Associate

MLS-C01 - AWS Certified Machine Learning - Specialty

SCS-C02 - AWS Certified Security - Specialty

SOA-C03 - AWS Certified CloudOps Engineer - Associate

AXS-C01 - AWS Certified Alexa Skill Builder-Specialty

Data-Engineer-Associate - AWS Certified Data Engineer - Associate (DEA-C01)

MLA-C01 - AWS Certified Machine Learning Engineer - Associate

CLF-C02 - AWS Certified Cloud Practitioner

SAA-C03 - AWS Certified Solutions Architect - Associate (SAA-C03)

SCS-C03 - AWS Certified Security – Specialty

AIF-C01 - AWS Certified AI Practitioner Exam

ANS-C01 - Amazon AWS Certified Advanced Networking - Specialty

GDP-C01 - AWS Certified Generative AI Developer - Professional

Get Amazon Web Services Full Access

Amazon Web Services Free Exams
Get free access to Amazon Web Services exam prep materials and practice tests at Examstrack. Achieve your Amazon Web Services certification goals by exploring Examstrack.

Spring Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70track

Navigation:

examstrack logo

Hot Vendors:

Free Amazon Web Services DOP-C02 Practice Exam with Questions & Answers | Set: 13

How to Pass DOP-C02 Exams

Amazon Web Services Related Exams

Amazon Web Services Free Exams