Free Practice Questions for Amazon Web Services DOP-C02 Exam

The requirements clearly indicate the need for modern CodePipeline capabilities , strict execution ordering, Git tag–based triggers, and loose coupling between pipelines. CodePipeline V2 introduces execution modes such as QUEUED and SUPERSEDED , along with native support for advanced trigger filtering when using AWS CodeConnections.

The requirement that the pipeline must wait for the previous run to finish directly maps to QUEUED mode , which ensures that pipeline executions run sequentially rather than replacing in-progress executions. SUPERSEDED mode would cancel the running execution, which violates the requirement.

Triggering the pipeline when new Git tags are pushed is supported through CodePipeline V2 trigger filters using refs/tags/*. Branch-based triggers would not satisfy this condition.

Finally, the requirement that an existing deployment pipeline runs in response to new container images is best met using Amazon EventBridge , which natively emits events for ECR image push actions . EventBridge allows decoupled, event-driven orchestration between pipelines without tight dependencies or custom scripting. This is the AWS-recommended approach for pipeline-to-pipeline coordination.

Options C and D rely on CodePipeline V1 , which lacks modern trigger filtering and execution control. Option B incorrectly uses SUPERSEDED mode and branch-based triggers.

Therefore, Option A correctly combines CodePipeline V2 , QUEUED execution mode , tag-based triggers , and EventBridge-driven pipeline chaining , meeting all requirements with best practices and minimal operational complexity.

https://docs.aws.amazon.com/securityhub/latest/userguide/accounts-orgs-auto-enable.html

Mounting EFS to EC2-backed EKS nodes requires:

NFS (port 2049) open from nodes to EFS (Security Group rule).

Mount targets in each subnet/AZ where nodes reside.

IAM role for the EFS CSI driver with elasticfilesystem:ClientMount and ClientRootAccess permissions. These are the standard setup requirements in “Using the Amazon EFS CSI Driver with Amazon EKS.”

because of " as few maintenance tasks as possible on the underlying infrastructure " . Fargate does that better than " one centralized application server "

To meet the requirements of ensuring that flow logs remain configured for all existing and new VPCs in the AWS account, the company should use AWS Config and automatic remediation. AWS Config is a service that enables customers to assess, audit, and evaluate the configurations of their AWS resources. AWS Config continuously monitors and records the configuration changes of the AWS resources and evaluates them against desired configurations. Customers can use AWS Config rules to define the desired configuration state of their AWS resources and trigger actions when a resource configuration violates a rule.

One of the AWS Config rules that customers can use is vpc-flow-logs-enabled, which checks whether VPC flow logs are enabled for all VPCs in an AWS account. Customers can also configure automatic remediation for this rule, which means that AWS Config will automatically enable VPC flow logs for any VPCs that do not have them enabled. Customers can specify the destination (CloudWatch Logs or S3) and the traffic type (all, accept, or reject) for the flow logs as remediation parameters. By using AWS Config and automatic remediation, the company can ensure that flow logs remain configured for all existing and new VPCs in its AWS account, regardless of who creates them or how they are created.

The other options are not correct because they do not meet the requirements or follow best practices. Adding the resource to the CloudFormation stack that creates the VPCs is not a sufficient solution because it will only work for VPCs that are created by using the CloudFormation stack. It will not work for VPCs that are created by using other methods, such as the console or the API. Creating an organization in AWS Organizations and creating an SCP to prevent users from modifying VPC flow logs is not a good solution because it will not ensure that flow logs are enabled for all VPCs in the first place. It will only prevent users from disabling or changing flow logs after they are enabled. Creating an IAM policy to deny the use of API calls for VPC flow logs and attaching it to all IAM users is not a valid solution because it will prevent users from enabling or disabling flow logs at all. It will also not work for VPCs that are created by using other methods, such as the console or CloudFormation.

1: AWS::EC2::FlowLog - AWS CloudFormation

2: Amazon VPC Flow Logs extends CloudFormation Support to custom format subscriptions, 1-minute aggregation intervals and tagging

3: Logging IP traffic using VPC Flow Logs - Amazon Virtual Private Cloud

About AWS Config - AWS Config

vpc-flow-logs-enabled - AWS Config

Remediate Noncompliant Resources with AWS Config Rules - AWS Config

Comprehensive and Detailed Explanation From Exact Extract of DevOps Engineer documents only:

The correct answer is B because AWS Config can continuously evaluate the account-level S3 Block Public Access configuration by using a managed rule. When the configuration becomes noncompliant, AWS Config can trigger automatic remediation through an AWS Systems Manager Automation runbook to restore the required settings.

This solution directly satisfies both requirements:

Detect changes to account-level S3 public access settings.

Automatically revert those changes so that all public access is blocked again.

Why the other options are incorrect:

A. Security Hub is primarily for aggregated security findings and controls visibility. It is not the most direct or standard service for continuous configuration evaluation with automatic remediation of this specific setting.

C. An SCP can restrict permissions, but it does not automatically detect and revert changes to S3 Block Public Access settings.

D. Amazon Macie is for discovering and protecting sensitive data, not for continuously enforcing and remediating S3 Block Public Access account settings.

" The firewall appliance sends logs to Amazon CloudWatch Logs and includes event severities of CRITICAL, HIGH, MEDIUM, LOW, and INFO "

AWS CodeDeploy natively supports automatic rollback based on CloudWatch alarms . To use this capability, you define an alarm that indicates unhealthy behavior (for example, increasing application error rate) and attach that alarm to the deployment group in CodeDeploy. If the alarm goes into ALARM state during or after a deployment, CodeDeploy automatically rolls back to the last known good revision when auto rollback is enabled.

Option A correctly implements this pattern:

Derive a CloudWatch metric from application logs (e.g., count of error-level log entries or HTTP 5xx responses).

Create a CloudWatch alarm on that metric with appropriate thresholds.

Configure the deployment group to use the alarm as part of its alarm configuration and enable auto rollback .

Option B uses CodeDeploy agent logs, which may not directly reflect true application health and couples rollback logic tightly to deployment internals rather than application behavior. Options C and D implement custom rollback logic with Lambda and EventBridge, which re-create behavior that CodeDeploy already provides natively and add unnecessary operational and code complexity.

Therefore, Option A is the simplest and most aligned with built-in CodeDeploy features for automated rollback based on application errors.

AWS Secrets Manager is a secrets management service that helps you protect access to your applications, services, and IT resources. This service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Using Secrets Manager, you can secure and manage secrets used to access resources in the AWS Cloud, on third-party services, and on-premises. SSM parameter store and AWS Secret manager are both a secure option. However, Secrets manager is more flexible and has more options like password generation. Reference: https://www.1strategy.com/blog/2019/02/28/aws-parameter-store-vs-aws-secrets-manager/

CodeDeploy supports TimeBasedLinear traffic shifting for ECS blue/green deployments. Traffic increments by linearPercentage every linearInterval until 100%. This provides zero-downtime gradual rollout — as per CodeDeploy ECS Blue/Green Traffic Shifting documentation.