Free Practice Questions for Amazon Web Services DOP-C02 Exam

To implement a more reliable deployment solution, a DevOps engineer should take the following actions:

Create a pipeline in AWS CodePipeline that uses the CodeCommit repository as a source provider. Configure pipeline stages that run the CodeBuild project in parallel to build and test the application. In the pipeline, pass the CodeBuild project output artifact to an AWS CodeDeploy action. This action will improve the deployment reliability by automating the entire process from code commit to deployment, reducing human errors and inconsistencies. By running the build and test stages in parallel, the pipeline can also speed up the delivery time and provide faster feedback. By using CodeDeploy as the deployment action, the pipeline can leverage the features of CodeDeploy, such as traffic shifting, health checks, rollback, and deployment configuration123

Create an AWS CodeDeploy application and a deployment group to deploy the packaged code to the EC2 instances. Configure the ALB for the deployment group. This action will improve the deployment reliability by using CodeDeploy to orchestrate the deployment across multiple EC2 instances behind an ALB. CodeDeploy can perform blue/green deployments or in-place deployments with traffic shifting, which can minimize downtime and reduce risks. CodeDeploy can also monitor the health of the instances during and after the deployment, and automatically roll back if any issues are detected. By configuring the ALB for the deployment group, CodeDeploy can register and deregister instances from the load balancer as needed, ensuring that only healthy instances receive traffic45

The other options are not correct because they do not improve the deployment reliability or follow best practices. Creating separate pipeline stages that run a CodeBuild project to build and then test the application is not a good option because it will increase the pipeline execution time and delay the feedback loop. Creating individual Lambda functions that use CodeDeploy instead of Systems Manager to run build, test, and deploy actions is not a valid option because it will add unnecessary complexity and cost to the solution. Lambda functions are not designed for long-running tasks such as building or deploying applications. Creating an Amazon S3 bucket and modifying the CodeBuild project to store the packages in the S3 bucket instead of in CodeArtifact is not a necessary option because it will not affect the deployment reliability. CodeArtifact is a secure, scalable, and cost-effective package management service that can store and share software packages for application development67

1: What is AWS CodePipeline? - AWS CodePipeline

2: Create a pipeline in AWS CodePipeline - AWS CodePipeline

3: Deploy an application with AWS CodeDeploy - AWS CodePipeline

4: What is AWS CodeDeploy? - AWS CodeDeploy

5: Configure an Application Load Balancer for your blue/green deployments - AWS CodeDeploy

6: What is AWS Lambda? - AWS Lambda

7: What is AWS CodeArtifact? - AWS CodeArtifact

Step 1: Using AWS CloudFormation with ECS Blue/Green Deployments

The requirement is to implement an ECS blue/green deployment where traffic is shifted gradually. AWS CodeDeploy supports such blue/green deployments with predefined configurations, like ECSLinear10PercentEvery1Minute, which shifts 10% of traffic every minute.

Action: Use the AWS::CodeDeployBlueGreen transform and the appropriate hooks in the CloudFormation template. The ECSLinear10PercentEvery1Minute deployment configuration meets the requirement of shifting 10% of traffic every minute.

Why: The transform and hook parameters in CloudFormation are essential for configuring the blue/green deployment with the desired traffic-shifting behavior.

 Stack Export and Import:

Use the Export feature in CloudFormation to share outputs from one stack (e.g., database resources) and use them as inputs in another stack (e.g., web application resources).

 Steps to Create Stack Export:

Define the resources in the database CloudFormation template and use the Outputs section to export necessary values.

Outputs:

DBInstanceEndpoint:

Value: !GetAtt DBInstance.Endpoint.Address

Export:

Name: DBInstanceEndpoint

Steps to Import into Web Application Stack:

In the web application CloudFormation template, use the ImportValue function to import these exported values.

Resources:

MyResource:

Type: "AWS::SomeResourceType"

Properties:

SomeProperty: !ImportValue DBInstanceEndpoint

Resource-Level Change-Set Reviews:

Both teams can continue using their respective review processes, as changes to each stack are managed independently.

Use CloudFormation change sets to preview changes before deploying.

By exporting resources from the database stack and importing them into the web application stack, both teams can maintain their separate review and lifecycle management processes while sharing necessary resources.

Step 1: Understanding Lambda Permissions and AWS Config

The custom AWS Config rule evaluates resources and invokes an AWS Lambda function when a compliance check is triggered. For AWS Config to invoke the Lambda function, it requires permission to do so.

Issue: The Lambda function fails to execute because AWS Config doesn't have permission to invoke it.

Action: Modify the resource-based policy of the Lambda function to grant AWS Config permission to invoke the Lambda function.

Why: Without this permission, AWS Config cannot trigger the Lambda function, which is why the evaluation fails.

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html?icmpid=docs_orgs_console

SCPs (Service Control Policies) are the best way to restrict permissions at the organizational level, which in this case would be used to restrict modifications to the IAM role used by the auditing application, while still allowing trusted administrators to make changes to it. Options C and D are not as effective because IAM permission boundaries are applied to IAM entities (users, groups, and roles), not the account itself, and must be applied to all IAM entities in the account.

To restrict access to S3 buckets so that only IAM principals from within the AWS Organization can access them, an SCP (Service Control Policy) with conditions using the aws:PrincipalAccount or preferably aws:PrincipalOrgID can be applied at the OU level.

SCPs restrict the maximum permissions for IAM entities in member accounts and can be used to enforce access control policies across accounts.

The aws:PrincipalAccount condition restricts access to principals from specific accounts, while aws:PrincipalOrgID restricts based on the organization ID.

IAM permissions boundaries (Option B) cannot be applied organization-wide and do not enforce restrictions across accounts.

AWS RAM (Option C) is for sharing resources but does not restrict S3 bucket access based on organizational principals.

There is no such thing as an RCP in AWS Organizations (Option D is invalid).

 Turn off cross-zone load balancing on the ALB's target group:

Cross-zone load balancing distributes traffic evenly across all registered targets in all enabled Availability Zones. Turning this off will ensure that each target group only handles requests from its respective Availability Zone.

To disable cross-zone load balancing:

Go to the Amazon EC2 console.

Navigate to Load Balancers and select the ALB.

Choose the Target Groups tab, select the target group, and then select the Group details tab.

Click on Edit and turn off Cross-zone load balancing.

 Use Amazon Route 53 Application Recovery Controller to start a zonal shift away from the Availability Zone:

Amazon Route 53 Application Recovery Controller provides the ability to control traffic flow to ensure high availability and disaster recovery.

By using Route 53 Application Recovery Controller, you can perform a zonal shift to redirect traffic away from the unhealthy Availability Zone.

To start a zonal shift:

Configure Route 53 Application Recovery Controller by creating a cluster and control panel.

Create routing controls to manage traffic shifts between Availability Zones.

Use the routing control to shift traffic away from the affected Availability Zone.

https://blog.fourninecloud.com/auto-scaling-lifecycle-hooks-to-export-server-logs-when-instance-terminating-58e06d7c0d6a

When you create a pipeline from CodePipeline during the step-by-step it creates a CloudWatch Event rule for a given branch and repo

like this:

{

"source": [

"aws.codecommit"

],

"detail-type": [

"CodeCommit Repository State Change"

],

"resources": [

"arn:aws:codecommit:us-east-1:xxxxx:repo-name"

],

"detail": {

"event": [

"referenceCreated",

"referenceUpdated"

],

"referenceType": [

"branch"

],

"referenceName": [

"master"

]

}

}

https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-trigger-source-repo-changes-console.html

Step 1: Enabling AWS Config for the OrganizationThe first step is to enable AWS Config across the AWS Organization. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. By enabling AWS Config, you can ensure that all S3 buckets within the organization are tracked and evaluated according to compliance rules.

Action: Turn on AWS Config for all AWS accounts in the organization.

Why: AWS Config will help monitor all resources (like S3 buckets) in real time to detect whether they are compliant with security policies.