Free Practice Questions for Amazon Web Services DOP-C02 Exam

The “fan-out” batch build type in AWS CodeBuild allows running multiple builds in parallel for different subsets of tests, reducing overall test execution time. CodeBuild then aggregates the results into a single consolidated report. This approach is detailed in the AWS documentation under “Batch builds and parallel execution with CodeBuild.”

ALB supports weighted target groups for traffic splitting between versions without DNS-level changes. By attaching multiple target groups (old & beta) to the same ALB listener rule with weights (90/10), partial traffic testing can occur seamlessly. This is the recommended least-change method per Application Load Balancer advanced request routing documentation.

Use custom constructs to encapsulate reusable patterns and deploy separate stacks per microservice for better isolation and environment-specific params. Apply tags programmatically at the app/stack/construct scope with Tags so all resources inherit them. This is the recommended CDK pattern to minimize duplication and maximize reusability.

To add an automated test in AWS CodePipeline that checks the HTTP response code of a deployed application, the most straightforward and operationally efficient method is to create an AWS Lambda function that makes an HTTP request to the application URL, checks the response code, and then reports success or failure back to CodePipeline.

The Lambda function can be invoked as an action in the pipeline stage.

If the response code is not 200 OK, the Lambda function can return a failure, causing the pipeline stage to fail and halt further execution.

Option A’s CloudWatch synthetic canary monitors are useful for ongoing monitoring but are not natively integrated as CodePipeline actions to control pipeline flow.

Option C incorrectly uses CodeDeploy action for testing, which is not designed for this purpose.

Option D introduces unnecessary complexity by deploying API Gateway and Device Farm, which is not required for a simple HTTP status check. Therefore, option B provides a clean, simple, and fully automated way to enforce HTTP response validation within the pipeline.

Reference from AWS Official Documentation:

AWS CodePipeline Custom Actions: " You can create Lambda invoke actions in your pipeline stages to run custom validation or testing functions. " (AWS CodePipeline User Guide - Lambda Actions)

AWS Lambda Function for Health Checks: " Lambda functions can be used to perform health checks or API response validations and report results back to invoking services. " (AWS Lambda Developer Guide)

Using an organization trail with logs centralized in the audit account’s S3 bucket ensures compliance and isolation. An EventBridge rule in the audit account triggers on failed login events (ConsoleLogin failed) and sends SNS notifications in near real time.

This solution will meet the requirements because it will use CloudFormation nested stacks and stack sets to deploy the templates more efficiently and consistently across multiple regions. Nested stacks allow the company to separate out common components and reuse templates, while stack sets allow the company to create stacks in multiple accounts and regions with a single template. The company can also use Amazon SNS to send notifications to the data engineering team whenever a change is made to the templates or the stacks. Amazon SNS is a service that allows you to publish messages to subscribers, such as email addresses, phone numbers, or other AWS services. By using Amazon SNS, the company can ensure that the data engineering team is aware of all changes to the templates and can take appropriate actions if needed. What is Amazon SNS? - Amazon Simple Notification Service

To allow only creation/configuration of service-linked roles , you need a way to tightly scope what IAM actions the developer can perform. The most AWS-appropriate mechanism for “delegate limited IAM admin” is a role with a permissions boundary :

A permissions boundary sets the maximum permissions the role (and any roles it creates, depending on design) can ever have. This is a standard pattern to safely delegate IAM tasks without granting broad IAM administration.

You can define the role’s policy + boundary so the developer can call only the APIs required for service-linked roles (for example actions like creating service-linked roles and passing only allowed AWS service principals), while preventing general role/policy creation outside that scope.

Why the others don’t meet “service-linked roles only”:

A is vague (“common services”) and cross-account access doesn’t inherently restrict to only service-linked roles. It’s also more operational overhead than needed for a single dev account use case.

B PowerUserAccess is far too broad and does not restrict to service-linked roles.

C An SCP with Deny iam:* would block IAM entirely (including what the developer needs). Even if refined, SCPs set account-wide guardrails and are not the right tool to grant a single developer the precise ability to create only service-linked roles.

The correct answer is C. Allowing users to deploy CloudFormation stacks using AWS Service Catalog only and enforcing the use of a launch constraint is the best way to ensure that the internal business teams launch resources through pre-approved CloudFormation templates only. AWS Service Catalog is a service that enables organizations to create and manage catalogs of IT services that are approved for use on AWS. A launch constraint is a rule that specifies the role that AWS Service Catalog assumes when launching a product. By using a launch constraint, the DevOps engineer can control the permissions that the users have when launching a product. Using AWS Config rules to detect when resources have drifted from their expected state is the best way to automate the monitoring of the resources. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config rules are custom or managed rules that AWS Config uses to evaluate whether your AWS resources comply with your desired configurations. By using AWS Config rules, the DevOps engineer can track the changes in the resources and identify any non-compliant resources.

Option A is incorrect because allowing users to deploy CloudFormation stacks using a CloudFormation service role only is not the best way to ensure that the internal business teams launch resources through pre-approved CloudFormation templates only. A CloudFormation service role is an IAM role that CloudFormation assumes to create, update, or delete the stack resources. By using a CloudFormation service role, the DevOps engineer can control the permissions that CloudFormation has when acting on the resources, but not the permissions that the users have when launching a stack. Therefore, option A does not prevent the users from launching resources that are not approved by the company. Using CloudFormation drift detection to detect when resources have drifted from their expected state is a valid way to monitor the resources, but it is not as automated and scalable as using AWS Config rules. CloudFormation drift detection is a feature that enables you to detect whether a stack’s actual configuration differs, or has drifted, from its expected configuration. To use this feature, the DevOps engineer would need to manually initiate a drift detection operation on the stack or the stack resources, and then view the drift status and details in the CloudFormation console or API.

Option B is incorrect because allowing users to deploy CloudFormation stacks using a CloudFormation service role only is not the best way to ensure that the internal business teams launch resources through pre-approved CloudFormation templates only, as explained in option A. Using AWS Config rules to detect when resources have drifted from their expected state is a valid way to monitor the resources, as explained in option C.

Option D is incorrect because enforcing the use of a template constraint is not the best way to ensure that the internal business teams launch resources through pre-approved CloudFormation templates only. A template constraint is a rule that defines the values or properties that users can specify when launching a product. By using a template constraint, the DevOps engineer can control the parameters that the users can provide when launching a product, but not the permissions that the users have when launching a product. Therefore, option D does not prevent the users from launching resources that are not approved by the company. Using Amazon EventBridge notifications to detect when resources have drifted from their expected state is a less reliable and consistent solution than using AWS Config rules. Amazon EventBridge is a service that enables you to connect your applications with data from a variety of sources. Amazon EventBridge can deliver a stream of real-time data from event sources, such as AWS services, and route that data to targets, such as AWS Lambda functions. However, to use this solution, the DevOps engineer would need to configure the event source, the event bus, the event rule, and the event target for each resource type that needs to be monitored, which is more complex and error-prone than using AWS Config rules.

https://docs.aws.amazon.com/codedeploy/latest/userguide/deployment-groups.html

Step 1: Understanding the Deletion FailureThe most likely reason why the CloudFormation stack failed to delete is that the S3 bucket was not empty. AWS CloudFormation cannot delete an S3 bucket that contains objects, so if the website files are still in the bucket, the deletion will fail.

Issue: The S3 bucket is not empty during deletion, preventing the stack from being deleted.

Step 2: Modifying the Custom Resource to Handle DeletionTo mitigate this issue, you can modify the Lambda function associated with the custom resource to automatically empty the S3 bucket when the stack is being deleted. By adding logic to handle the RequestType: Delete event, the function can recursively delete all objects in the bucket before allowing the stack to be deleted.

Action: Modify the Lambda function to recursively delete the objects in the S3 bucket when RequestType is set to Delete.

Why: This ensures that the S3 bucket is empty before CloudFormation tries to delete it, preventing the stack deletion failure.