Free Practice Questions for Amazon Web Services DOP-C02 Exam

ALB natively supports WebSocket protocols and sticky sessions via target group session affinity. Deploying ALBs in multiple regions with cross-zone load balancing ensures high availability and fault tolerance.

Using Route 53 latency-based routing allows users worldwide to connect to the lowest latency region, minimizing delay.

NLBs do not support sticky sessions and WebSocket protocol as well as ALBs do. Combining ALBs and NLBs (Option D) increases complexity. CloudFront (Option C) does not natively support WebSocket sticky sessions.

Option A is the simplest, most effective solution meeting all requirements with least operational overhead.

The CfCT solution is designed for the exact purpose stated in the question. It extends the capabilities of AWS Control Tower by providing you with a way to automate resource provisioning and apply custom configurations across all AWS accounts created in the Control Tower environment. This enables the company to implement additional account customizations when new accounts are provisioned via the Control Tower Account Factory. The CloudFormation templates and SCPs can be added to a CodeCommit repository and will be automatically deployed to new accounts when they are created. This provides a highly automated solution that does not require manual intervention to deploy resources and SCPs to new accounts.

The recommended architecture to audit, analyze, and visualize application workload metrics at scale involves:

Using Amazon EventBridge to schedule AWS Lambda invocations that call the application API and fetch metrics (Option A). The data is stored in Amazon S3, which is ideal for scalable, cost-effective storage of large datasets.

Cataloging the stored data with AWS Glue crawlers, enabling schema discovery and making data queryable via Amazon Athena (Option C).

Visualizing the data by creating Amazon QuickSight datasets from Athena views and building dashboards for analysis (Option E).Option B and D introduce DynamoDB, which is less suitable for large-scale analytics and Athena querying. Option F suggests querying Athena via Lambda widgets in CloudWatch, which adds complexity without significant benefit over QuickSight.

These are the possible causes for the AccessDenied error because they affect the permissions to access the S3 object from the EC2 instance. An S3 bucket policy is a resource-based policy that defines who can access the bucket and its objects, and what actions they can perform. An IAM role is an identity that can be assumed by an EC2 instance to grant it permissions to access AWS services and resources. If there is an error in the S3 bucket policy or the IAM role configuration, such as a missing or incorrect statement, condition, or principal, then the EC2 instance may not have the necessary permissions to download the object from the S3 bucket .

https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

ECR Lifecycle Policies automatically manage image retention based on tag status, age, or count. They execute natively within the ECR service, requiring no external management or scripts — the least overhead and AWS-recommended cleanup method.

Apply SCPs for Region and service restriction. Use CloudFormation StackSets to consistently deploy IAM roles with trust policies for SSO/AD integration. This model enforces governance uniformly across all accounts per AWS multi-account best practices.

Step 1: Reacting to CloudFormation Stack Events with EventBridgeAWS CloudFormation emits events during the lifecycle of a stack, including the UPDATE_COMPLETE event after a successful stack update. You can use Amazon EventBridge to detect this event and trigger a specific action (such as invoking a Lambda function).

Action: Create an EventBridge rule that listens for the UPDATE_COMPLETE event for the CloudFormation stack.

Why: EventBridge allows you to automatically detect CloudFormation stack lifecycle events and take action based on them.

Step 2: Invoking the Lambda FunctionAfter the EventBridge rule detects the UPDATE_COMPLETE event, it can invoke the pre-configured Lambda function to apply or update the tag on the specific CloudFormation stack instance.

Action: Configure the EventBridge rule to invoke the Lambda function when the UPDATE_COMPLETE event occurs.

Why: This automation ensures that the tag is applied immediately after a successful stack update without any manual intervention.

The problem has two distinct requirements: securely managing rotating external API credentials and encrypting CodeBuild artifacts with a specific KMS key.

For credentials that must be reset each month and are sensitive, AWS Secrets Manager is the appropriate service, not Parameter Store. Secrets Manager provides built-in support for secret rotation, versioning, access control, and auditability. The external API credentials can be updated monthly either manually or via an automated rotation Lambda. CodeBuild can read the secret at build time by assuming an IAM role that allows secretsmanager:GetSecretValue.

To encrypt CodeBuild outputs, the correct pattern is to set the CODEBUILD_KMS_KEY_ID environment variable (or CodeBuild project setting) to the desired KMS key. The CodeBuild IAM service role must be granted kms:Encrypt, kms:Decrypt, and related actions on that KMS key via the key policy or IAM policy. This ensures build artifacts and logs are encrypted using the specified customer managed key.

Option C captures both requirements precisely: store credentials in Secrets Manager and update the KMS key policy for the CodeBuild role, not the CodePipeline role. Options A and B misuse Parameter Store and/or the wrong IAM principal. Option D updates the wrong role and does not connect the KMS key to CodeBuild’s artifact encryption.