Amazon Web Services freetechexam full Access Dop-c02 Tutorials by Emil q68 vce pdf

Page: 10 / 32

Exam Name:	AWS Certified DevOps Engineer - Professional
Exam Code:	DOP-C02 Dumps
Vendor:	Amazon Web Services	Certification:	AWS Certified Professional
Questions:	435 Q&A's	Shared By:	emil

Question 40

A company has an AWS Control Tower landing zone. The company ' s DevOps team creates a workload OU. A development OU and a production OU are nested under the workload OU. The company grants users full access to the company ' s AWS accounts to deploy applications.

The DevOps team needs to allow only a specific management 1AM role to manage the 1AM roles and policies of any AWS accounts In only the production OU.

Which combination of steps will meet these requirements? {Select TWO.)

Options:

Create an SCP that denies full access with a condition to exclude the management 1AM role for the organization root.

Ensure that the FullAWSAccess SCP is applied at the organization root

Create an SCP that allows IAM related actions Attach the SCP to the development OU

Create an SCP that denies IAM related actions with a condition to exclude the management I AM role Attach the SCP to the workload OU

Create an SCP that denies IAM related actions with a condition to exclude the management 1AM role Attach the SCP to the production OU

Discussion

Sarah

Yeah, I was so relieved when I saw that the question appeared in the exam were similar to their exam dumps. It made the exam a lot easier and I felt confident going into it.

Aaliyah Apr 18, 2026

Same here. I've heard mixed reviews about using exam dumps, but for us, it definitely paid off.

Faye

Yayyyy. I passed my exam. I think all students give these dumps a try.

Emmeline Apr 19, 2026

Definitely! I have no doubt new students will find them to be just as helpful as I did.

Lois

I passed my exam with wonderful score. Their dumps are 100% valid and I felt confident during the exam.

Ernie Apr 23, 2026

Absolutely. The best part is, the answers in the dumps were correct. So, I felt confident and well-prepared for the exam.

Lennie

I passed my exam and achieved wonderful score, I highly recommend it.

Emelia Apr 23, 2026

I think I'll give Cramkey a try next time I take a certification exam. Thanks for the recommendation!

Question 41

A company uses an organization in AWS Organizations to manage multiple AWS accounts The company needs an automated process across all AWS accounts to isolate any compromised Amazon EC2 instances when the instances receive a specific tag.

Which combination of steps will meet these requirements? (Select TWO.)

Options:

Use AWS Cloud Formation StackSets to deploy the Cloud Formation stacks in all AWS accounts.

Create an SCP that has a Deny statement for the ec2: " action with a condition of " aws:RequestTag/isolation " : false.

Attach the SCP to the root of the organization.

Create an AWS Cloud Formation template that creates an EC2 instance rote that has no 1AM policies attached. Configure the template to have a security group that has an explicit Deny rule on all traffic. Use the Cloud Formation template to create an AWS Lambda function that attaches the 1AM role to instances. Configure the Lambda function to add a network ACL. Sot up an Amazon EventBridge rule to invoke the Lambda function when a specific ta

Create an AWS Cloud Formation template that creates an EC2 instance role that has no 1AM policies attached. Configure the template to have a security group that has no inbound rules or outbound rules. Use the CloudFormation template to create an AWS Lambda function that attaches the 1AM role to instances. Configure the Lambda function to replace any existing security groups with the new security group. Set up an Amazon EventBridge rule to i

Discussion

Answer:

A, E

Explanation:

 Step 1: Deploy the Automation Solution using CloudFormation StackSets

To automate the process across multiple AWS accounts within an organization, you can use AWS CloudFormation StackSets. StackSets allow you to deploy CloudFormation templates to multiple accounts within an organization, ensuring consistent infrastructure and automation.

Action: Use AWS CloudFormation StackSets to deploy the necessary resources across all AWS accounts. This includes deploying the Lambda function and security groups that will isolate compromised EC2 instances.

Why: StackSets make it easy to deploy and manage resources across multiple AWS accounts, reducing the operational overhead.

[Reference: AWS documentation on CloudFormation StackSets., This corresponds to Option A: Use AWS CloudFormation StackSets to deploy the CloudFormation stacks in all AWS accounts.,  Step 2: Isolate EC2 Instances using Lambda and Security GroupsWhen an EC2 instance is compromised, it needs to be isolated from the network. This can be done by creating a security group with no inbound or outbound rules and attaching it to the instance. A Lambda function can handle this process and can be triggered automatically by an Amazon EventBridge rule when a specific tag (e.g., "isolation") is applied to the compromised instance., Action: Create a Lambda function that attaches an isolated security group (with no inbound or outbound rules) to the compromised EC2 instances. Set up an EventBridge rule to trigger the Lambda function when the "isolation" tag is applied to the instance., Why: This automates the isolation process, ensuring that any compromised instances are immediately cut off from the network, reducing the potential damage from the compromise., Reference: AWS documentation on Tag-based Event Handling., This corresponds to Option E: Create an AWS CloudFormation template that creates an EC2 instance role that has no IAM policies attached. Configure the template to have a security group that has no inbound rules or outbound rules. Use the CloudFormation template to create an AWS Lambda function that attaches the IAM role to instances. Configure the Lambda function to replace any existing security groups with the new security group. Set up an Amazon EventBridge rule to invoke the Lambda function when a specific tag is applied to a compromised EC2 instance., , , ]

Question 42

A company recently created a new AWS Control Tower landing zone in a new organization in AWS Organizations. The landing zone must be able to demonstrate compliance with the Center tor Internet Security (CIS) Benchmarks tor AWS Foundations.

The company ' s security team wants to use AWS Security Hub to view compliance across all accounts Only the security team can be allowed to view aggregated Security Hub Findings. In addition specific users must be able to view findings from their own accounts within the organization All accounts must be enrolled m Security Hub after the accounts are created.

Which combination of steps will meet these requirements in the MOST automated way? (Select THREE.)

Options:

Turn on trusted access for Security Hub in the organization ' s management account. Create a new security account by using AWS Control Tower Configure the new security account as the delegated administrator account for Security Hub. In the new security account provide. Security Hub with the CIS Benchmarks for AWS Foundations standards.

Turn on trusted access for Security Hub in the organ ration ' s management account. From the management account, provide Security Hub with the CIS Benchmarks for AWS Foundations standards.

Create an AWS IAM identity Center (AWS Single Sign-On) permission set that includes the required permissions Use the CreateAccountAssignment API operation to associate the security team users with the permission set and with the delegated security account.

Create an SCP that explicitly denies any user who is not on the security team from accessing Security Hub.

In Security Hub, turn on automatic enablement.

In the organization ' s management account create an Amazon EventBridge rule that reacts to the CreateManagedAccount event Create an AWS Lambda function that uses the Security Hub CreateMembers API operation to add new accounts to Security Hub. Configure the EventBridge rule to invoke the Lambda function.

Discussion

Question 43

A DevOps team deploys an ECS app behind an ALB using CodeDeploy with all-at-once strategy. Recent deployment increased response times, requiring rollback. The team wants a deployment strategy to monitor new versions before full traffic shift and rollback quickly if issues occur.

Which steps meet these requirements? (Select TWO.)

Options:

Use CodeDeployDefault.ECSCanary10Percent5Minutes deployment configuration.

Use CodeDeployDefault.ECSLinear10PercentEvery3Minutes deployment configuration.

Create a CloudWatch alarm on ALB UnHealthyHostCount and associate it with the deployment group for rollback.

Create a CloudWatch alarm on ALB TargetResponseTime and associate it with the deployment group for rollback.

Create a CloudWatch alarm on ALB TargetConnectionErrorCount and associate it with the deployment group for rollback.