AWS Certified DevOps Engineer – Professional (DOP-C02) Mock Test

The AWS Certified DevOps Engineer – Professional (DOP-C02) certification is for individuals who excel at implementing and managing CI/CD pipelines, automating infrastructure, and operating highly available systems on AWS. This exam validates your ability to combine DevOps principles with the power of the AWS cloud. To prove your skills, you need to be prepared for complex, real-world scenarios, and our DOP-C02 mock test is the perfect tool for that preparation.

Our practice exam is a full-length simulation of the DOP-C02 test, with questions distributed across all official domains, including SDLC Automation, Configuration Management and IaC, and Incident and Event Response. When you take our AWS DevOps Engineer Professional practice exam, you’ll be challenged on your knowledge of AWS CodePipeline, AWS CloudFormation, Systems Manager, resilient deployment strategies, and observability. The detailed explanations for each question go beyond simple answers, teaching you the best practices for building secure, automated, and resilient solutions on AWS.

Passing the DOP-C02 requires hands-on knowledge and the ability to think critically under pressure. By practicing with our mock test, you can benchmark your readiness, fine-tune your understanding of key services, and develop the confidence needed to succeed. Whether you’re a seasoned DevOps professional or aspiring to be one, our exam simulation provides the realistic practice you need to earn your certification. Start your journey to becoming an AWS Certified DevOps Engineer Professional now.

For detailed information about the certification, you can always refer to the official AWS Certified DevOps Engineer – Professional (DOP-C02) page.

This is a timed quiz. You will be given 10800 seconds to answer all questions. Are you ready?

10800

Table of Contents

[Domain 1] A company wants to implement a secure and automated CI/CD pipeline for its containerized application running on Amazon EKS. The pipeline must enforce that all container images are scanned for vulnerabilities before being deployed to the production EKS cluster. The results of the scan must be available for audit. Which combination of AWS services should be used to meet these requirements?

Use AWS CodePipeline with a build stage using AWS CodeBuild to build and push the container image to Amazon ECR. Configure ECR to automatically scan images on push. Add a manual approval step in the pipeline for a security engineer to check the scan results.

Use Jenkins on an Amazon EC2 instance to build the image and push it to Amazon ECR. Integrate Jenkins with AWS Security Hub to receive findings from ECR image scanning.

Use AWS CodePipeline with a build stage that uses AWS CodeBuild to build and push the image to Docker Hub. Add a subsequent stage to run a custom script on an EC2 instance to pull and scan the image using a third-party tool.

Use AWS CodeDeploy to pull the source code, build the container image, and deploy it to Amazon EKS. Configure Amazon Inspector to scan the running containers in the EKS cluster for vulnerabilities.

Correct! Wrong!

This solution provides a complete and secure CI/CD pipeline for EKS. AWS CodePipeline orchestrates the workflow. AWS CodeBuild builds the container image. Amazon ECR is the container registry, and its native scan-on-push feature automatically scans images for vulnerabilities. The build process can be configured to check the ECR scan results via the API and fail the build if critical vulnerabilities are found, preventing deployment.

[Domain 2] A DevOps team needs to manage application secrets, such as database credentials and API keys, for an application running on Amazon ECS with AWS Fargate. The secrets must be rotated automatically every 30 days. The application code should not be responsible for the rotation logic and should be able to retrieve the latest version of a secret seamlessly. Which solution meets these requirements most securely and efficiently?

Store the secrets in an encrypted file in an Amazon S3 bucket. Use an IAM role for the ECS task to grant read access. Create a separate cron job on an EC2 instance to update the file every 30 days.

Store the secrets in AWS Systems Manager Parameter Store as SecureString parameters. Create a scheduled AWS Lambda function to update the parameter values every 30 days.

Use AWS Secrets Manager to store the secrets. Configure automatic rotation for the secrets using the built-in integration with AWS Lambda. Reference the secrets in the ECS task definition to inject them into the containers.

Hardcode the secrets in the application's environment variables within the ECS task definition and redeploy the service every 30 days with new values.

Correct! Wrong!

AWS Secrets Manager is the purpose-built service for this use case. It can store secrets securely and, for supported services like Amazon RDS, it can be configured to rotate secrets automatically on a schedule using a built-in Lambda function. The ECS task definition can then reference the secret from Secrets Manager, and the secret will be securely injected into the container as an environment variable. The application always retrieves the current version of the secret without needing to know the rotation details.

[Domain 1] A development team is adopting a blue/green deployment strategy for their web application running on Amazon EC2 instances behind an Application Load Balancer (ALB). They are using AWS CodeDeploy. The goal is to shift traffic to the new 'green' environment only after a series of integration tests have passed successfully. The entire process should be automated. How should this be configured?

Configure the CodeDeploy agent to run the integration tests as part of the `ApplicationStart` hook. If the tests fail, the agent will report a failed deployment.

Configure CodeDeploy for a blue/green deployment. In the `appspec.yml` file, add an `AfterAllowTraffic` hook to trigger an AWS Lambda function that runs the integration tests. The Lambda function's success or failure will determine if the deployment proceeds or rolls back.

Use AWS CloudFormation to create a new green stack. After the stack is created, use Amazon CloudWatch alarms to monitor the health of the new environment. If the alarms are stable, manually update the Route 53 record to point to the green environment.

Use two separate CodeDeploy applications, one for blue and one for green. Manually run the integration tests against the green environment. If they pass, update the ALB listener rules to point to the green target group.

Correct! Wrong!

AWS CodeDeploy natively supports blue/green deployments. By using a lifecycle event hook like `AfterAllowTraffic`, you can trigger an AWS Lambda function. This Lambda function can execute the required integration tests against the new 'green' environment. If the tests pass, the Lambda function exits successfully, and CodeDeploy completes the traffic shift. If they fail, the Lambda function returns an error, and CodeDeploy automatically rolls back the deployment.

[Domain 3] An application hosted on AWS uses an Application Load Balancer (ALB) to distribute traffic to a fleet of EC2 instances. The application frequently experiences '503 Service Unavailable' errors during deployments and scaling events. A root cause analysis reveals that the ALB is sending traffic to instances that have not yet completed their startup and initialization process. How can this issue be resolved?

Implement connection draining on the target groups to ensure existing requests are completed before an instance is deregistered.

Configure detailed health checks for the ALB's target group. The health check should target a specific application endpoint (e.g., `/health`) that only returns a 200 OK status when the application is fully ready to serve traffic.

Increase the idle timeout value on the Application Load Balancer.

Switch the Auto Scaling group's health check type from EC2 to ELB.

Correct! Wrong!

ALB health checks are crucial for ensuring traffic is only sent to healthy, fully-initialized instances. By configuring a health check that targets a specific file or API endpoint (e.g., `/health`), the application can signal its readiness. The ALB will wait for a successful response from this endpoint before marking the instance as 'InService' and sending it traffic. Increasing the 'healthy threshold' and 'interval' can also make the health checks more robust against slow startups.

[Domain 3] A critical application runs on an Amazon Aurora PostgreSQL database. The company needs a disaster recovery (DR) plan with a Recovery Time Objective (RTO) of less than 1 minute and a Recovery Point Objective (RPO) of less than 1 second. The primary region is `us-east-1` and the DR region is `us-west-2`. The solution must support a fast, automated failover. What is the most suitable solution?

Deploy an Amazon Aurora Global Database with the primary cluster in `us-east-1` and a secondary cluster in `us-west-2`. Use the global database failover feature for disaster recovery.

Use AWS Database Migration Service (DMS) with ongoing replication to keep a standby database in the DR region synchronized with the primary.

Create a read replica of the Aurora cluster in the DR region. In case of a disaster, manually promote the read replica to a standalone cluster.

Configure the Aurora database as a Multi-AZ deployment. In case of a regional failure, restore the database from a snapshot in the DR region.

Correct! Wrong!

Amazon Aurora Global Database is designed for exactly this scenario. It consists of a primary cluster in one region and one or more secondary clusters in different regions. It uses dedicated infrastructure for storage-based replication with typical latencies under one second, meeting the RPO requirement. In a disaster, a secondary cluster can be promoted to a full read/write primary cluster in under a minute, meeting the RTO requirement. This process can be automated.

[Domain 4] A DevOps team needs to centrally collect, analyze, and visualize logs from hundreds of EC2 instances running in multiple AWS accounts. The logs include application logs, system logs, and security logs. The solution must support near-real-time search and analysis, and the data should be retained for one year for compliance. What is the most effective and scalable solution?

Install the Amazon CloudWatch agent on all EC2 instances to send logs to CloudWatch Logs. Use CloudWatch Logs Insights for analysis and create dashboards in CloudWatch.

Deploy a fleet of EC2 instances running a third-party logging stack like ELK (Elasticsearch, Logstash, Kibana). Configure log shippers on all application instances to send logs to this central stack.

Configure the Amazon CloudWatch agent on EC2 instances to send logs to CloudWatch Logs. Create a CloudWatch Logs subscription filter to stream logs to an Amazon Kinesis Data Firehose delivery stream that writes to Amazon S3. Use Amazon Athena to query the logs.

Use AWS Systems Manager to run a script on all instances that periodically archives log files to an Amazon S3 bucket. Set up AWS Glue crawlers to catalog the data for querying.

Correct! Wrong!

This is a classic centralized logging architecture. The Amazon CloudWatch agent can be configured to collect various log types from EC2 instances and send them to CloudWatch Logs. CloudWatch Logs Subscriptions can then be used to stream these logs in near-real-time to Amazon OpenSearch Service (formerly Elasticsearch Service) for powerful indexing, search, and visualization (using OpenSearch Dashboards). For long-term retention, OpenSearch can be configured with lifecycle policies (ILM) to move older data to cheaper storage tiers or S3.

[Domain 5] An application running on AWS has been experiencing intermittent performance issues. A CloudWatch alarm detects high CPU utilization on an EC2 instance and triggers an Amazon SNS notification. The on-call engineer needs to quickly gather diagnostic data from the instance, including a memory dump and a list of running processes, for later analysis. The process must be automated and secure. Which solution is most appropriate?

Configure the CloudWatch alarm to trigger an AWS Lambda function. The Lambda function uses AWS Systems Manager Run Command to execute a script on the instance that collects diagnostics and uploads them to an Amazon S3 bucket.

The on-call engineer should use SSH to connect to the instance, manually run diagnostic commands, and copy the output to their local machine.

Configure the CloudWatch alarm to trigger an EC2 Auto Scaling action to terminate the unhealthy instance and launch a new one.

Use AWS Step Functions to define a workflow that first takes a snapshot of the instance's EBS volume and then terminates the instance.

Correct! Wrong!

This is a perfect use case for automating incident response. The CloudWatch alarm can trigger a Lambda function directly or via an SNS topic. The Lambda function can then use AWS Systems Manager Run Command to execute a predefined command document (e.g., `AWS-RunShellScript`) on the target EC2 instance. This script can gather the necessary diagnostics (memory dump, process list, logs) and upload them to a secure S3 bucket for analysis, all without requiring the engineer to manually SSH into the instance.

[Domain 2] A company manages its infrastructure using AWS CloudFormation. To improve security and governance, they want to ensure that all S3 buckets created via CloudFormation are encrypted by default and do not have public access enabled. The solution must prevent the deployment of non-compliant CloudFormation stacks. Which approach is most effective?

Use AWS CloudFormation Hooks. Develop a hook that targets the `AWS::S3::Bucket` resource type and contains logic to check for encryption and public access settings. If non-compliant, the hook fails the provisioning step.

Implement a Service Control Policy (SCP) that denies the `s3:CreateBucket` action unless specific encryption and public access parameters are included in the request.

Write a custom Lambda function and invoke it via a CloudFormation custom resource in every stack. The Lambda function will validate the S3 bucket properties.

Create an AWS Config rule to detect non-compliant S3 buckets and use a remediation action to fix them after they are created.

Correct! Wrong!

AWS CloudFormation Hooks (or resource type hooks) allow you to run validation logic against resources before they are provisioned by CloudFormation. You can create a hook that checks the properties of any `AWS::S3::Bucket` resource in a stack. The hook's logic can verify that encryption is enabled and that public access is blocked. If the resource is non-compliant, the hook can fail the operation, preventing the stack from being created or updated.

[Domain 6] A company needs to audit all API activity within its AWS accounts to comply with PCI DSS requirements. The audit trail must be secure, immutable, and retained for at least one year. The solution should also be able to detect and alert on specific sensitive actions, such as the deletion of an S3 bucket or changes to an IAM policy. What should be implemented?

Use AWS Config to record configuration changes to AWS resources and review the configuration history for compliance.

Deploy Amazon GuardDuty in all accounts to detect malicious activity and configure its findings to be sent to AWS Security Hub.

Enable VPC Flow Logs for all VPCs and send the logs to Amazon S3 for long-term storage.

Enable AWS CloudTrail across all regions in all accounts, storing logs in a central S3 bucket with log file validation enabled. Create CloudWatch Events rules that trigger on specific CloudTrail events to send notifications via Amazon SNS.

Correct! Wrong!

AWS CloudTrail is the foundational service for API activity logging and auditing. By creating an organization-wide trail and enabling log file validation, you ensure that all API calls are logged and the log files are immutable. Storing logs in a central, access-restricted S3 bucket meets retention and security requirements. Integrating CloudTrail with Amazon CloudWatch Events (or EventBridge) allows for the creation of rules that match specific sensitive API calls (like `DeleteBucket`) and trigger automated alerts via Amazon SNS.

AWS Certified DevOps Engineer – Professional (DOP-C02) Practice Exam

DevOps Professional!

Fantastic work! You have a strong grasp of DevOps principles and AWS services. You are well-prepared for the exam.

DevOps Engineer in Training

Solid performance! You have a good foundation. Focus on the explanations for the questions you missed to sharpen your skills.

Keep Deploying Knowledge

The DevOps Pro exam is challenging. Use this mock test as a tool to identify your weak areas and guide your study plan.