Amazon AWS DevOps Engineer Professional Exam
AWS DevOps Engineer - Professional (DOP-C01) (Page 5)

Updated On: 19-Jan-2026

The security team depends on AWS CloudTrail to detect sensitive security issues in the company's AWS account. The DevOps engineer needs a solution to auto-remediate CloudTrail being turned off in an AWS account.

What solution ensures the LEAST amount of downtime for the CloudTrail log deliveries?

  A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule for the CloudTrail StopLogging event. Create an AWS Lambda function that uses the AWS SDK to call StartLogging on the ARN of the resource in which StopLogging was called. Add the Lambda function ARN as a target to the EventBridge (CloudWatch Events) rule.
  B. Deploy the AWS-managed CloudTrail-enabled AWS Config rule, set with a periodic interval of 1 hour. Create an Amazon EventBridge (Amazon CloudWatch Events) rule for AWS Config rules compliance change. Create an AWS Lambda function that uses the AWS SDK to call StartLogging on the ARN of the resource in which StopLogging was called. Add the Lambda function ARN as a target to the EventBridge (CloudWatch Events) rule.
  C. Create an Amazon EventBridge (Amazon CloudWatch Events) rule for a scheduled event every 5 minutes. Create an AWS Lambda function that uses the AWS SDK to call StartLogging on a CloudTrail trail in the AWS account. Add the Lambda function ARN as a target to the EventBridge (CloudWatch Events) rule.
  D. Launch a t2.nano instance with a script running every 5 minutes that uses the AWS SDK to query CloudTrail in the current account. If the CloudTrail trail is disabled, have the script re-enable the trail.

Answer(s): A



A DevOps team supports many accounts across an organization in AWS Organizations. The DevOps team has decided to use AWS Config across the organization to implement centralized automatic remediation of Amazon S3 buckets that have public ACLs. Individual accounts must not be able to modify the remediation strategy.

Which solution will meet these requirements?

  A. Create an AWS Config conformance pack that contains a rule that checks for S3 buckets that have public ACLs. Configure the conformance pack to use an AWS Systems Manager Automation runbook to block public access to the S3 buckets. Deploy the conformance pack across the organization.
  B. Configure AWS Config rules that detect S3 buckets that have public ACLs. Configure a remediation action that uses AWS Lambda to block public access to the S3 buckets. Use AWS CloudFormation StackSets to deploy the rules across the organization.
  C. Configure AWS Config rules that detect S3 buckets that have public ACLs. Configure a remediation action that uses an AWS Systems Manager Automation runbook to block public access to the S3 buckets. Use AWS CloudFormation StackSets to deploy the rules across the organization.
  D. Create an AWS Config conformance pack that contains a rule that checks for S3 buckets that have public ACLs. Configure the conformance pack to use an AWS Lambda function to block public access to the S3 buckets. Deploy the conformance pack across the organization.

Answer(s): A



A DevOps engineer is working on a data archival project that requires the migration of on-premises data to an Amazon S3 bucket. The DevOps engineer develops a script that incrementally archives on-premises data that is older than 1 month to Amazon S3. Data that is transferred to Amazon S3 is deleted from the on-premises location. The script uses the S3 PutObject operation.

During a code review, the DevOps engineer notices that the script does not verify whether the data was successfully copied to Amazon S3. The DevOps engineer must update the script to ensure that data is not corrupted during transmission. The script must use MD5 checksums to verify data integrity before the on-premises data is deleted.

Which solutions for the script will meet these requirements? (Choose two.)

  A. Check the returned response for the VersionId. Compare the returned VersionId against the MD5 checksum.
  B. Include the MD5 checksum within the Content-MD5 parameter. Check the operation call's return status to find out if an error was returned.
  C. Include the checksum digest within the tagging parameter as a URL query parameter.
  D. Check the returned response for the ETag. Compare the returned ETag against the MD5 checksum.
  E. Include the checksum digest within the Metadata parameter as a name-value pair. After upload, use the S3 HeadObject operation to retrieve metadata from the object.

Answer(s): B,D



A company uses AWS CodeCommit for source code control. Developers apply their changes to various feature branches and create pull requests to move those changes to the main branch when the changes are ready for production.

The developers should not be able to push changes directly to the main branch. The company applied the AWSCodeCommitPowerUser managed policy to the developers' IAM role, and now these developers can push changes to the main branch directly on every repository in the AWS account.

What should the company do to restrict the developers' ability to push changes to the main branch directly?

  A. Create an additional policy to include a Deny rule for the GitPush and PutFile actions. Include a restriction for the specific repositories in the policy statement with a condition that references the main branch.
  B. Remove the IAM policy, and add an AWSCodeCommitReadOnly managed policy. Add an Allow rule for the GitPush and PutFile actions for the specific repositories in the policy statement with a condition that references the main branch.
  C. Modify the IAM policy. Include a Deny rule for the GitPush and PutFile actions for the specific repositories in the policy statement with a condition that references the main branch.
  D. Create an additional policy to include an Allow rule for the GitPush and PutFile actions. Include a restriction for the specific repositories in the policy statement with a condition that references the feature branches.

Answer(s): A



A company uses a single AWS account to test applications on Amazon EC2 instances. The company has turned on AWS Config in the AWS account and has activated the restricted-ssh AWS Config managed rule.

The company needs an automated monitoring solution that will provide a customized notification in real time if any security group in the account is not compliant with the restricted-ssh rule. The customized notification must contain the name and ID of the noncompliant security group.

A DevOps engineer creates an Amazon Simple Notification Service (Amazon SNS) topic in the account and subscribes the appropriate personnel to the topic.

What should the DevOps engineer do next to meet these requirements?

  A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that matches an AWS Config evaluation result of NON_COMPLIANT for the restricted-ssh rule. Configure an input transformer for the EventBridge (CloudWatch Events) rule. Configure the EventBridge (CloudWatch Events) rule to publish a notification to the SNS topic.
  B. Configure AWS Config to send all evaluation results for the restricted-ssh rule to the SNS topic. Configure a filter policy on the SNS topic to send only notifications that contain the text of NON_COMPLIANT in the notification to subscribers.
  C. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that matches an AWS Config evaluation result of NON_COMPLIANT for the restricted-ssh rule. Configure the EventBridge (CloudWatch Events) rule to invoke AWS Systems Manager Run Command on the SNS topic to customize a notification and to publish the notification to the SNS topic.
  D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that matches all AWS Config evaluation results of NON_COMPLIANT. Configure an input transformer for the restricted-ssh rule. Configure the EventBridge (CloudWatch Events) rule to publish a notification to the SNS topic.

Answer(s): A



Viewing page 5 of 43
Viewing questions 21 - 25 out of 208 questions


