Amazon AWS DevOps Engineer Professional Exam
AWS DevOps Engineer - Professional (DOP-C01) (Page 6)

Updated On: 19-Jan-2026

A company has an organization in AWS Organizations. The company has configured AWS Single Sign-On (AWS SSO) to centrally manage access to the AWS accounts in the organization. A DevOps engineer needs to ensure that all users sign in by using multi-factor authentication (MFA). Users must be allowed to manage their own MFA devices. Users also must be prompted for MFA every time they sign in.

What should the DevOps engineer do to meet these requirements?

  1. In AWS SSO, configure always-on MFA. Block user sign-in when a user does not yet have a registered MFA device.
  2. In AWS SSO, configure always-on MFA. Require a user to register an MFA device at sign-in when the user does not yet have a registered MFA device.
  3. In AWS SSO, configure context-aware MFA. Update the trust policy of all permission sets to include the aws:MultiFactorAuthPresent condition on the sts:AssumeRole action.
  4. In AWS SSO, configure context-aware MFA. Block user sign-in when a user does not yet have a registered MFA device.

Answer(s): B



A DevOps engineer needs to apply a core set of security controls to an existing set of AWS accounts. The accounts are in an organization in AWS Organizations. Individual teams will administer individual accounts by using the AdministratorAccess AWS managed policy. For all accounts, AWS CloudTrail and AWS Config must be turned on in all available AWS Regions. Individual account administrators must not be able to edit or delete any of the baseline resources. However, individual account administrators must be able to edit or delete their own CloudTrail trails and AWS Config rules.

Which solution will meet these requirements in the MOST operationally efficient way?

  1. Create an AWS CloudFormation template that defines the standard account resources. Deploy the template to all accounts from the organization's management account by using CloudFormation StackSets. Set the stack policy to deny Update:Delete actions.
  2. Enable AWS Control Tower. Enroll the existing accounts in AWS Control Tower. Grant the individual account administrators access to CloudTrail and AWS Config.
  3. Designate an AWS Config management account. Create AWS Config recorders in all accounts by using AWS CloudFormation StackSets. Deploy AWS Config rules to the organization by using the AWS Config management account. Create a CloudTrail organization trail in the organization's management account. Deny modification or deletion of the AWS Config recorders by using an SCP.
  4. Create an AWS CloudFormation template that defines the standard account resources. Deploy the template to all accounts from the organization's management account by using CloudFormation StackSets. Create an SCP that prevents updates or deletions to CloudTrail resources or AWS Config resources unless the principal is an administrator of the organization's management account.

Answer(s): D



An ecommerce company has chosen AWS to host its new platform. The company's DevOps team has started building an AWS Control Tower landing zone. The DevOps team has set the identity store within AWS Single Sign-On (AWS SSO) to external identity provider (IdP) and has configured SAML 2.0.

The DevOps team wants a robust permission model that applies the principle of least privilege. The model must allow the team to build and manage only the team's own resources.

Which combination of steps will meet these requirements? (Choose three.)

  1. Create IAM policies that include the required permissions. Include the aws:PrincipalTag condition key.
  2. Create permission sets. Attach an inline policy that includes the required permissions and uses the aws:PrincipalTag condition key to scope the permissions.
  3. Create a group in the IdP. Place users in the group. Assign the group to accounts and the permission sets in AWS SSO.
  4. Create a group in the IdP. Place users in the group. Assign the group to OUs and IAM policies.
  5. Enable attributes for access control in AWS SSO. Apply tags to users. Map the tags as key-value pairs.
  6. Enable attributes for access control in AWS SSO. Map attributes from the IdP as key-value pairs.

Answer(s): B,C,F



A company has AWS accounts that are members of the same organization in AWS Organizations. According to the company's security policy, IAM customer managed policies must be scoped to specific actions and must not include wildcard actions on wildcard resources.

If an IAM customer managed policy is created or modified in any of the company's AWS accounts to grant wildcard actions on resources that also specify wildcards, the policy must be detached from any IAM user, role, or group that the policy is attached to. Individual AWS account administrators must not be able to prevent the removal of the policies.

Which combination of steps will meet these requirements? (Choose two.)

  1. Configure automatic remediation to run the AWSConfigRemediation-DetachIAMPolicy AWS Systems Manager Automation runbook.
  2. Configure automatic remediation to invoke a custom AWS Lambda function to detach the IAM policy from the affected resources.
  3. Configure automatic remediation to use AWS Systems Manager Run Command to detach the IAM policy from the affected resources.
  4. Turn on AWS Config by using an AWS CloudFormation stack set that is created in a central account. Configure automatic deployment for the stack set, and specify the organization as the target. Configure the iam-policy-no-statements-with-full-access AWS Config managed rule in the central account.
  5. Turn on AWS Config for the organization. Create a new AWS account. Configure the account as a delegated administrator account for AWS Config. Configure the iam-policy-no-statements-with-full-access AWS Config managed rule in the delegated administrator account.

Answer(s): A,D



A DevOps engineer is using AWS CodePipeline and AWS CodeBuild to create a CI/CD pipeline for a serverless application that is based on the AWS Serverless Application Model (AWS SAM). The source, build and test steps have been completed. The DevOps engineer has also created two pipeline deployment stages that use AWS CloudFormation as the action provider. One stage uses the "Create or replace a change set" action mode. The other stage uses the "Execute a change set" action mode.

The DevOps engineer needs to pass some parameters to a CloudFormation stack during the deployment without changing the code and pipeline structure.

Which solution will meet these requirements?

  1. Set the --parameter-overrides option in the sam deploy command when the CodeBuild stage is invoked.
  2. Add all parameters in AWS Systems Manager Parameter Store. Use dynamic references to specify template values in Parameter Store.
  3. In the deployment stage where the "Create or replace a change set" action mode resides, apply the JSON object in the ParameterOverrides property.
  4. In the deployment stage where the "Execute a change set" action mode resides, apply the JSON object in the ParameterOverrides property.

Answer(s): A


