Amazon Web Services DOP-C02 Study & Exam Dumps 2025

AWS Certified DevOps Engineer - Professional Questions and Answers

Question 1

A company is refactoring applications to use AWS. The company identifies an internal web application that needs to make Amazon S3 API calls in a specific AWS account.

The company wants to use its existing identity provider (IdP) auth.company.com for authentication. The IdP supports only OpenID Connect (OIDC). A DevOps engineer needs to secure the web application ' s access to the AWS account.

Which combination of steps will meet these requirements? (Select THREE.)

Options:

Configure AWS 1AM Identity Center. Configure an IdP. Upload the IdP metadata from the existing IdP.

Create an 1AM IdP by using the provider URL, audience, and signature from the existing IdP.

Create an 1AM role that has a policy that allows the necessary S3 actions. Configure the role ' s trust policy to allow the OIDC IdP to assume the role if the sts.amazon.conraud context key is appid from idp.

Create an 1AM role that has a policy that allows the necessary S3 actions. Configure the role ' s trust policy to allow the OIDC IdP to assume the role if the auth.company.com:aud context key is appid_from_idp.

Configure the web application lo use the AssumeRoleWith Web Identity API operation to retrieve temporary credentials. Use the temporary credentials to make the S3 API calls.

Configure the web application to use the GetFederationToken API operation to retrieve temporary credentials Use the temporary credentials to make the S3 API calls.

Buy Now

Answer:

B, D, E

Explanation:

Step 1: Creating an Identity Provider in IAMYou first need to configure AWS to trust the external identity provider (IdP), which in this case supports OpenID Connect (OIDC). The IdP will handle the authentication, and AWS will handle the authorization based on the IdP ' s token.

Action: Create an IAM Identity Provider (IdP) in AWS using the existing provider ' s URL, audience, and signature. This step is essential for establishing trust between AWS and the external IdP.

Why: This allows AWS to accept tokens from your external IdP (auth.company.com) for authentication.

[Reference: AWS documentation on IAM Identity Providers., So, this corresponds to Option B: Create an IAM IdP by using the provider URL, audience, and signature from the existing IdP., Step 2: Creating an IAM Role with Specific PermissionsNext, you need to create an IAM role with a trust policy that allows the external IdP to assume it when certain conditions are met. Specifically, the trust policy needs to allow the role to be assumed based on the context key auth.company.com:aud (audience claim in the token)., Action: Create an IAM role that has the necessary permissions (e.g., Amazon S3 access). The role's trust policy should specify the OIDC IdP as the trusted entity and validate the audience claim (auth.company.com:aud), which comes from the token provided by the IdP., Why: This step ensures that only the specified web application authenticated via OIDC can assume the IAM role to make API calls., Reference: AWS documentation on OIDC and Role Assumption., This corresponds to Option D: Create an IAM role that has a policy that allows the necessary S3 actions. Configure the role's trust policy to allow the OIDC IdP to assume the role if the auth.company.com:aud context key is appid_from_idp., Step 3: Using Temporary Credentials via AssumeRoleWithWebIdentity APITo securely make Amazon S3 API calls, the web application will need temporary credentials. The web application can use the AssumeRoleWithWebIdentity API call to assume the IAM role configured in the previous step and obtain temporary AWS credentials. These credentials can then be used to interact with Amazon S3., Action: The web application must be configured to call the AssumeRoleWithWebIdentity API operation, passing the OIDC token from the IdP to obtain temporary credentials., Why: This allows the web application to authenticate via the external IdP and then authorize access to AWS resources securely using short-lived credentials., Reference: AWS documentation on AssumeRoleWithWebIdentity., This corresponds to Option E: Configure the web application to use the AssumeRoleWithWebIdentity API operation to retrieve temporary credentials. Use the temporary credentials to make the S3 API calls., Summary of Selected Answers:, B: Create an IAM IdP by using the provider URL, audience, and signature from the existing IdP., D: Create an IAM role that has a policy that allows the necessary S3 actions. Configure the role’s trust policy to allow the OIDC IdP to assume the role if the auth.company.com:aud context key is appid_from_idp., E: Configure the web application to use the AssumeRoleWithWebIdentity API operation to retrieve temporary credentials. Use the temporary credentials to make the S3 API calls., This setup enables the web application to use OpenID Connect (OIDC) for authentication and securely interact with Amazon S3 in a specific AWS account using short-lived credentials obtained through AWS Security Token Service (STS)., , ]

Question 2

A DevOps engineer is building an application that uses an AWS Lambda function to query an Amazon Aurora MySQL DB cluster. The Lambda function performs only read queries. Amazon EventBridge events invoke the Lambda function.

As more events invoke the Lambda function each second, the database ' s latency increases and the database ' s throughput decreases. The DevOps engineer needs to improve the performance of the application.

Which combination of steps will meet these requirements? (Select THREE.)

Options:

Use Amazon RDS Proxy to create a proxy. Connect the proxy to the Aurora cluster reader endpoint. Set a maximum connections percentage on the proxy.

Implement database connection pooling inside the Lambda code. Set a maximum number of connections on the database connection pool.

Implement the database connection opening outside the Lambda event handler code.

Implement the database connection opening and closing inside the Lambda event handler code.

Connect to the proxy endpoint from the Lambda function.

Connect to the Aurora cluster endpoint from the Lambda function.

Answer:

A, C, E

Explanation:

Verified Answer: A, C, and E.

Short Explanation: To improve the performance of the application, the DevOps engineer should use Amazon RDS Proxy, implement the database connection opening outside the Lambda event handler code, and connect to the proxy endpoint from the Lambda function.

Amazon RDS Proxy is a fully managed, highly available database proxy for Amazon Relational Database Service (RDS) that makes applications more scalable, more resilient to database failures, and more secure1. By using Amazon RDS Proxy, the DevOps engineer can reduce the overhead of opening and closing connections to the database, which can improve latency and throughput2.

The DevOps engineer should connect the proxy to the Aurora cluster reader endpoint, which allows read-only connections to one of the Aurora Replicas in the DB cluster3. This can help balance the load across multiple read replicas and improve performance for read-intensive workloads4.

The DevOps engineer should implement the database connection opening outside the Lambda event handler code, which means using a global variable to store the database connection object5. This can enable connection reuse across multiple invocations of the Lambda function, which can reduce latency and improve performance.

The DevOps engineer should connect to the proxy endpoint from the Lambda function, which is a unique URL that represents the proxy. This can allow the Lambda function to access the database through the proxy, which can provide benefits such as connection pooling, load balancing, failover handling, and enhanced security.

The other options are incorrect because:

Implementing database connection pooling inside the Lambda code is unnecessary and redundant when using Amazon RDS Proxy, which already provides connection pooling as a service.

Implementing the database connection opening and closing inside the Lambda event handler code is inefficient and costly, as it can increase latency and consume more resources for each invocation of the Lambda function.

Connecting to the Aurora cluster endpoint from the Lambda function is not optimal for read-only queries, as it can direct traffic to either the primary instance or one of the Aurora Replicas in the DB cluster. This can result in inconsistent performance and potential conflicts with write operations on the primary instance.

Question 3

A company has implemented a new microservices-based application on an Amazon Elastic Container Service (Amazon ECS) cluster. After each deployment, the company wants to validate the critical user journeys and API endpoints before routing traffic to the new application version.

The company must implement an automated solution to detect issues in the new deployment and to initiate a rollback if necessary.

Which solution will meet these requirements with the LEAST operational overhead ?

Options:

Set up Amazon CloudWatch Application Insights for the ECS cluster. Create an Amazon EventBridge rule to invoke an AWS Lambda function to analyze the task states. Program the Lambda function to use the ECS UpdateService API call to initiate a rollback if a specific percentage of tasks fail.

Set up Amazon CloudWatch Application Insights for the ECS cluster. Configure Application Insights to monitor key performance indicators of the microservices in the critical user journeys and API calls. Create CloudWatch alarms based on the insights. Use EventBridge to invoke an AWS Step Functions workflow to evaluate the alarms. Configure the workflow to initiate a rollback if necessary by using the alarms ' built-in integration w

Create CloudWatch Synthetics canaries that simulate critical user journeys and API calls. Implement AWS X-Ray tracing for all the microservices. Configure X-Ray to send traces to CloudWatch. Create CloudWatch alarms based on error rates and latency metrics. Create a Lambda function to analyze the traces and to initiate a rollback if necessary by using the alarms ' built-in integration with Amazon ECS.

Create CloudWatch Synthetics canaries that simulate critical user journeys and API calls. Configure the canaries to run against the new deployment. Create CloudWatch alarms that are invoked when canaries fail. Use the alarms ' built-in integration with Amazon ECS to initiate a rollback if the alarms are invoked before traffic is routed to the new deployment.

Get Free DOP-C02 Questions and Answers

Spring Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

Amazon Web Services DOP-C02 Exam With Confidence Using Practice Dumps

DOP-C02: AWS Certified Professional Exam 2025 Study Guide Pdf and Test Engine

Related Amazon Web Services Exams

AWS Certified DevOps Engineer - Professional Questions and Answers

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

CompTIA

Fortinet

Microsoft

Salesforce