AWS Certified DevOps Engineer - Professional · Difficulty

Hard DOP-C02 practice questions

Challenge — multi-step scenarios, trade-offs, and subtle distinctions. 57 hard questions available — no sign-up, always free.

Question 1 of 25

A financial services company runs a stateless order-matching service on an EC2 Auto Scaling group behind an Application Load Balancer. During market-open bursts, demand spikes within seconds. The application AMI is large and requires roughly 6 minutes to boot, run configuration scripts, and warm its JVM cache before it can pass ALB health checks. Scale-out driven by target-tracking on request count is too slow, causing dropped orders during the first few minutes of each spike. The team wants to reduce scale-out latency without permanently running (and paying for full price on) many idle instances. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 2 of 25

A financial services company runs a mission-critical application on an Amazon Aurora MySQL-Compatible cluster. During a faulty deployment, an application bug executed a bad UPDATE statement that silently corrupted several tables. The problem was discovered 45 minutes later. The team needs to recover the database to the exact state moments before the corruption with the least amount of downtime and without provisioning a new cluster endpoint that would require application reconfiguration. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 3 of 25

A financial services company runs a critical transaction processing application on an Amazon Aurora PostgreSQL cluster in us-east-1. Compliance requires an RPO of under 1 second and an RTO of under 5 minutes in the event of a full regional outage, and the disaster recovery region (us-west-2) must be able to accept application traffic quickly. The DevOps team must automate failover so that operators are not required to reconfigure the database endpoint manually during a regional event. Which approach BEST meets these requirements?

Reviewed for accuracy · Report an issue
Question 4 of 25

A financial services company must implement a centralized, automated disaster recovery strategy for a fleet of EC2 instances, EBS volumes, and DynamoDB tables spread across multiple accounts in an AWS Organization. Compliance requires that all backups be retained for 7 years, be immutable (protected against deletion even by administrators), and be copied to a second AWS Region for DR. The team wants to minimize custom scripting and manage the policy centrally. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 5 of 25

A DevOps team uses AWS CDK to define infrastructure for a service deployed through a CDK Pipelines self-mutating pipeline. Several stacks call methods like ec2.Vpc.fromLookup() and ssm.StringParameter.valueFromLookup() to resolve existing VPCs and configuration at synthesis time. The team notices that builds in the pipeline's CodeBuild synth step intermittently fail or produce templates that reference incorrect subnet IDs, and the errors do not reproduce on developers' laptops. What is the MOST likely root cause and the recommended fix?

Reviewed for accuracy · Report an issue
Question 6 of 25

A platform team maintains an AWS CDK (v2, TypeScript) library of reusable constructs that application teams import to provision workloads. One construct needs to place resources into an existing VPC that already lives in each application team's account. The application accounts vary, and the platform team wants the synthesized CloudFormation to reference the correct VPC subnets deterministically at deploy time without hard-coding subnet IDs in the construct. During code review, a developer used ec2.Vpc.fromLookup() and CDK synthesis failed in the CI pipeline with an error about missing environment/account context. What is the MOST appropriate way to make this reusable construct resolve the existing VPC reliably across accounts?

Reviewed for accuracy · Report an issue
Question 7 of 25

A team uses AWS CDK to define two stacks in the same app: a NetworkStack that creates a VPC and exports a shared security group, and an AppStack that references that security group via a CDK cross-stack reference (the security group object is passed directly between stack constructs). During a routine change, a developer removes the security group usage from AppStack and redeploys, intending to later delete the security group entirely from NetworkStack. The AppStack deployment succeeds, but when they subsequently try to delete the security group from NetworkStack, the NetworkStack update fails. What is the MOST likely cause and correct approach?

Reviewed for accuracy · Report an issue
Question 8 of 25

A DevOps team uses AWS CDK to provision infrastructure. One stack must register a third-party SaaS webhook during creation and deregister it during stack deletion, calling an external REST API that CloudFormation cannot natively manage. They implement a Lambda-backed custom resource using the CDK Provider framework. During testing, the stack creates successfully, but when they run 'cdk destroy', the stack becomes stuck in DELETE_IN_PROGRESS for over an hour and eventually rolls into DELETE_FAILED. The Lambda function's own logs show the deregistration call completed in under two seconds. What is the MOST likely cause?

Reviewed for accuracy · Report an issue
Question 9 of 25

A platform engineering team distributes infrastructure changes across 40 AWS accounts using CDK Pipelines that deploy CloudFormation stacks. Security requires that no stack deployment be allowed to create an S3 bucket without a bucket policy denying non-TLS access, and this must be enforced at deploy time BEFORE resources are provisioned — regardless of whether developers use the correct CDK constructs. The team wants a solution that is centrally managed, applies automatically to all stack operations in every account, and blocks the CloudFormation operation itself if the rule is violated. Which approach meets these requirements?

Reviewed for accuracy · Report an issue
Question 10 of 25

A DevOps team manages a CDK application that synthesizes a parent CloudFormation stack containing several nested stacks. A shared 'NetworkStack' nested stack exports a VPC ID and subnet IDs that are consumed by an 'AppStack' nested stack via CloudFormation cross-stack references (Fn::ImportValue on exported outputs). During a deployment that both changes the CIDR of a subnet in NetworkStack and updates an EC2 launch template in AppStack, the deployment fails with an error that an export cannot be updated because it is in use by another stack. The team needs a reliable pattern to allow the shared network values to change over time without blocking dependent stack updates. Which approach BEST resolves this?

Reviewed for accuracy · Report an issue
Question 11 of 25

A DevOps team deploys an application using a CloudFormation nested stack architecture. One nested stack provisions an Auto Scaling group of EC2 instances that run a lengthy bootstrap process via cfn-init before the application is ready. During recent stack updates, the parent stack update repeatedly succeeds and reports UPDATE_COMPLETE even though several instances fail to finish their bootstrap and never become healthy, causing the application to serve errors after the deployment. The team wants CloudFormation to treat the update as failed and roll back automatically when instances do not complete initialization. Which change to the EC2 nested stack template will achieve this?

Reviewed for accuracy · Report an issue
Question 12 of 25

A DevOps team maintains a production CDK application that provisions a critical DynamoDB table and an S3 bucket. To improve readability, a developer refactors the code by wrapping several resources inside a new nested Construct and renames the construct scope. During the next pipeline run, `cdk diff` shows the DynamoDB table and S3 bucket will be destroyed and recreated. Both resources contain production data that must not be lost. Which approach allows the refactor to proceed WITHOUT data loss and with minimal manual intervention?

Reviewed for accuracy · Report an issue
Question 13 of 25

A DevOps team manages a large CloudFormation parent stack that references three nested stacks (network, application, and database). During a recent update to modify an Auto Scaling group configuration in the application nested stack, the update failed and the entire deployment rolled back — including unrelated resources in the network nested stack that had already succeeded. The team wants to reduce the blast radius so that a failure in one nested stack's update does not force a rollback of resources in the other nested stacks, while still managing everything as a cohesive infrastructure set. What is the MOST appropriate approach?

Reviewed for accuracy · Report an issue
Question 14 of 25

A DevOps team manages a security baseline (IAM roles and Config rules) across an AWS Organization using a service-managed CloudFormation StackSet deployed to an organizational unit (OU) containing 40 accounts. A regulatory change requires that a new set of resources be rolled out to only 3 specific accounts within that OU first, as a controlled pilot, before a full OU-wide rollout. The team must not deploy to the other 37 accounts yet, and must avoid manually removing accounts from the OU or creating a separate OU. Which approach accomplishes this with the least operational overhead?

Reviewed for accuracy · Report an issue
Question 15 of 25

A DevOps team manages a service-managed CloudFormation StackSet with automatic deployment enabled, targeting an entire Organizational Unit (OU) that contains 40 production accounts. Each stack deploys a baseline security configuration including IAM roles and a CloudTrail trail. The security team needs to move one account out of the target OU into a separate 'quarantine' OU for investigation, but they require that the baseline security stack (including CloudTrail logging) REMAINS active in that account after the move so evidence continues to be collected. What is the correct approach?

Reviewed for accuracy · Report an issue
Question 16 of 25

A company manages baseline networking (VPCs, subnets, VPC endpoints) across 40 accounts in an AWS Organization using a service-managed CloudFormation StackSet. The security team wants to guarantee that any manual change to a deployed stack instance is automatically detected, reported centrally, and then reverted to the template-defined configuration within 24 hours, without requiring an engineer to log into member accounts. Which approach meets these requirements with the least operational overhead?

Reviewed for accuracy · Report an issue
Question 17 of 25

A company uses CloudFormation StackSets with service-managed permissions to deploy a logging configuration stack to all accounts in an AWS Organizations OU. The stack template accepts a parameter, CentralLogBucketArn, that must point to a different destination bucket depending on which region the stack instance is deployed in (each region has its own regional log bucket). The DevOps team currently maintains a single stack set and wants a single deployment operation to populate the correct bucket ARN per region without maintaining separate stack sets. What is the MOST appropriate way to achieve this?

Reviewed for accuracy · Report an issue
Question 18 of 25

A company originally deployed a CloudFormation StackSet using the self-managed permission model across 40 member accounts, manually creating the AWSCloudFormationStackSetExecutionRole in each account. The company has now enabled trusted access between AWS Organizations and CloudFormation and wants to switch the StackSet to the service-managed permission model so that new accounts joining the organization automatically receive the stacks. A DevOps engineer attempts to update the existing StackSet's permission model in place but the operation fails. What is the correct approach to achieve automatic deployment to new accounts?

Reviewed for accuracy · Report an issue
Question 19 of 25

A DevOps engineer manages a CloudFormation StackSet in service-managed permission mode, deployed from the organization's management account to an OU containing 40 member accounts. The StackSet provisions a standardized IAM role and an S3 bucket with a specific KMS-encrypted policy in each account. After a recent security initiative, the security team attached a new Service Control Policy (SCP) to the OU that denies all s3:PutEncryptionConfiguration and kms:CreateGrant actions unless a specific tag condition is met. The next StackSet operation fails in every target account during resource creation. The engineer needs the standardized resources to deploy successfully across all 40 accounts while keeping the SCP guardrail intact. What is the MOST appropriate action?

Reviewed for accuracy · Report an issue
Question 20 of 25

A DevOps team manages a CloudFormation StackSet that deploys a baseline security stack to 120 member accounts across 4 regions. During a recent rollout, a malformed template caused stack operations to fail in dozens of accounts before the team noticed, forcing a lengthy manual cleanup. The team wants future rollouts to halt automatically as soon as failures begin, while still deploying to a few accounts at a time to validate changes before broad propagation. Which combination of StackSet operation preferences achieves this?

Reviewed for accuracy · Report an issue
Question 21 of 25

A DevOps team manages a global application using a single CloudFormation StackSet that deploys to 12 accounts across 4 regions. The template creates a primary DynamoDB global table configuration and Lambda functions that reference it. During deployment, the team requires that the us-east-1 region always deploys and completes successfully FIRST, because it provisions a shared global resource that all other regions depend on. If us-east-1 fails, no other region should be attempted. The team currently deploys to all regions with default concurrency settings and occasionally sees other regions fail because the shared resource is not yet available. Which approach best enforces the required ordering?

Reviewed for accuracy · Report an issue
Question 22 of 25

A company uses a CloudFormation StackSet with the SERVICE_MANAGED permission model to deploy a standardized VPC baseline to all accounts in an Organizational Unit (OU). Application teams have local administrative access in their member accounts and occasionally modify the VPC resources deployed by the StackSet, causing configuration drift. Leadership wants to guarantee that these baseline resources cannot be modified or deleted by application teams in the first place, rather than detecting and remediating drift after it occurs. Which approach BEST meets this requirement?

Reviewed for accuracy · Report an issue
Question 23 of 25

A team runs a high-throughput payment service on AWS Lambda. They need per-customer latency and error metrics for thousands of customers, but calling PutMetricData for each customer on every invocation is causing throttling and increasing invocation duration. They want custom metrics generated asynchronously without adding synchronous API calls in the hot path, while keeping the raw structured log data queryable. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 24 of 25

A DevOps team runs a fleet of application servers that write structured JSON logs to a single CloudWatch Logs log group. Each log event contains fields for 'statusCode', 'service', and 'region'. The team creates a metric filter to count HTTP 5xx errors and wants the resulting CloudWatch metric to be broken down separately by the 'service' and 'region' field values so they can alarm per-service. After deploying the metric filter with dimensions configured for 'service' and 'region', they notice that some emitted metrics are missing dimension values and total counts appear incomplete. What is the MOST likely cause and correct approach?

Reviewed for accuracy · Report an issue
Question 25 of 25

A company uses AWS CodeArtifact as its internal package repository for a set of proprietary npm packages (published under the @company scope). The repository has npmjs.org configured as an upstream to fetch public dependencies. During a security review, the team discovers that an attacker could publish a malicious package to the public npm registry using the same name as an internal package that has not yet been published to CodeArtifact, causing builds to pull the attacker's version (a dependency confusion attack). What is the MOST effective way to prevent this while still allowing the repository to fetch legitimate public packages?

Reviewed for accuracy · Report an issue