AWS Certified DevOps Engineer - Professional · Domain 2 · 17% of exam

Configuration Management and IaC

Drill 20 practice questions focused entirely on Configuration Management and IaC for the AWS DOP-C02 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A platform team maintains a large CDK application (TypeScript) composed of dozens of stacks authored by multiple product teams. Governance requires that every S3 bucket in every stack must have server-side encryption enabled and every resource must carry a 'CostCenter' tag. The team wants to enforce these rules automatically at synthesis time so that non-compliant stacks fail the build, without asking each product team to modify their construct code. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 2 of 20

A DevOps team uses AWS CDK to define infrastructure for a service deployed through a CDK Pipelines self-mutating pipeline. Several stacks call methods like ec2.Vpc.fromLookup() and ssm.StringParameter.valueFromLookup() to resolve existing VPCs and configuration at synthesis time. The team notices that builds in the pipeline's CodeBuild synth step intermittently fail or produce templates that reference incorrect subnet IDs, and the errors do not reproduce on developers' laptops. What is the MOST likely root cause and the recommended fix?

Reviewed for accuracy · Report an issue
Question 3 of 20

A DevOps team uses AWS CDK to define a multi-tier web application (VPC, ECS cluster, RDS database, and application services). They need to deploy this identical application to three separate AWS accounts (dev, staging, prod) within their organization. Each account must have its own isolated set of resources, and the team wants a single CDK codebase where the environment-specific account IDs and region are supplied at synth time, producing separate CloudFormation templates per environment. Which CDK approach best satisfies these requirements while keeping the code maintainable?

Reviewed for accuracy · Report an issue
Question 4 of 20

A team uses CDK Pipelines (the CodePipeline construct in the aws-cdk-lib/pipelines module) to deploy a multi-stage application. Developers add a new deployment stage to the pipeline definition in code and merge to the main branch. When the existing pipeline runs, they expect the new stage to appear, but they are concerned about how the pipeline picks up structural changes to its own definition. Which behavior of CDK Pipelines correctly explains how the new stage becomes part of the running pipeline?

Reviewed for accuracy · Report an issue
Question 5 of 20

A platform team maintains an AWS CDK (v2, TypeScript) library of reusable constructs that application teams import to provision workloads. One construct needs to place resources into an existing VPC that already lives in each application team's account. The application accounts vary, and the platform team wants the synthesized CloudFormation to reference the correct VPC subnets deterministically at deploy time without hard-coding subnet IDs in the construct. During code review, a developer used ec2.Vpc.fromLookup() and CDK synthesis failed in the CI pipeline with an error about missing environment/account context. What is the MOST appropriate way to make this reusable construct resolve the existing VPC reliably across accounts?

Reviewed for accuracy · Report an issue
Question 6 of 20

A team uses AWS CDK to define two stacks in the same app: a NetworkStack that creates a VPC and exports a shared security group, and an AppStack that references that security group via a CDK cross-stack reference (the security group object is passed directly between stack constructs). During a routine change, a developer removes the security group usage from AppStack and redeploys, intending to later delete the security group entirely from NetworkStack. The AppStack deployment succeeds, but when they subsequently try to delete the security group from NetworkStack, the NetworkStack update fails. What is the MOST likely cause and correct approach?

Reviewed for accuracy · Report an issue
Question 7 of 20

A DevOps team manages a production CloudFormation stack that deploys an application tier. They need to migrate an existing manually-created DynamoDB table into this stack so it becomes CloudFormation-managed, without any downtime or data loss. The table receives constant read/write traffic. Which approach correctly brings the table under management while minimizing risk?

Reviewed for accuracy · Report an issue
Question 8 of 20

A DevOps team manages a production RDS database and its surrounding networking through a single CloudFormation stack deployed via a CodePipeline. During a routine template update that modifies the DB instance's DBInstanceIdentifier property, the team wants an automated safeguard in the pipeline that halts the deployment BEFORE any resource is replaced, so an engineer can review whether the change would destroy the existing database. Which approach best meets this requirement?

Reviewed for accuracy · Report an issue
Question 9 of 20

A DevOps team uses AWS CDK to provision infrastructure. One stack must register a third-party SaaS webhook during creation and deregister it during stack deletion, calling an external REST API that CloudFormation cannot natively manage. They implement a Lambda-backed custom resource using the CDK Provider framework. During testing, the stack creates successfully, but when they run 'cdk destroy', the stack becomes stuck in DELETE_IN_PROGRESS for over an hour and eventually rolls into DELETE_FAILED. The Lambda function's own logs show the deregistration call completed in under two seconds. What is the MOST likely cause?

Reviewed for accuracy · Report an issue
Question 10 of 20

A team manages an S3 bucket, an IAM role, and a DynamoDB table through a single CloudFormation stack. An engineer, bypassing the pipeline, manually edited the S3 bucket policy and added a new lifecycle rule directly in the console during an incident. The next scheduled pipeline run deploys an unrelated change (adding a CloudWatch alarm) via a change set. The team wants to ensure the manual changes are reconciled to match the template AND wants ongoing visibility when future out-of-band changes occur, without deleting or recreating any resources. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 11 of 20

A platform engineering team distributes infrastructure changes across 40 AWS accounts using CDK Pipelines that deploy CloudFormation stacks. Security requires that no stack deployment be allowed to create an S3 bucket without a bucket policy denying non-TLS access, and this must be enforced at deploy time BEFORE resources are provisioned — regardless of whether developers use the correct CDK constructs. The team wants a solution that is centrally managed, applies automatically to all stack operations in every account, and blocks the CloudFormation operation itself if the rule is violated. Which approach meets these requirements?

Reviewed for accuracy · Report an issue
Question 12 of 20

A DevOps team deploys a fleet of EC2 instances using a CloudFormation template. They want the instances to install packages, write configuration files, and start services automatically at launch, with the ability to update this configuration by simply updating the CloudFormation stack. They also want a clean signal to CloudFormation indicating whether the bootstrap configuration succeeded, so a failed configuration causes the stack update to roll back. Which approach best meets these requirements using native CloudFormation capabilities?

Reviewed for accuracy · Report an issue
Question 13 of 20

A DevOps team uses AWS CDK (v2) to deploy an application consisting of a parent stack with several nested stacks. Each nested stack references Lambda functions bundled from local source code as assets. The team runs 'cdk deploy' targeting a new region (eu-west-1) for the first time, but the deployment fails immediately with an error stating that the assets cannot be published because the environment is not bootstrapped. The same application deploys successfully in us-east-1. What is the correct way to resolve this while following AWS best practices for multi-region CDK deployments?

Reviewed for accuracy · Report an issue
Question 14 of 20

A DevOps team manages a CDK application that synthesizes a parent CloudFormation stack containing several nested stacks. A shared 'NetworkStack' nested stack exports a VPC ID and subnet IDs that are consumed by an 'AppStack' nested stack via CloudFormation cross-stack references (Fn::ImportValue on exported outputs). During a deployment that both changes the CIDR of a subnet in NetworkStack and updates an EC2 launch template in AppStack, the deployment fails with an error that an export cannot be updated because it is in use by another stack. The team needs a reliable pattern to allow the shared network values to change over time without blocking dependent stack updates. Which approach BEST resolves this?

Reviewed for accuracy · Report an issue
Question 15 of 20

A DevOps team deploys an application using a CloudFormation nested stack architecture. One nested stack provisions an Auto Scaling group of EC2 instances that run a lengthy bootstrap process via cfn-init before the application is ready. During recent stack updates, the parent stack update repeatedly succeeds and reports UPDATE_COMPLETE even though several instances fail to finish their bootstrap and never become healthy, causing the application to serve errors after the deployment. The team wants CloudFormation to treat the update as failed and roll back automatically when instances do not complete initialization. Which change to the EC2 nested stack template will achieve this?

Reviewed for accuracy · Report an issue
Question 16 of 20

A DevOps team maintains a single CloudFormation template used to deploy an application across us-east-1, eu-west-1, and ap-southeast-2. The template launches EC2 instances that must use a region-specific, hardened AMI ID owned by the security team. The AMI IDs are updated roughly once per quarter through a separate golden-AMI pipeline. Deployments are triggered via a CodePipeline that runs the same template in all three regions. The team wants the correct AMI to be selected automatically per region at deploy time, without editing the template body and without manually passing AMI IDs as parameters on each run. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 17 of 20

A DevOps team manages a production VPC, subnets, and an RDS instance that were all created manually through the AWS console over two years ago. Management now requires all infrastructure to be managed as code using CloudFormation so that changes go through the change-set review process. The team must bring these existing, live resources under CloudFormation management WITHOUT deleting them or causing any downtime to the running RDS database. Which approach meets these requirements?

Reviewed for accuracy · Report an issue
Question 18 of 20

A DevOps team manages a shared networking stack and multiple application stacks in the same account and region using AWS CDK. Application stacks need to reference the VPC ID and subnet IDs produced by the networking stack. Currently they use CloudFormation cross-stack exports (Fn::ImportValue). The team frequently needs to modify the networking stack's subnet configuration, but CloudFormation blocks these updates because the values are exported and consumed by other stacks. They want a decoupling approach that still keeps everything defined as code and allows the networking stack to update independently while application stacks pick up current values. What should they do?

Reviewed for accuracy · Report an issue
Question 19 of 20

A DevOps team maintains a production CDK application that provisions a critical DynamoDB table and an S3 bucket. To improve readability, a developer refactors the code by wrapping several resources inside a new nested Construct and renames the construct scope. During the next pipeline run, `cdk diff` shows the DynamoDB table and S3 bucket will be destroyed and recreated. Both resources contain production data that must not be lost. Which approach allows the refactor to proceed WITHOUT data loss and with minimal manual intervention?

Reviewed for accuracy · Report an issue
Question 20 of 20

A DevOps team manages a production CloudFormation stack containing a shared VPC, transit gateway attachments, and a KMS key used by multiple downstream stacks. During a recent incident, an engineer ran `aws cloudformation delete-stack` against the wrong stack name from a scripting error, and the deletion began before it was cancelled. The team wants to guarantee that no accidental or automated API call can delete this foundational stack, while still allowing normal stack UPDATE operations to proceed through their CI/CD pipeline. What should they implement?

Reviewed for accuracy · Report an issue

More DOP-C02 practice

Keep going with the other AWS Certified DevOps Engineer - Professional domains, or take a full timed mock exam.

← Back to DOP-C02 overview