AWS Certified DevOps Engineer - Professional · Domain 5 · 14% of exam

Incident and Event Response

Drill 20 practice questions focused entirely on Incident and Event Response for the AWS DOP-C02 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A company must ensure that no S3 bucket in its production account ever allows public read access. The security team wants an automated, event-driven mechanism that detects when a bucket becomes publicly readable and immediately reverts it to a private (blocked) state without any human intervention. The solution should also produce an audit trail of both the violation and the remediation action. Which approach best meets these requirements with the least custom code?

Reviewed for accuracy · Report an issue
Question 2 of 20

A DevOps team runs an automated incident-response workflow: an EventBridge rule matches CloudTrail management events for security-group ingress changes and invokes a Lambda function that reverts non-compliant rules. During a recent audit, the team found that some non-compliant rule additions were reverted several minutes late, and a few were never reverted at all. CloudWatch Logs show the Lambda function was invoked far fewer times than the number of AuthorizeSecurityGroupIngress API calls recorded in CloudTrail. The EventBridge rule pattern and Lambda IAM permissions are confirmed correct. What is the MOST likely root cause of the missed and delayed remediations?

Reviewed for accuracy · Report an issue
Question 3 of 20

A financial services company must detect and respond to any AWS Management Console sign-in using the root user account within their production account. When a root login occurs, the security team requires immediate paging notification AND an automatic audit record captured for compliance. The team wants a fully event-driven solution with no polling and the least operational overhead. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 4 of 20

A DevOps team runs a customer-facing checkout API behind an ALB. They want an automated incident triage workflow: when the API's p99 latency alarm enters ALARM state, the system should automatically capture diagnostics (recent application logs, target group health, and a thread dump from the affected EC2 instances) and post the collected artifacts to a Slack channel used by the on-call engineer. The team wants the diagnostics gathering to run across all impacted instances in the Auto Scaling group without writing custom fleet-iteration code, and to only be triggered by the specific latency alarm. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 5 of 20

A company runs a critical order-processing service on Amazon ECS with Fargate. During a recent deployment, tasks began stopping repeatedly with the stopped reason 'Essential container in task exited' and exit code 1, creating a crash loop that generated hundreds of task state change events. The operations team wants an automated response that captures diagnostic details (task ARN, stopped reason, and the failing container's exit code) and posts them to an incident channel, but only when a task stops for a NON-deployment reason — routine scale-in and successful deployment stops should be ignored. Which approach BEST meets these requirements?

Reviewed for accuracy · Report an issue
Question 6 of 20

A financial services company runs nightly batch reconciliation using AWS Batch. When a Batch job fails, the operations team learns about it only the next morning from downstream reports, causing missed SLAs. The team wants an automated response that (1) captures every job that reaches the FAILED state, (2) automatically resubmits the job once if the failure reason indicates a transient host error, and (3) if the retry also fails or the failure is non-transient, opens an incident by publishing to an SNS topic that pages on-call. The solution must require no polling and add minimal custom infrastructure. What is the MOST appropriate design?

Reviewed for accuracy · Report an issue
Question 7 of 20

A company runs a critical VPC that hosts a public-facing application. Recently, an operator accidentally detached the Internet Gateway (IGW) during a maintenance window, causing a 20-minute outage. The DevOps team wants an automated response that immediately re-attaches the IGW to the VPC whenever it is detached, and notifies the on-call engineer. All API activity is already captured in a multi-region CloudTrail trail. Which approach meets these requirements with the LEAST operational overhead?

Reviewed for accuracy · Report an issue
Question 8 of 20

A company runs a fleet of EC2-based web servers behind an Application Load Balancer. Operations wants automated remediation: whenever a specific CloudWatch alarm named 'HighUnhealthyHostCount' transitions to ALARM state, a Lambda function should immediately gather diagnostics (recent target group health, application logs) and post a summary to a Slack channel. The team wants the reaction to occur as soon as the alarm changes state, without polling, and they must be able to filter so that only transitions to the ALARM state (not OK or INSUFFICIENT_DATA) trigger the workflow. Which approach meets these requirements with the least custom code?

Reviewed for accuracy · Report an issue
Question 9 of 20

A DevOps team runs 40 CodePipeline pipelines across multiple applications. When a pipeline stage fails, engineers currently discover it hours later. Leadership wants an automated system that, within seconds of any pipeline stage entering a FAILED state, posts a message to a Slack channel that includes the pipeline name, the failed stage, and the failed action's execution ID so the on-call engineer can jump straight to troubleshooting. The solution must require no code changes to individual pipelines and must scale as new pipelines are added. What is the MOST operationally efficient approach?

Reviewed for accuracy · Report an issue
Question 10 of 20

A company runs a serverless order-processing system where an EventBridge custom event bus routes 'OrderPlaced' events to a Lambda function that writes to DynamoDB. During a recent 30-minute regional degradation, the Lambda target repeatedly failed and the DLQ was not configured, so an unknown number of order events were lost. Leadership now requires that the team be able to recover and reprocess any events that fail to reach or be successfully processed by targets during future incidents, with no code changes to producers. Which combination of EventBridge features BEST meets this requirement?

Reviewed for accuracy · Report an issue
Question 11 of 20

A company uses an EventBridge rule that targets a Lambda function to auto-remediate non-compliant S3 buckets detected by AWS Config. During an incident review, the team discovers that several remediation events silently failed and were never retried, leaving buckets publicly accessible for hours. Investigation shows the Lambda function was throttled due to a spike in events, and EventBridge exhausted its retries. The team needs to ensure that no remediation event is ever lost and that failed events can be reprocessed after the throttling condition clears. What should the DevOps engineer implement?

Reviewed for accuracy · Report an issue
Question 12 of 20

A company runs a mission-critical DynamoDB table with provisioned capacity. During unpredictable traffic spikes, the application experiences ReadThrottleEvents that cause API timeouts. The DevOps team wants an automated response that increases the table's provisioned read capacity when sustained throttling occurs, but only after confirming the condition persists for several minutes to avoid reacting to brief bursts. The solution must require no standing infrastructure and must log every remediation action for auditing. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 13 of 20

A company runs a stateful order-processing service on EC2 instances behind an Application Load Balancer. AWS sometimes issues scheduled maintenance events (planned retirement or reboot) for these instances. Operations wants an automated response that, upon receiving an AWS Health scheduled-change notification for a specific instance, gracefully deregisters that instance from the target group, waits for in-flight orders to complete, and then triggers a replacement before the maintenance window begins. Which approach BEST meets these requirements with the least custom infrastructure?

Reviewed for accuracy · Report an issue
Question 14 of 20

A security team discovers that a developer accidentally scheduled deletion of a customer-managed KMS key that encrypts several production RDS databases and S3 buckets. The organization wants an automated safeguard so that any future ScheduleKeyDeletion API call for keys tagged 'Protected=true' is immediately reversed and the on-call team is alerted, without manual intervention. Which solution meets these requirements with the least operational overhead?

Reviewed for accuracy · Report an issue
Question 15 of 20

A financial services company uses Amazon Macie to scan S3 buckets for sensitive data. When Macie discovers objects containing personally identifiable information (PII) in buckets that are not approved for PII storage, the security team wants an automated response that blocks further access to the specific offending objects within minutes, records the action for audit, and notifies the security channel — all without disabling access to the entire bucket or blocking legitimate objects. Which approach BEST meets these requirements?

Reviewed for accuracy · Report an issue
Question 16 of 20

A financial services company runs a critical order-processing Lambda function that is invoked asynchronously from an EventBridge rule. During a marketing spike, the DevOps team notices that many events are being lost and the function's Throttles metric is spiking. Investigation shows the account's unreserved concurrency pool was exhausted by an unrelated batch-processing Lambda function that scaled up aggressively. The team must ensure the order-processing function always has capacity available AND that any events it cannot process immediately are retained for later reprocessing, without losing data. Which combination of actions BEST meets these requirements?

Reviewed for accuracy · Report an issue
Question 17 of 20

A DevOps team runs an automated compliance workflow. Every night at 02:00 UTC, an EventBridge scheduled rule (cron expression) triggers a Lambda function that scans EC2 instances for missing patches and starts an SSM Automation runbook to remediate. The team notices that during nights when the AWS account experiences a large burst of unrelated events, the nightly patch scan sometimes fires several minutes late or, on rare occasions, is skipped entirely. They need the patch scan to fire reliably at a precise time, support a configurable time zone for regional maintenance windows, and avoid running when a maintenance flag is disabled — without maintaining the scheduling logic inside Lambda. Which change best meets these requirements?

Reviewed for accuracy · Report an issue
Question 18 of 20

A company runs a fleet of 200 EC2 instances behind an Application Load Balancer. When a shared backend dependency degrades, dozens of instances simultaneously breach a CloudWatch alarm for high 5xx rates. Each alarm state change triggers an EventBridge rule that invokes a Lambda function, which in turn starts a Systems Manager Automation runbook to collect diagnostics and restart the affected service. During the last incident, the flood of concurrent Automation executions exhausted the account's SSM Automation concurrency, and the diagnostics runbook itself failed to complete on many instances. The DevOps team wants the automated response to still gather diagnostics and remediate, but without launching a redundant execution per instance for what is fundamentally a single upstream incident. Which approach BEST addresses this?

Reviewed for accuracy · Report an issue
Question 19 of 20

A DevOps team runs an auto-remediation workflow: a CloudWatch alarm on excessive disk usage triggers an EventBridge rule that invokes a Systems Manager Automation runbook to expand the EBS volume and extend the filesystem. Security requires that any remediation touching production instances (tagged Environment=prod) receive human approval before execution, while non-production remediation must remain fully automatic. The team wants to keep a single runbook and avoid maintaining separate Lambda approval logic. What is the MOST appropriate way to implement this?

Reviewed for accuracy · Report an issue
Question 20 of 20

A company must ensure that no S3 bucket in any account ever has its account-level Block Public Access setting disabled without immediate reversal. When an engineer runs PutPublicAccessBlock to weaken the setting, a security team wants automated remediation within seconds and a durable record of who triggered the change. CloudTrail is enabled in all accounts and management events flow to a central account. Which approach BEST meets these requirements with the least ongoing operational effort?

Reviewed for accuracy · Report an issue

More DOP-C02 practice

Keep going with the other AWS Certified DevOps Engineer - Professional domains, or take a full timed mock exam.

← Back to DOP-C02 overview