SDLC Automation
Drill 20 practice questions focused entirely on SDLC Automation for the AWS DOP-C02 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A company uses AWS CodeArtifact as its internal package repository for a set of proprietary npm packages (published under the @company scope). The repository has npmjs.org configured as an upstream to fetch public dependencies. During a security review, the team discovers that an attacker could publish a malicious package to the public npm registry using the same name as an internal package that has not yet been published to CodeArtifact, causing builds to pull the attacker's version (a dependency confusion attack). What is the MOST effective way to prevent this while still allowing the repository to fetch legitimate public packages?
A development team uses CodeBuild to build a Node.js application in CodePipeline. Builds frequently fail intermittently because the public npm registry is rate-limiting requests, and the security team has mandated that all third-party packages be scanned and approved before use. The team wants a managed solution that caches public packages, enforces a single source of truth for dependencies, and integrates with the existing CodeBuild jobs with minimal changes. Which approach best meets these requirements?
A team builds a container image that must be published for both linux/amd64 and linux/arm64 architectures. Currently a single CodeBuild project builds each architecture sequentially inside one buildspec, which takes over 25 minutes and frequently causes the CodePipeline build stage to feel slow. The team wants both architectures built in parallel using native runners (not emulation) while keeping everything in a single CodeBuild project invocation, and they want the pipeline to wait for both to finish before proceeding. What should the DevOps engineer implement?
A DevOps team runs integration tests in AWS CodeBuild as part of a CodePipeline. The tests require a database password and a third-party API key. Currently these values are hardcoded as plaintext environment variables in the CodeBuild project configuration, and a security audit has flagged this. The team wants CodeBuild to retrieve the secrets at build time without exposing them in the project definition, build logs, or the buildspec file, while keeping the buildspec portable across accounts. Which approach BEST meets these requirements?
A team uses CodePipeline with a CodeBuild project to build a large Java monolith. The full Maven build takes 22 minutes, most of which is spent downloading dependencies from Maven Central on every run because the build container starts fresh each time. The team wants to reduce build time without changing their source control workflow or introducing a separate artifact repository. What is the MOST effective change to make in the CodeBuild configuration?
A team runs a CodePipeline in a shared tooling account. A CodeBuild project in that account builds a Docker image and must push it to an Amazon ECR repository that lives in a separate production account. The build currently fails with an authorization error when running 'docker push'. The team wants the most secure and maintainable way to grant CodeBuild permission to push images to the production account's ECR repository. What should they configure?
A development team uses a trunk-based workflow in a CodeCommit repository. Their CodePipeline builds a Java application with CodeBuild and publishes the resulting JAR to CodeArtifact. Currently every merge to main publishes a package with version 1.0.0-SNAPSHOT, which overwrites the previous artifact. QA reports that they cannot reliably reproduce a bug because the artifact tested last week no longer exists in the repository. The team wants each build to publish an immutable, uniquely versioned artifact that can be traced back to the exact source commit, without manual version edits. Which approach best meets this requirement?
A team hosts application source in GitHub.com and wants CodeBuild to build automatically on every pull request opened against the main branch. The security team mandates that no long-lived GitHub personal access tokens or passwords be stored anywhere in AWS, and that the CI system authenticate to GitHub using short-lived credentials. Which approach satisfies both the automatic PR-triggered builds and the credential requirement?
A team's CI pipeline uses CodeBuild to run integration tests that must connect to an Amazon RDS database and an internal Amazon ElastiCache cluster, both located in private subnets with no internet route. The CodeBuild project also needs to pull dependencies from Amazon S3 and push test reports to Amazon CloudWatch Logs. Currently the build fails during the integration test phase because it cannot reach the RDS database, though dependency downloads succeed. What is the MOST appropriate configuration to make the integration tests pass while keeping the build's traffic private?
A team's CodeBuild project builds a Docker image on every commit. Each build takes 12 minutes, most of which is spent re-downloading base image layers and re-installing OS packages that rarely change. The buildspec uses a standard managed image with privileged mode enabled. The team wants to reduce build times without adding external infrastructure or changing the base image, and they accept that the first build after cache invalidation will be slower. Which approach best meets these requirements?
A development team runs unit tests inside a CodeBuild project as part of their CodePipeline. The tests already produce a JUnit XML file in the build environment, but the team wants the pass/fail results and trends to appear natively in the CodeBuild console without building a custom parsing solution. What is the MOST appropriate way to achieve this?
A company deploys a Java application to an in-place EC2 deployment group using AWS CodeDeploy. The team needs to stop the running application before new files are copied, and then run a database schema migration and health check only after the new application files are installed but before traffic is routed back through the load balancer. Where in the appspec.yml lifecycle should the schema migration and health-check scripts be defined to run reliably in this order?
A company deploys a monolithic Java application to an EC2 Auto Scaling group behind an Application Load Balancer using AWS CodeDeploy with a blue/green deployment. After each successful deployment, the operations team notices that the original (blue) instances remain running for hours, increasing costs. They want the original instances to be terminated automatically 15 minutes after traffic is successfully rerouted to the replacement environment, giving them a short window to validate before rollback becomes impossible. Which CodeDeploy configuration change achieves this?
A company deploys a Java application to a fleet of 20 EC2 instances behind an Application Load Balancer using AWS CodeDeploy with an in-place deployment and a CodeDeployDefault.OneAtATime configuration. The team wants to ensure that if a newly deployed instance fails its application-level health validation, the deployment stops immediately and the already-deployed instances are automatically reverted to the last known good revision without manual intervention. Which combination of configuration changes best achieves this requirement?
A team runs a containerized order-processing service on Amazon ECS (Fargate) behind an Application Load Balancer. They use AWS CodeDeploy with a blue/green deployment configuration triggered from CodePipeline. During a recent release, the pipeline's Deploy stage failed immediately with an error indicating the deployment could not be created because the required specification was invalid. The team confirms the new container image was pushed to ECR and the ECS service is healthy. Which action correctly resolves the failure so CodeDeploy can perform the blue/green ECS deployment?
A team deploys a containerized payment service to Amazon ECS on Fargate behind an Application Load Balancer. They use AWS CodeDeploy with a blue/green deployment. Business requirements state that after the new task set is healthy, exactly 10% of production traffic must be routed to it for 15 minutes so a canary group can be observed, and only then should the remaining 90% be shifted all at once. Which CodeDeploy deployment configuration meets this requirement?
A team deploys a serverless payment API using AWS Lambda with an alias behind API Gateway. They use CodeDeploy for deployments and want the following behavior: after deploying a new version, 10% of traffic should shift to it immediately, then the remaining 90% should shift after 10 minutes. If a CloudWatch alarm monitoring the function's error rate breaches during the deployment, CodeDeploy must automatically revert all traffic to the previous version. Which combination of CodeDeploy configuration correctly implements these requirements?
A team deploys a serverless payment-processing function using AWS CodeDeploy with a Lambda compute platform. They want each new version to receive 10% of traffic every 2 minutes until fully shifted, and they require an automated validation that runs BEFORE any production traffic reaches the new version. If the validation fails, the deployment must stop and no traffic should be shifted. Which configuration meets these requirements?
A team runs a CodePipeline with Source (CodeCommit), Build (CodeBuild), and Deploy (CodeDeploy to an EC2 staging fleet) stages. They want integration tests to run against the deployed staging environment, and the pipeline must automatically stop and NOT promote to the production deployment stage if any integration test fails. The tests are executed by a separate CodeBuild project that returns a non-zero exit code on failure. Which approach best implements this requirement with the least custom code?
A team uses AWS CodePipeline with a Source stage (CodeCommit), a Build stage (CodeBuild), a manual approval action, and a Deploy stage. Developers frequently push multiple commits in quick succession. They notice that when several executions are queued, an older execution sometimes reaches the manual approval gate and gets approved and deployed AFTER a newer commit has already been deployed, causing an older version of the code to overwrite the newer one in production. The team wants to guarantee that only the most recent change is deployed and that superseded executions are not deployed. What is the MOST appropriate solution?
More DOP-C02 practice
Keep going with the other AWS Certified DevOps Engineer - Professional domains, or take a full timed mock exam.
← Back to DOP-C02 overview