AWS Certified DevOps Engineer - Professional · Domain 6 · 17% of exam

Security and Compliance

Drill 20 practice questions focused entirely on Security and Compliance for the AWS DOP-C02 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A company uses AWS Certificate Manager (ACM) to issue public TLS certificates for several externally imported certificates that ACM cannot auto-renew (they were imported from a third-party CA). The security team was recently caught off guard when one imported certificate expired, causing a production outage. They need an automated, low-maintenance solution that proactively alerts the operations team at least 30 days before ANY imported certificate expires, across all accounts in the organization. Which approach BEST meets this requirement?

Reviewed for accuracy · Report an issue
Question 2 of 20

A DevOps engineer at a financial services company must produce an on-demand report that lists all EC2 instances across 40 member accounts and 3 regions that do NOT have detailed monitoring enabled. Auditors request this report ad hoc and expect it within minutes, without deploying additional infrastructure. AWS Config is already enabled organization-wide with a delegated administrator account hosting an aggregator. What is the MOST efficient way to generate this cross-account, cross-region inventory report?

Reviewed for accuracy · Report an issue
Question 3 of 20

A DevOps team manages 40 AWS accounts under AWS Organizations. The security team needs a single, read-only view of AWS Config rule compliance status across all member accounts and multiple regions, updated automatically as new accounts join the organization. They want to minimize ongoing operational overhead and avoid deploying custom scripts to fetch data from each account. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 4 of 20

A company must demonstrate to auditors that all EC2 instances, EBS volumes, and RDS instances across a 60-account AWS Organization carry mandatory cost-allocation tags (CostCenter, Owner, Environment). The security team needs a single, auditable compliance report that is continuously updated, and they want to minimize the amount of custom code they build and maintain. Resources that lack required tags must be flagged automatically. What is the MOST operationally efficient way to meet these requirements?

Reviewed for accuracy · Report an issue
Question 5 of 20

A financial services company runs 40 accounts under AWS Organizations. The compliance team wants to enforce a standardized set of ~60 Config rules (mapped to PCI DSS controls) across all existing and future member accounts. Requirements: the rules must be deployed centrally from the management/delegated administrator account, versioned as code in a Git repository, and automatically applied to any newly created account without manual per-account setup. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 6 of 20

A financial services company must enforce a compliance policy that requires all IAM user access keys to be rotated every 90 days across a single AWS account. The security team wants an automated, auditable mechanism that continuously detects access keys older than 90 days and automatically deactivates them without requiring engineers to write custom polling scripts or maintain long-running compute. Which solution best meets these requirements with the least operational overhead?

Reviewed for accuracy · Report an issue
Question 7 of 20

A financial services company runs workloads across 40 AWS accounts in an organization. The security team maintains a list of approved (hardened) AMI IDs. They want to continuously detect any EC2 instance launched from a non-approved AMI across all accounts, record the compliance state centrally for audits, AND prevent developers from launching non-approved AMIs in the first place. Which combination of controls best satisfies both the detective and preventive requirements with the least custom code?

Reviewed for accuracy · Report an issue
Question 8 of 20

A DevOps engineer manages compliance for an organization with 60 accounts in AWS Organizations. The security team wants a single AWS Config rule that checks whether all EBS volumes are encrypted, deployed consistently across every existing and future member account, with results visible centrally. They do not want to manually create or maintain the rule in each account, and they want the security account (not the management account) to own the deployment. What is the MOST operationally efficient approach?

Reviewed for accuracy · Report an issue
Question 9 of 20

A financial services company must prove to auditors that no member account in their AWS Organization can disable AWS Config recording or delete the organization CloudTrail trail without immediate detection and automatic re-enablement. Account administrators in member accounts currently hold broad IAM permissions that include config and cloudtrail actions. Which combination of controls BEST enforces this governance requirement with the least ongoing operational effort?

Reviewed for accuracy · Report an issue
Question 10 of 20

A media company allows external partners to upload files directly to an S3 bucket that feeds a downstream processing pipeline. The security team wants an automated, managed solution that scans newly uploaded objects for malware and prevents the pipeline from processing infected files, with minimal custom code and no need to manage scanning infrastructure. Which approach best satisfies these requirements?

Reviewed for accuracy · Report an issue
Question 11 of 20

A company has 40 AWS accounts managed in AWS Organizations and is adding roughly 5 new accounts per quarter. The security team wants Amazon GuardDuty findings from all accounts—including any account created in the future—to be centrally visible and managed from a single dedicated security account, with minimal ongoing manual effort. Which approach meets these requirements?

Reviewed for accuracy · Report an issue
Question 12 of 20

A company runs production microservices on Amazon EKS. The security team wants to detect runtime threats inside containers, such as processes connecting to known cryptomining domains or containers escaping to the host, while minimizing operational overhead. They already have GuardDuty enabled with foundational data sources. What is the MOST operationally efficient way to achieve container-level runtime threat detection?

Reviewed for accuracy · Report an issue
Question 13 of 20

A security team has enabled Amazon GuardDuty across an AWS Organization with a delegated administrator account. A dedicated vulnerability scanning EC2 instance runs authorized port scans against internal subnets every night as part of the compliance program. GuardDuty repeatedly generates 'Recon:EC2/Portscan' findings for this instance, flooding the security team's ticketing queue and desensitizing analysts to genuine threats. The team wants to stop these specific benign findings from consuming analyst attention while ensuring the same finding type is still generated and investigated when it originates from ANY other instance. What is the MOST operationally efficient approach?

Reviewed for accuracy · Report an issue
Question 14 of 20

A financial services company must continuously detect any IAM roles, S3 buckets, KMS keys, or other resources across their AWS Organization that grant access to external principals (accounts outside the organization). The security team wants a fully managed solution that generates findings when such external access is detected, aggregates them centrally, and requires minimal custom code. Auditors also require evidence that findings are reviewed and archived when access is intentional. Which approach BEST meets these requirements?

Reviewed for accuracy · Report an issue
Question 15 of 20

A company must enforce a policy that all IAM user access keys across 50 member accounts in AWS Organizations are automatically deactivated after 90 days and users notified. A DevOps engineer wants a centrally managed, event-driven solution that runs without deploying and maintaining code in every account. Which approach best meets these requirements with the least operational overhead?

Reviewed for accuracy · Report an issue
Question 16 of 20

A company uses AWS IAM Identity Center (successor to AWS SSO) with permission sets federated from an external identity provider. A compliance auditor requires that all human access to production accounts must automatically expire after a maximum of 1 hour and that every console and CLI action performed through federated access is captured in a tamper-evident, centrally aggregated audit trail. Currently, permission sets grant an 8-hour session and CloudTrail is enabled only in each member account. Which combination of changes BEST meets these requirements with the least ongoing operational effort?

Reviewed for accuracy · Report an issue
Question 17 of 20

A company allows individual application teams to create their own IAM roles for Lambda functions and EC2 instances so they can move quickly. The security team is concerned that developers could create roles with more privileges than they themselves hold, effectively escalating privileges. The security team wants to let developers continue self-servicing IAM role creation, but guarantee that no role they create can ever exceed a defined maximum set of permissions, and that developers cannot bypass the control by editing or deleting it. Which approach BEST meets these requirements?

Reviewed for accuracy · Report an issue
Question 18 of 20

A company stores database credentials in AWS Secrets Manager in a central security account (Account A). Application workloads running in a separate workload account (Account B) must retrieve these credentials at runtime. The security team requires that the secret be encrypted with a customer managed KMS key and that credentials automatically rotate every 30 days. After configuring cross-account IAM roles in Account B, the applications receive an AccessDeniedException when calling GetSecretValue. What combination of configurations is required to resolve the access issue while meeting the requirements?

Reviewed for accuracy · Report an issue
Question 19 of 20

A company uses AWS Secrets Manager to store database credentials for an Amazon RDS for PostgreSQL instance. A DevOps engineer configured automatic rotation with a custom Lambda rotation function using the four-step rotation model. After deploying, the rotation runs but applications intermittently fail to authenticate immediately after each rotation event, receiving 'password authentication failed' errors for a brief period. Investigation shows the Lambda function updates the password in RDS during the createSecret step. Which change to the rotation function will resolve the intermittent authentication failures?

Reviewed for accuracy · Report an issue
Question 20 of 20

A financial services company discovers during an audit that several Lambda functions and ECS tasks read database credentials from environment variables set at deployment time. The security team must remediate this so that credentials are never stored statically in task definitions or function configuration, are automatically rotated every 30 days, and any access to the credentials is captured in a centralized audit trail for compliance reporting. Which approach BEST meets all of these requirements?

Reviewed for accuracy · Report an issue

More DOP-C02 practice

Keep going with the other AWS Certified DevOps Engineer - Professional domains, or take a full timed mock exam.

← Back to DOP-C02 overview