Pass the Amazon Web Services AWS Certified Professional DOP-C02 Questions and answers with CertsForce

AWS CDK recommends using Level 3 (L3) custom constructs to encapsulate reusable multi-resource infrastructure patterns (networking, compute, DB). Then, define a single set of environment-aware stacks that accept environment parameters for deployment. This ensures consistency with minimal code duplication, per AWS CDK best practices and design patterns whitepaper.

https://docs.aws.amazon.com/codedeploy/latest/userguide/troubleshooting-deployments.html#troubleshooting-skipped-lifecycle-events

CodePipeline V2 with QUEUED mode ensures that new executions wait for the previous execution to finish, preventing overlapping runs.

Adding a trigger filter to listen for Git tags triggers the pipeline only on new tag pushes.

An EventBridge rule can detect new image pushes to ECR and start the deployment pipeline, integrating the build and deploy pipelines effectively.

SUPERSEDED mode cancels the previous run when a new one starts, which is not desired here.

Using branches instead of tags would trigger on all commits, not just releases.

Accessing a secret from AWS Secrets Manager that is encrypted with a customer managed KMS key requires two distinct permission layers to succeed:

Secrets Manager permissions (via IAM) such as secretsmanager:GetSecretValue for the IAM role assumed by the Kubernetes service account.

KMS key usage permissions in the KMS key policy , allowing the same IAM principal to perform kms:Decrypt (and possibly kms:GenerateDataKey ) on the customer managed key.

In this scenario, the service account assumes an IAM role explicitly created to access the secrets. The symptom is an HTTP 403 “Access Denied” when retrieving the secret. If the IAM role has Secrets Manager permissions but the call still fails, the typical root cause is that the KMS key policy does not trust or allow that IAM role , so the decrypt operation fails.

Option B correctly identifies that the KMS key policy must include the Kubernetes service account IAM role as a principal with the appropriate KMS actions.

Option A and C refer to the EKS cluster IAM role, which is not the principal making the call. Option D is unrelated: the role’s ability to “access the EKS cluster” does not affect its ability to call Secrets Manager or KMS. The missing KMS key policy permission is the underlying cause.

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-logging-monitoring.html

Apply SCPs for Region and service restriction. Use CloudFormation StackSets to consistently deploy IAM roles with trust policies for SSO/AD integration. This model enforces governance uniformly across all accounts per AWS multi-account best practices.

To meet the requirements of migrating its on-premises Windows and Linux applications to AWS and creating a pilot light DR environment in another AWS Region, the company should use Amazon FSx for NetApp ONTAP for the application storage. Amazon FSx for NetApp ONTAP is a fully managed service that provides highly reliable, scalable, high-performing, and feature-rich file storage built on NetApp’s popular ONTAP file system. FSx for ONTAP supports multiple protocols, including SMB for Windows and NFS for Linux, so the company can access the shared storage from both types of applications. FSx for ONTAP also supports NetApp SnapMirror replication, which enables the company to replicate the storage to the DR Region. NetApp SnapMirror replication is efficient, secure, and incremental, and it preserves the data deduplication and compression benefits of FSx for ONTAP. The company can use automation to launch and configure the EC2 instances in the DR Region and then use NetApp SnapMirror to restore the data from the primary Region.

The other options are not correct because they do not meet the requirements or follow best practices. Using Amazon S3 for the application storage is not a good option because S3 is an object storage service that does not support SMB or NFS protocols natively. The company would need to use additional services or software to mount S3 buckets as file systems, which would add complexity and cost. Using Amazon EBS for the application storage is also not a good option because EBS is a block storage service that does not support SMB or NFS protocols natively. The company would need to set up and manage file servers on EC2 instances to provide shared access to the EBS volumes, which would add overhead and maintenance. Using a Volume Gateway in AWS Storage Gateway for the application storage is not a valid option because Volume Gateway does not support SMB protocol. Volume Gateway only supports iSCSI protocol, which means that only Linux applications can access the shared storage.

1: What is Amazon FSx for NetApp ONTAP? - FSx for ONTAP

2: Amazon FSx for NetApp ONTAP

3: Amazon FSx for NetApp ONTAP | NetApp

4: AWS Announces General Availability of Amazon FSx for NetApp ONTAP

Replicating Data with NetApp SnapMirror - FSx for ONTAP

What Is Amazon S3? - Amazon Simple Storage Service

What Is Amazon Elastic Block Store (Amazon EBS)? - Amazon Elastic Compute Cloud

What Is AWS Storage Gateway? - AWS Storage Gateway

https://aws.amazon.com/blogs/mt/automate-remediation-actions-for-amazon-ec2-notifications-and-beyond-using-ec2-systems-manager-automation-and-aws-health/

This hook runs before the new application version is installed on the replacement instances. This is the best place to run the script because it ensures that the license file is downloaded and installed before the replacement instances start to handle request traffic. If you use any other hook, you may encounter errors or inconsistencies in your application.

The problem has two distinct requirements: securely managing rotating external API credentials and encrypting CodeBuild artifacts with a specific KMS key.

For credentials that must be reset each month and are sensitive, AWS Secrets Manager is the appropriate service, not Parameter Store. Secrets Manager provides built-in support for secret rotation, versioning, access control, and auditability. The external API credentials can be updated monthly either manually or via an automated rotation Lambda. CodeBuild can read the secret at build time by assuming an IAM role that allows secretsmanager:GetSecretValue .

To encrypt CodeBuild outputs, the correct pattern is to set the CODEBUILD_KMS_KEY_ID environment variable (or CodeBuild project setting) to the desired KMS key. The CodeBuild IAM service role must be granted kms:Encrypt , kms:Decrypt , and related actions on that KMS key via the key policy or IAM policy. This ensures build artifacts and logs are encrypted using the specified customer managed key.

Option C captures both requirements precisely: store credentials in Secrets Manager and update the KMS key policy for the CodeBuild role , not the CodePipeline role. Options A and B misuse Parameter Store and/or the wrong IAM principal. Option D updates the wrong role and does not connect the KMS key to CodeBuild’s artifact encryption.