AWS Certified DevOps Engineer – Professional (DOP-001)
Sample Exam Questions
1) A company controls the source code for its product in AWS CodeCommit. The company is creating a
CI/CD pipeline for the product using AWS CodePipeline. The pipeline must automatically start on
changes to the master branch of the CodeCommit repository. Changes are made to the application
every day, so the pipeline needs to be as responsive as possible.
Which actions should the DevOps Engineer take to meet these requirements?
A. Configure the pipeline to periodically check the repository. Start the pipeline when changes are detected.
B. Configure the repository to generate an Amazon CloudWatch Events event upon changes. Configure the
pipeline to start in response to the event.
C. Configure the repository to periodically run an AWS Lambda function. The function should check the
repository and start the pipeline when changes are detected.
D. Configure the repository to publish an SNS notification upon changes. Subscribe the pipeline to the
Amazon SNS topic.
2) A Development team wants to set up an AWS CodeCommit repository. Developers should be able
push changes to their own branches, but they should not be allowed to push commits or merge pull
requests into the master branch. Additionally, whenever a commit or merge occurs into the master
branch, the Project Manager needs to receive a notification.
Which combination of steps will protect the master branch and send the alert with the shortest delay?
(Select TWO.)
A. Attach an AWS IAM policy to the developer IAM group that denies the actions of pushing commits,
merging pull requests, and adding files to the master branch.
B. Attach a resource policy to the CodeCommit repository that denies members of the IAM developer group
the actions of pushing commits, merging pull requests, and adding files to the master branch.
C. Set up a an AWS Lambda function that runs every 15 minutes to check for repository changes and
publishes a notification to an Amazon SNS topic.
D. Set up an Amazon CloudWatch Events rule triggered by a CodeCommit Repository State Change
event for the master branch and add an Amazon SNS topic as a target.
E. Configure AWS CloudTrail to send log events to Amazon CloudWatch Logs. Define a metric filter to
identify repository events. Create a CloudWatch alarm with an Amazon SNS topic as a target.
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved | aws.amazon.com 1|Page
, AWS Certified DevOps Engineer – Professional (DOP-001)
Sample Exam Questions
3) A company is using AWS CodeBuild to build its application. Company policy requires that all build
artifacts be encrypted at rest. Access to the artifacts must be limited to IAM users with permission to
assume the operations role.
How can these requirements be met?
A. Add a post-build command to the CodeBuild build specification that pushes build objects to an Amazon
S3 bucket. Set a bucket policy that prevents upload to the bucket unless the request includes the header
x-amz-server-side-encryption. Add a Deny statement for all actions with the NotPrincipal
section referencing the operations IAM group.
B. Add a post-build command to the CodeBuild build specification that pushes build objects to an Amazon
S3 bucket. Configure an S3 event notification to trigger an AWS Lambda function to get the object,
encrypt it, then put it back into the S3 bucket with an encrypted tag key and a true tag value. Add an
S3 bucket policy with a Deny statement for all actions with the NotPrincipal section referencing the
operations IAM group, and a Condition section referencing the Encrypted tag.
C. Add a post-build command to the CodeBuild build specification that pushes build objects to an Amazon
S3 bucket that has S3 default encryption enabled. Set an S3 bucket policy containing a Deny statement
for all actions with the NotPrincipal section referencing the operations IAM role.
D. Add a post-build command to the CodeBuild build specification that calls the AWS KMS Encrypt API
call, passing the artifact to AWS KMS for encryption with a specified customer master key (CMK). Push
the encrypted artifact to an Amazon S3 bucket, then set up the IAM operations group as the only key user
for that CMK in AWS KMS.
4) A DevOps Engineer wants to implement a blue/green deployment process for an application on AWS
and be able to gradually shift the traffic between the environments. The application runs on Amazon
EC2 instances behind an ELB Application Load Balancer. The instances run in an EC2 Auto Scaling
group. Data is stored in an Amazon RDS Multi-AZ DB instance. External DNS is provided by Amazon
Route 53.
Which combination of steps will implement the blue/green process? (Select THREE.)
A. Create a second Auto Scaling group behind the same Application Load Balancer.
B. Create a second Application Load Balancer and Auto Scaling group.
C. Create a second alias record in Route 53 pointing to the new environment and use a failover routing
policy between the two records.
D. Create a second alias record in Route 53 pointing to the new environment and use a weighted routing
policy between the two records.
E. Configure the new EC2 instances to use the same RDS database instance.
F. Configure the new EC2 instances to use the failover node of the RDS database instance.
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved | aws.amazon.com 2|Page
Sample Exam Questions
1) A company controls the source code for its product in AWS CodeCommit. The company is creating a
CI/CD pipeline for the product using AWS CodePipeline. The pipeline must automatically start on
changes to the master branch of the CodeCommit repository. Changes are made to the application
every day, so the pipeline needs to be as responsive as possible.
Which actions should the DevOps Engineer take to meet these requirements?
A. Configure the pipeline to periodically check the repository. Start the pipeline when changes are detected.
B. Configure the repository to generate an Amazon CloudWatch Events event upon changes. Configure the
pipeline to start in response to the event.
C. Configure the repository to periodically run an AWS Lambda function. The function should check the
repository and start the pipeline when changes are detected.
D. Configure the repository to publish an SNS notification upon changes. Subscribe the pipeline to the
Amazon SNS topic.
2) A Development team wants to set up an AWS CodeCommit repository. Developers should be able
push changes to their own branches, but they should not be allowed to push commits or merge pull
requests into the master branch. Additionally, whenever a commit or merge occurs into the master
branch, the Project Manager needs to receive a notification.
Which combination of steps will protect the master branch and send the alert with the shortest delay?
(Select TWO.)
A. Attach an AWS IAM policy to the developer IAM group that denies the actions of pushing commits,
merging pull requests, and adding files to the master branch.
B. Attach a resource policy to the CodeCommit repository that denies members of the IAM developer group
the actions of pushing commits, merging pull requests, and adding files to the master branch.
C. Set up a an AWS Lambda function that runs every 15 minutes to check for repository changes and
publishes a notification to an Amazon SNS topic.
D. Set up an Amazon CloudWatch Events rule triggered by a CodeCommit Repository State Change
event for the master branch and add an Amazon SNS topic as a target.
E. Configure AWS CloudTrail to send log events to Amazon CloudWatch Logs. Define a metric filter to
identify repository events. Create a CloudWatch alarm with an Amazon SNS topic as a target.
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved | aws.amazon.com 1|Page
, AWS Certified DevOps Engineer – Professional (DOP-001)
Sample Exam Questions
3) A company is using AWS CodeBuild to build its application. Company policy requires that all build
artifacts be encrypted at rest. Access to the artifacts must be limited to IAM users with permission to
assume the operations role.
How can these requirements be met?
A. Add a post-build command to the CodeBuild build specification that pushes build objects to an Amazon
S3 bucket. Set a bucket policy that prevents upload to the bucket unless the request includes the header
x-amz-server-side-encryption. Add a Deny statement for all actions with the NotPrincipal
section referencing the operations IAM group.
B. Add a post-build command to the CodeBuild build specification that pushes build objects to an Amazon
S3 bucket. Configure an S3 event notification to trigger an AWS Lambda function to get the object,
encrypt it, then put it back into the S3 bucket with an encrypted tag key and a true tag value. Add an
S3 bucket policy with a Deny statement for all actions with the NotPrincipal section referencing the
operations IAM group, and a Condition section referencing the Encrypted tag.
C. Add a post-build command to the CodeBuild build specification that pushes build objects to an Amazon
S3 bucket that has S3 default encryption enabled. Set an S3 bucket policy containing a Deny statement
for all actions with the NotPrincipal section referencing the operations IAM role.
D. Add a post-build command to the CodeBuild build specification that calls the AWS KMS Encrypt API
call, passing the artifact to AWS KMS for encryption with a specified customer master key (CMK). Push
the encrypted artifact to an Amazon S3 bucket, then set up the IAM operations group as the only key user
for that CMK in AWS KMS.
4) A DevOps Engineer wants to implement a blue/green deployment process for an application on AWS
and be able to gradually shift the traffic between the environments. The application runs on Amazon
EC2 instances behind an ELB Application Load Balancer. The instances run in an EC2 Auto Scaling
group. Data is stored in an Amazon RDS Multi-AZ DB instance. External DNS is provided by Amazon
Route 53.
Which combination of steps will implement the blue/green process? (Select THREE.)
A. Create a second Auto Scaling group behind the same Application Load Balancer.
B. Create a second Application Load Balancer and Auto Scaling group.
C. Create a second alias record in Route 53 pointing to the new environment and use a failover routing
policy between the two records.
D. Create a second alias record in Route 53 pointing to the new environment and use a weighted routing
policy between the two records.
E. Configure the new EC2 instances to use the same RDS database instance.
F. Configure the new EC2 instances to use the failover node of the RDS database instance.
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved | aws.amazon.com 2|Page
