Introduction
Practicing with realistic questions is one of the most effective ways to prepare for the AWS Certified DevOps Engineer – Professional (DOP-C02) exam. Unlike associate-level exams, DOP-C02 questions are scenario-heavy and require you to evaluate multiple valid approaches before selecting the best one.
Below are 20 practice questions organized by exam domain. Each question includes a detailed explanation so you understand not just the correct answer, but why the other options fall short.
Domain 1: SDLC Automation (22%)
Question 1
A development team uses AWS CodePipeline with CodeBuild and CodeDeploy. They need to ensure that every code change passes integration tests before reaching the staging environment. The pipeline must automatically roll back if integration tests fail.
What is the most efficient approach?
A. Add a CodeBuild action after the deploy stage that runs integration tests, and use CloudWatch alarms to trigger rollback.
B. Add a CodeBuild test action between the build and deploy stages. Configure the pipeline to stop on failure.
C. Use a Lambda function to run integration tests after deployment and invoke CodeDeploy rollback on failure.
D. Configure CodeDeploy lifecycle hooks to run integration tests during the AfterInstall event.
Answer: B
Adding a CodeBuild test action between build and deploy stages is the most efficient approach. If the tests fail, the pipeline stops automatically and the code never reaches staging. Options A and C test after deployment, which means the bad code is already deployed before tests run. Option D uses lifecycle hooks, which are meant for deployment validation, not full integration test suites.
Question 2
A company wants to implement canary deployments for their Lambda functions. When a new version is deployed, 10% of traffic should shift to the new version. If the error rate exceeds 1% during the canary period, the deployment must automatically roll back.
Which approach meets these requirements?
A. Use CodeDeploy with a Lambda deployment preference type of Canary10Percent5Minutes and configure a CloudWatch alarm on the Lambda error metric as a rollback trigger.
B. Create a weighted alias in Lambda manually and adjust weights using a Step Functions workflow.
C. Use API Gateway canary release with a 10% traffic split and manual rollback.
D. Configure an Application Load Balancer with weighted target groups pointing to different Lambda versions.
Answer: A
CodeDeploy natively supports Lambda canary deployments with built-in traffic shifting and automatic rollback based on CloudWatch alarms. The Canary10Percent5Minutes preference shifts 10% of traffic initially, then completes the deployment after 5 minutes if no alarms trigger. This is the AWS-recommended approach for safe Lambda deployments.
Question 3
A team manages multiple microservices, each in its own CodeCommit repository. They want a single CodePipeline that triggers when any of these repositories receives a push to the main branch.
What is the best solution?
A. Create an EventBridge rule for each repository that triggers the same CodePipeline.
B. Use a single CodePipeline with multiple source stages, one per repository.
C. Create a Lambda function that polls each repository and triggers the pipeline.
D. Use SNS topics from each repository to fan out notifications that trigger the pipeline.
Answer: A
EventBridge rules can detect CodeCommit repository state changes and trigger a CodePipeline execution. Creating one rule per repository that targets the same pipeline is clean, event-driven, and scalable. Option B doesn’t work because CodePipeline can only have one source stage. Option C involves polling, which is inefficient. Option D adds unnecessary complexity.
Question 4
A DevOps engineer needs to ensure that Docker images pushed to Amazon ECR are scanned for vulnerabilities before being deployed. Images with critical vulnerabilities must not be deployed.
Which solution automates this requirement?
A. Enable ECR image scanning on push. Use an EventBridge rule to detect scan completion, trigger a Lambda function that checks findings, and update an SSM parameter with the approval status. Configure CodePipeline to check the parameter before deploying.
B. Use a third-party scanning tool in the CodeBuild stage and fail the build if vulnerabilities are found.
C. Enable ECR image scanning and manually review results before approving deployments.
D. Use AWS Inspector to scan running containers and stop deployments with critical findings.
Answer: A
This solution automates the entire workflow: ECR scans on push, EventBridge detects completion, Lambda evaluates findings, and the pipeline gate prevents deployment of vulnerable images. Option B works but relies on third-party tools instead of native AWS services. Option C requires manual intervention. Option D scans running containers, not images before deployment.
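The Lambda step in the explanation above, as an added example (Python; not code from the page or from AWS): it parses the ECR scan-completion event, rejects an image that has any finding at a blocking severity or whose scan did not complete, and writes the verdict to an SSM parameter that the pipeline gate can read. The event field names follow the EventBridge event that ECR basic scanning emits; the parameter path and the severity list are assumptions.

```python
"""ECR scan gate (added example, not the page's or AWS's code). Consumes the
EventBridge 'ECR Image Scan' event that ECR basic scanning emits and records a
verdict in an SSM parameter for a later pipeline gate. Parameter naming is assumed."""
import json
import os

# Severities that block deployment; the scenario requires CRITICAL (assumed knob).
BLOCKING_SEVERITIES = frozenset(os.environ.get("BLOCKING_SEVERITIES", "CRITICAL").split(","))
PARAM_PREFIX = os.environ.get("APPROVAL_PARAM_PREFIX", "/deploy/approval")  # assumed


def evaluate_scan(detail):
    """Return (verdict, info) for one scan event. Anything but a COMPLETE scan is
    rejected so that a failed or missing scan can never approve an image."""
    status = detail.get("scan-status")
    if status != "COMPLETE":
        return "rejected", {"reason": "scan status %s" % status}
    counts = detail.get("finding-severity-counts") or {}
    blocking = {s: n for s, n in counts.items() if s in BLOCKING_SEVERITIES and n > 0}
    if blocking:
        return "rejected", {"reason": "blocking findings", "counts": blocking}
    return "approved", {"reason": "no blocking findings", "counts": counts}


def parameter_name(detail):
    """One parameter per image: <prefix>/<repo>/<first tag, else digest>.
    SSM names cannot contain ':', so the digest's 'sha256:' prefix is rewritten."""
    tags = detail.get("image-tags") or []
    ref = tags[0] if tags else detail["image-digest"].replace(":", "_")
    return "%s/%s/%s" % (PARAM_PREFIX, detail["repository-name"], ref)


class InMemorySSM:
    """Stand-in for boto3's SSM client so the example runs offline."""
    def __init__(self):
        self.params = {}
    def put_parameter(self, **kwargs):
        self.params[kwargs["Name"]] = kwargs["Value"]


def handler(event, context=None, ssm=None):
    """Lambda entry point; pass ssm= to inject a client, otherwise boto3 is used."""
    if ssm is None:
        import boto3  # lazy import keeps the module loadable without boto3
        ssm = boto3.client("ssm")
    detail = event["detail"]
    verdict, info = evaluate_scan(detail)
    name = parameter_name(detail)
    record = dict(info, status=verdict, digest=detail.get("image-digest"))
    ssm.put_parameter(Name=name, Value=json.dumps(record), Type="String", Overwrite=True)
    return {"parameter": name, "status": verdict}


def _sample_event(repo, tag, counts, status="COMPLETE"):
    """Constructed event in the shape ECR basic scanning sends to EventBridge."""
    return {"detail-type": "ECR Image Scan", "source": "aws.ecr",
            "detail": {"scan-status": status, "repository-name": repo,
                       "image-digest": "sha256:" + "0" * 64, "image-tags": [tag],
                       "finding-severity-counts": counts}}


SAMPLE_CLEAN = _sample_event("payments-api", "1.4.2", {"LOW": 3, "MEDIUM": 1})
SAMPLE_CRITICAL = _sample_event("payments-api", "1.4.3", {"CRITICAL": 2, "HIGH": 4})
SAMPLE_FAILED = _sample_event("payments-api", "1.4.4", {}, status="FAILED")

if __name__ == "__main__":
    store = InMemorySSM()
    for ev in (SAMPLE_CLEAN, SAMPLE_CRITICAL, SAMPLE_FAILED):
        print(handler(ev, ssm=store))
```

The pipeline side then reads the parameter for the image it is about to deploy and proceeds only when the recorded status is "approved"; a missing parameter should be treated the same as "rejected".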
Domain 2: Configuration Management and Infrastructure as Code (17%)
Question 5
A company uses CloudFormation to manage infrastructure across development, staging, and production accounts. They need to ensure that production stacks cannot accidentally delete RDS databases or DynamoDB tables.
What is the best approach?
A. Add DeletionPolicy: Retain to all critical resources and create a stack policy that denies updates to those resources.
B. Use IAM policies to prevent CloudFormation from deleting database resources.
C. Enable termination protection on the CloudFormation stack.
D. Create a separate stack for database resources with no update permissions.
Answer: A
Combining DeletionPolicy: Retain with stack policies provides comprehensive protection. DeletionPolicy: Retain ensures resources are preserved even if the stack is deleted. Stack policies prevent accidental updates or replacements of critical resources during stack updates. Option C prevents stack deletion but doesn’t protect individual resources during updates. Options B and D are overly restrictive and harder to manage.
Question 6
A DevOps team needs to deploy the same CloudFormation template across 15 AWS accounts in 3 regions. The deployment must be automated and track success or failure for each account-region combination.
Which solution is most appropriate?
A. Use CloudFormation StackSets with service-managed permissions and automatic deployment enabled for the target organizational units.
B. Write a script that assumes roles in each account and deploys stacks sequentially.
C. Use CodePipeline with 15 deployment stages, one per account.
D. Store templates in S3 and use Lambda to deploy across accounts using cross-account roles.
Answer: A
CloudFormation StackSets are purpose-built for multi-account, multi-region deployments. Service-managed permissions with AWS Organizations integration simplify cross-account access. Automatic deployment ensures new accounts in the OU automatically receive the stack. StackSets track deployment status per account-region combination natively.
Question 7
An engineer is updating a CloudFormation stack that includes an Auto Scaling group. They want to preview exactly which resources will be modified, replaced, or deleted before executing the update.
What should they use?
A. CloudFormation change sets
B. CloudFormation drift detection
C. CloudFormation stack policy
D. CloudFormation validate-template
Answer: A
Change sets let you preview how proposed changes will affect running resources before executing. You can see which resources will be added, modified, or replaced. Drift detection checks for out-of-band changes, not planned updates. Stack policies prevent changes but don’t preview them. validate-template checks syntax, not impact.
Domain 3: Monitoring, Logging, and Remediation (26%)
Question 8
An application running on ECS Fargate experiences intermittent latency spikes. The DevOps team needs to identify which downstream service calls are causing the slowdowns.
Which AWS service provides this capability?
A. AWS X-Ray with active tracing enabled on the ECS task definition
B. CloudWatch Container Insights with enhanced monitoring
C. VPC Flow Logs with CloudWatch Logs Insights analysis
D. CloudWatch ServiceLens with embedded metrics
Answer: A
X-Ray provides distributed tracing that visualizes the entire request path across services, including latency breakdown per downstream call. With active tracing on ECS tasks, X-Ray captures trace data for each request, creating service maps that pinpoint exactly which service introduces latency. Container Insights shows container-level metrics but not per-request trace data.
Question 9
A company needs to detect when an IAM user creates an access key and automatically disable it if the user already has two active access keys. The solution must work across all regions.
Which approach meets this requirement?
A. Create a CloudTrail trail that logs to a centralized S3 bucket. Use an EventBridge rule in the management account to detect CreateAccessKey API calls, trigger a Lambda function that checks the user’s active keys and disables the newest one if the count exceeds two.
B. Use AWS Config with a custom rule that evaluates IAM users and remediates using Systems Manager.
C. Enable CloudWatch metrics for IAM and create an alarm when access key count exceeds two.
D. Use GuardDuty to detect anomalous IAM activity and trigger remediation.
Answer: A
EventBridge can capture CloudTrail API events in near real-time. By detecting CreateAccessKey events, a Lambda function can immediately check the user’s key count and disable the excess key. This is event-driven and acts within seconds. AWS Config evaluates periodically, not in real-time. CloudWatch doesn’t have native IAM key count metrics. GuardDuty detects threats, not policy violations.
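The detection and remediation chain from the explanation above, as an added example (Python; not code from the page or from AWS): the EventBridge pattern that matches the CloudTrail CreateAccessKey call, and the Lambda logic that lists the user's keys and deactivates the newest active ones over the limit. The in-memory IAM stub, the sample event and the key IDs are constructed so the example runs offline; a real deployment needs iam:ListAccessKeys and iam:UpdateAccessKey permissions.

```python
"""IAM access-key guard (added example, not the page's or AWS's code). Handles the
CloudTrail CreateAccessKey event delivered by EventBridge and deactivates the
newest key(s) when a user has more than MAX_ACTIVE_KEYS active keys."""
from datetime import datetime, timezone

MAX_ACTIVE_KEYS = 2  # threshold from the scenario

# EventBridge rule pattern for the rule that targets this function.
EVENT_PATTERN = {"source": ["aws.iam"], "detail-type": ["AWS API Call via CloudTrail"],
                 "detail": {"eventSource": ["iam.amazonaws.com"],
                            "eventName": ["CreateAccessKey"]}}

def user_from_event(detail):
    """requestParameters.userName is absent when a user creates a key for
    themselves, so fall back to the caller's identity."""
    params = detail.get("requestParameters") or {}
    return params.get("userName") or detail["userIdentity"]["userName"]

def keys_to_deactivate(metadata, max_active=MAX_ACTIVE_KEYS):
    """From list_access_keys metadata, return the IDs of the newest active keys
    that exceed the limit (newest first); an empty list means nothing to do."""
    active = sorted((k for k in metadata if k["Status"] == "Active"),
                    key=lambda k: k["CreateDate"], reverse=True)
    excess = len(active) - max_active
    return [k["AccessKeyId"] for k in active[:excess]] if excess > 0 else []

class InMemoryIAM:
    """Minimal stand-in for boto3's IAM client so the example runs offline."""
    def __init__(self, keys_by_user):
        self.keys = keys_by_user
    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self.keys[UserName]]}
    def update_access_key(self, UserName, AccessKeyId, Status):
        for k in self.keys[UserName]:
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status

def handler(event, context=None, iam=None):
    """Lambda entry point; pass iam= to inject a client, otherwise boto3 is used."""
    if iam is None:
        import boto3  # lazy import keeps the module loadable without boto3
        iam = boto3.client("iam")
    detail = event["detail"]
    if detail.get("eventName") != "CreateAccessKey" or detail.get("errorCode"):
        return {"action": "ignored"}  # not our event, or the API call itself failed
    user = user_from_event(detail)
    metadata = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    disabled = keys_to_deactivate(metadata)
    for key_id in disabled:
        iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Inactive")
    return {"user": user, "disabled": disabled}

def _key(key_id, day, status="Active"):
    return {"AccessKeyId": key_id, "Status": status,
            "CreateDate": datetime(2024, 3, day, tzinfo=timezone.utc)}

# Constructed fixture: alice has just created a third active key (self-service,
# so requestParameters carries no userName).
SAMPLE_IAM = InMemoryIAM({"alice": [_key("AKIAEXAMPLEKEY000001", 1),
                                    _key("AKIAEXAMPLEKEY000002", 5),
                                    _key("AKIAEXAMPLEKEY000003", 9)]})
SAMPLE_EVENT = {"detail-type": "AWS API Call via CloudTrail", "source": "aws.iam",
                "detail": {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
                           "userIdentity": {"type": "IAMUser", "userName": "alice"},
                           "requestParameters": {}, "responseElements": {"accessKey": {
                               "accessKeyId": "AKIAEXAMPLEKEY000003", "status": "Active"}}}}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, iam=SAMPLE_IAM))
```

Because IAM is a global service, its CloudTrail events are delivered in us-east-1, so the EventBridge rule and this function belong there even when the rest of the estate runs elsewhere.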
Question 10
A DevOps engineer needs to set up centralized logging for applications running across multiple AWS accounts. Logs must be searchable, retained for 1 year, and cost-optimized.
Which architecture is most appropriate?
A. Configure CloudWatch Logs in each account with subscription filters that stream logs to a centralized account’s Kinesis Data Firehose, which delivers to S3 with lifecycle policies. Use CloudWatch Logs Insights for searching recent logs and Athena for historical queries.
B. Install the CloudWatch agent in each account and configure it to send logs directly to the central account.
C. Use CloudWatch cross-account observability to query logs across accounts.
D. Export logs from each account to S3 daily using CloudWatch export tasks.
Answer: A
This architecture balances searchability, retention, and cost. Subscription filters stream logs in near real-time to a central account. Kinesis Data Firehose delivers to S3 for long-term, cost-effective storage. CloudWatch Logs Insights handles recent log queries, while Athena queries historical S3 data. Option C works but may have higher costs at scale. Option D has a 12-hour delay, making it unsuitable for operational use.
Question 11
An Auto Scaling group must scale based on a custom application metric that measures queue depth per running instance. The metric doesn’t exist natively in CloudWatch.
How should the engineer implement this?
A. Publish the custom metric from the application using the CloudWatch PutMetricData API. Create a target tracking scaling policy using the custom metric.
B. Use CloudWatch Metric Math to divide SQS ApproximateNumberOfMessages by the ASG GroupInFlightInstances metric, then create a target tracking policy.
C. Create a Lambda function that calculates the metric and updates the ASG desired capacity directly.
D. Use Step Scaling policies with CloudWatch alarms based on SQS queue metrics.
Answer: A
Publishing custom metrics via the PutMetricData API is the standard approach for metrics that don’t exist natively. Target tracking scaling policies work with custom metrics and automatically adjust capacity to maintain the target value. Option B uses Metric Math, which can work but is more complex. Option C bypasses Auto Scaling intelligence. Option D with step scaling is less responsive than target tracking.
Domain 4: Policies and Standards Automation (20%)
Question 12
A security team requires that all S3 buckets across the organization have server-side encryption enabled. Non-compliant buckets must be automatically remediated within 1 hour.
Which solution provides automated detection and remediation?
A. Deploy an AWS Config managed rule s3-bucket-server-side-encryption-enabled with an automatic remediation action that uses a Systems Manager Automation document to enable default encryption.
B. Create a Lambda function that runs hourly to scan all buckets and enable encryption.
C. Use S3 bucket policies to deny unencrypted uploads.
D. Create an SCP that prevents creating unencrypted buckets.
Answer: A
AWS Config continuously evaluates resources against rules. The managed rule detects non-compliant buckets, and automatic remediation triggers an SSM Automation document to enable encryption. This is event-driven and handles both existing and new buckets. Option B requires polling. Options C and D are preventive controls that don’t remediate existing non-compliant buckets.
Question 13
A company wants to enforce that all EC2 instances launched in production accounts must use approved AMIs from a centralized AMI catalog. Instances launched with unapproved AMIs should be automatically terminated.
What is the best approach?
A. Create an AWS Config custom rule that checks the AMI ID against an approved list stored in SSM Parameter Store. Configure automatic remediation with an SSM Automation document that terminates non-compliant instances.
B. Use an SCP to restrict ec2:RunInstances to specific AMI IDs.
C. Create a Lambda function triggered by CloudTrail RunInstances events that terminates instances with unapproved AMIs.
D. Use IAM policies with condition keys to restrict instance launches to approved AMIs.
Answer: A
AWS Config with custom rules provides continuous compliance evaluation and automated remediation. Storing the approved AMI list in SSM Parameter Store makes it easy to update without modifying the rule. The SSM Automation document handles termination. Option B with SCPs works for prevention but is harder to maintain as AMI lists change. Option C works but is less managed than Config. Option D requires policy updates for every AMI change.
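The custom-rule evaluation described above, as an added example (Python; not code from the page or from AWS): the Lambda that backs the Config rule reads the approved list from Parameter Store and reports COMPLIANT or NON_COMPLIANT for each instance through put_evaluations, leaving termination to the remediation action. The parameter name and the sample AMI and instance IDs are assumptions; deleted or out-of-scope resources are reported NOT_APPLICABLE so they are never remediated.

```python
"""Approved-AMI Config rule (added example, not the page's or AWS's code). Evaluates
an AWS::EC2::Instance configuration item against a StringList parameter of approved
AMI IDs and reports the result with put_evaluations. Parameter name is assumed."""
import json
import os

APPROVED_AMIS_PARAM = os.environ.get("APPROVED_AMIS_PARAM", "/ami/approved")  # assumed

def approved_amis(ssm, name=APPROVED_AMIS_PARAM):
    """Read the StringList parameter and return the set of approved AMI IDs."""
    value = ssm.get_parameter(Name=name)["Parameter"]["Value"]
    return {v.strip() for v in value.split(",") if v.strip()}

def evaluate(item, approved, left_scope=False):
    """Return (ComplianceType, Annotation) for one configuration item. Deleted or
    out-of-scope resources are NOT_APPLICABLE so stale findings do not linger."""
    if left_scope or item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "resource deleted or out of scope"
    if item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE", "not an EC2 instance"
    ami = (item.get("configuration") or {}).get("imageId")
    if ami in approved:
        return "COMPLIANT", "AMI %s is approved" % ami
    return "NON_COMPLIANT", "AMI %s is not listed in %s" % (ami, APPROVED_AMIS_PARAM)

class InMemoryAWS:
    """Stand-in for the boto3 SSM and Config clients so the example runs offline."""
    def __init__(self, approved):
        self.approved, self.evaluations = list(approved), []
    def get_parameter(self, Name):
        return {"Parameter": {"Name": Name, "Type": "StringList",
                              "Value": ",".join(self.approved)}}
    def put_evaluations(self, Evaluations, ResultToken):
        self.evaluations.extend(Evaluations)

def handler(event, context=None, ssm=None, config=None):
    """Lambda entry point for a Config custom rule; clients can be injected."""
    if ssm is None or config is None:
        import boto3  # lazy import keeps the module loadable without boto3
        ssm, config = ssm or boto3.client("ssm"), config or boto3.client("config")
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate(item, approved_amis(ssm), event.get("eventLeftScope", False))
    evaluation = {"ComplianceResourceType": item["resourceType"],
                  "ComplianceResourceId": item["resourceId"],
                  "ComplianceType": compliance, "Annotation": note,
                  "OrderingTimestamp": item["configurationItemCaptureTime"]}
    # Config requires the result token from the invocation being answered.
    config.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

def _config_event(instance_id, ami):
    """Constructed invocation shaped like a ConfigurationItemChangeNotification."""
    item = {"resourceType": "AWS::EC2::Instance", "resourceId": instance_id,
            "configurationItemStatus": "OK", "configuration": {"imageId": ami},
            "configurationItemCaptureTime": "2024-03-09T10:15:00.000Z"}
    return {"invokingEvent": json.dumps({"configurationItem": item,
                                         "messageType": "ConfigurationItemChangeNotification"}),
            "ruleParameters": "{}", "resultToken": "constructed-token", "eventLeftScope": False}

SAMPLE_AWS = InMemoryAWS(["ami-0aaaaaaaaaaaaaaa1", "ami-0bbbbbbbbbbbbbbb2"])
GOOD_EVENT = _config_event("i-0123456789abcdef0", "ami-0aaaaaaaaaaaaaaa1")
BAD_EVENT = _config_event("i-0fedcba9876543210", "ami-0ccccccccccccccc3")

if __name__ == "__main__":
    for ev in (GOOD_EVENT, BAD_EVENT):
        print(handler(ev, ssm=SAMPLE_AWS, config=SAMPLE_AWS))
```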
Question 14
A DevOps team needs to rotate database credentials stored in AWS Secrets Manager automatically every 30 days. Applications must not experience downtime during rotation.
Which approach ensures zero-downtime rotation?
A. Configure Secrets Manager automatic rotation with a multi-user rotation strategy. Use two database users alternately, so one is always active while the other’s credentials are being rotated.
B. Configure single-user rotation and update application configuration immediately after rotation.
C. Use Parameter Store with a Lambda function that rotates passwords monthly.
D. Store credentials in environment variables and update them during maintenance windows.
Answer: A
The multi-user (alternating users) rotation strategy ensures zero downtime. Secrets Manager creates two database users and alternates between them during rotation. While one user’s credentials are being changed, the application uses the other. Single-user rotation (Option B) has a brief window where the old credentials are invalid and new ones haven’t propagated.
Domain 5: Incident and Event Response (15%)
Question 15
A production web application experiences a sudden spike in 5xx errors. The DevOps team needs an automated system that detects this condition, captures diagnostic data, and notifies the on-call engineer within 5 minutes.
Which solution meets these requirements?
A. Create a CloudWatch alarm on the ALB HTTPCode_Target_5XX_Count metric with a 1-minute evaluation period. Configure the alarm action to trigger an SNS topic that invokes a Lambda function to capture thread dumps and heap snapshots, then notifies the on-call engineer via SNS.
B. Use CloudWatch Logs metric filters to count 5xx errors and create a dashboard for monitoring.
C. Configure X-Ray to detect error spikes and send notifications.
D. Use EventBridge Scheduler to run a Lambda function every 5 minutes that checks error rates.
Answer: A
CloudWatch alarms with 1-minute periods detect the condition quickly. The Lambda function captures diagnostic data that’s critical for troubleshooting, and SNS ensures the on-call engineer is notified. This entire chain executes within minutes. Option B creates a dashboard but doesn’t notify anyone. Option C doesn’t have built-in alerting for error rate spikes. Option D polls every 5 minutes, introducing unnecessary delay.
Question 16
During an incident, a DevOps engineer discovers that an Auto Scaling group is launching instances that immediately fail health checks and get terminated, causing a loop.
What is the fastest way to stabilize the environment?
A. Suspend the ReplaceUnhealthy and Launch Auto Scaling processes, investigate the root cause, fix the launch configuration or template, then resume the processes.
B. Delete the Auto Scaling group and recreate it with a working configuration.
C. Set the desired capacity to 0 and investigate.
D. Detach all instances and manually launch new ones.
Answer: A
Suspending specific Auto Scaling processes stops the launch-terminate loop while preserving existing healthy instances. This gives you time to investigate the root cause (bad AMI, failed user data script, misconfigured health checks) without losing capacity or destroying the ASG configuration. Option B is destructive. Option C removes all capacity. Option D is manual and doesn’t prevent new launches.
Question 17
A company needs to implement automated rollback for ECS deployments. If the new task definition causes the service’s average response time to exceed 500ms, the deployment should roll back to the previous version.
Which approach provides this capability?
A. Enable ECS circuit breaker with deployment rollback. Create a CloudWatch alarm on the ALB TargetResponseTime metric. Configure CodeDeploy with the alarm as a rollback trigger for the ECS deployment.
B. Use a Lambda function that monitors response time and calls ECS UpdateService with the previous task definition.
C. Configure ECS service auto-scaling to scale down tasks with high response times.
D. Use X-Ray to detect latency and trigger a Step Functions workflow to roll back.
Answer: A
ECS circuit breaker combined with CloudWatch alarm-based rollback provides automated, metrics-driven deployment safety. CodeDeploy monitors the alarm during deployment and automatically rolls back if the alarm triggers. This is the AWS-native approach for ECS deployment safety. Option B requires custom code. Option C scales containers but doesn’t roll back the deployment. Option D adds unnecessary complexity.
Mixed Domain Questions
Question 18
A company is migrating from Jenkins to AWS-native CI/CD tools. They need to replicate a Jenkins pipeline that builds a Java application, runs unit tests, creates a Docker image, pushes to a registry, and deploys to ECS with blue-green deployment.
Which AWS services should they use for each stage?
A. CodeCommit (source) → CodeBuild (build, test, Docker image) → ECR (registry) → CodeDeploy with ECS blue-green deployment, orchestrated by CodePipeline.
B. CodeCommit → CodeBuild → ECR → ECS rolling update via CloudFormation, orchestrated by CodePipeline.
C. CodeCommit → Lambda (build) → ECR → ECS blue-green via manual alias switching.
D. S3 (source) → CodeBuild → DockerHub → ECS rolling update via CLI scripts.
Answer: A
This is the standard AWS-native CI/CD architecture. CodePipeline orchestrates the workflow. CodeBuild handles building, testing, and Docker image creation. ECR stores the image. CodeDeploy manages ECS blue-green deployments with traffic shifting and rollback capabilities. Option B uses rolling updates, not blue-green. Option C uses Lambda for building, which has timeout limitations. Option D uses external services and manual processes.
Question 19
A DevOps engineer needs to implement a solution where CloudFormation stack deployments in production require approval from two different team leads before proceeding. The approval process must be auditable.
Which solution meets these requirements?
A. Use CodePipeline with a manual approval action that sends notifications to both team leads via SNS. Configure the approval action to require approval from both before proceeding to the CloudFormation deploy stage. All approval actions are logged in CloudTrail.
B. Create a Step Functions workflow that sends emails and waits for two API callbacks.
C. Use CloudFormation stack policies that require two IAM users to approve.
D. Implement a custom approval web application that integrates with CodePipeline via API.
Answer: A
CodePipeline’s manual approval actions are designed for this use case. You can add two sequential approval actions, each requiring a different approver. SNS sends notification emails. All approval and rejection actions are logged in CloudTrail for auditing. Option B works but is over-engineered. Option C doesn’t exist. Option D adds unnecessary custom infrastructure.
Question 20
A multi-account organization needs to ensure that CloudTrail is enabled in all accounts and cannot be disabled by individual account administrators.
What is the most effective approach?
A. Create an organization trail in the management account with AWS Organizations integration. Apply an SCP to member accounts that denies cloudtrail:StopLogging and cloudtrail:DeleteTrail actions.
B. Use AWS Config to check if CloudTrail is enabled and remediate by re-enabling it.
C. Deploy CloudTrail in each account using CloudFormation StackSets.
D. Use a Lambda function that periodically checks CloudTrail status across accounts.
Answer: A
Organization trails automatically log events for all accounts in the organization from the management account. The SCP prevents member accounts from disabling or deleting the trail. This is the strongest guarantee. Option B is reactive, not preventive. Option C deploys trails but can’t prevent deletion. Option D is polling-based and has gaps.
How to Use These Practice Questions
These questions represent the style and difficulty of the actual DOP-C02 exam. Here’s how to get the most from them:
- Attempt each question before reading the answer. Time yourself to spend no more than 3 minutes per question.
- Read all explanations, even for questions you got right. Understanding why wrong answers are wrong is as valuable as knowing the right answer.
- Identify patterns. Notice how the exam favors AWS-native, event-driven, and automated solutions over manual or third-party approaches.
- Track your domain scores. If you struggle with monitoring questions, that’s where to focus your study time.
Ready for More Practice?
Twenty questions is a good start, but the actual DOP-C02 exam has 75 questions across 180 minutes. Consistent practice with exam-realistic questions is the best predictor of passing.
Sailor’s DOP-C02 mock exam bundle includes hundreds of scenario-based questions with detailed explanations for every answer. Each question maps to a specific exam domain, so you can track your readiness across all five domains and focus your remaining study time where it matters most.
Related Resources
- DOP-C02 Exam Guide 2026 — Complete breakdown of exam format, domains, and passing requirements
- 10-Week DOP-C02 Study Plan — Structured preparation schedule with hands-on projects