Amazon Web Services AWS Certified DevOps Engineer - Professional DOP-C02 Exam Dumps: Updated Questions & Answers (May 2026)

The key requirement is to shift a small percentage of traffic to a new version first to validate changes before rolling out to the entire ECS service, thereby reducing downtime and deployment risk. For ECS services behind an Application Load Balancer, the AWS-recommended and most reliable approach is to use AWS CodeDeploy with blue/green or canary deployments .

Option B directly addresses this requirement. By configuring the ECS service to use CodeDeploy as the deployment controller , CodeDeploy can manage traffic shifting between two ALB target groups: one for the current (stable) version and one for the new version. The CodeDeployDefault.ECSCanary10Percent15Minutes deployment configuration initially routes 10% of production traffic to the new task set, monitors the deployment for issues, and then shifts the remaining traffic after the defined interval. This enables early detection of application errors while limiting user impact.

Option A and C rely on rolling updates , which replace tasks incrementally but do not provide precise traffic control or automated rollback based on health checks. Option D’s slow start setting only affects how quickly targets receive traffic after registration and does not implement true canary testing.

Therefore, using AWS CodeDeploy with ECS canary deployments is the most robust, AWS-supported solution to test changes safely before full rollout.

When deploying to a private Amazon EKS cluster, the Kubernetes API server endpoint is not accessible from the public internet, meaning standard CodePipeline deploy actions that use public endpoints cannot directly connect to the cluster. The correct approach is to use AWS CodeBuild running inside a VPC that has connectivity to the private EKS cluster. CodeBuild runs kubectl commands to apply Kubernetes manifests or Helm charts to update the application. Authentication credentials, specifically a kubeconfig file containing the cluster endpoint, certificate authority data, and an authentication token or exec plugin configuration, should be stored securely in AWS Secrets Manager and retrieved by the CodeBuild build environment at runtime. This approach provides secure, auditable, and repeatable deployments without exposing the EKS API server publicly. Options B and D incorrectly assume CodePipeline has a native action that can reach private EKS endpoints directly.

================

https://aws.amazon.com/blogs/security/automatically-block-suspicious-traffic-with-aws-network-firewall-and-amazon-guardduty/

Step 1: Reducing Replication Lag in Aurora Global DatabasesIn Amazon Aurora global databases, write operations on the primary cluster can be delayed due to the time it takes to replicate to secondary clusters, especially when there are multiple secondary regions involved.

Issue: The write operations are occasionally blocked due to the RPO setting, which guarantees replication within 60 seconds.

Action: Remove one of the secondary clusters from the global database.

Why: Fewer secondary clusters will reduce the overall replication lag, improving write performance and reducing the frequency of blocked writes.

Apply SCPs for Region and service restriction. Use CloudFormation StackSets to consistently deploy IAM roles with trust policies for SSO/AD integration. This model enforces governance uniformly across all accounts per AWS multi-account best practices.

Use routing configuration on an alias to send a portion of traffic to a second function version. For example, you can reduce the risk of deploying a new version by configuring the alias to send most of the traffic to the existing version, and only a small percentage of traffic to the new version. https://docs.aws.amazon.com/lambda/latest/dg/configuration-aliases.html

The following are the steps involved in the deploy stage configuration that will meet the requirements:

Use AWS CodeBuild to add sample event payloads for testing to the Lambda functions.

Publish a new version of the functions, and include Amazon CloudWatch alarms.

Update the production alias to point to the new version.

Configure rollbacks to occur when an alarm is in the ALARM state.

This configuration will help to reduce the customer impact of an unsuccessful deployment by deploying the new version of the functions to a staging environment first. This will allow the DevOps engineer to test the new version of the functions before deploying it to production.

The configuration will also help to monitor for issues by including Amazon CloudWatch alarms. These alarms will alert the DevOps engineer if there are any problems with the new version of the functions.

This solution will meet the requirements because it will create a temporary copy of the production database using a snapshot, run the integration tests on the copy, and delete the copy after the tests are done. This way, the production database will not be affected by the code revisions, and the DevOps team can test the changes before deploying them to production. A buildspec file is a YAML file that contains the commands and settings that CodeBuild uses to run a build1. The buildspec file can specify the steps to restore the DB cluster from a snapshot, run the integration tests, and drop the restored database2

A bucket policy is a resource-based policy that defines who can access a specific S3 bucket and what actions they can perform on it. By removing unauthenticated access from the bucket policy, you can prevent anyone without valid credentials from accessing the bucket. A service role is an IAM role that allows an AWS service, such as CodeBuild, to perform actions on your behalf. By modifying the service role for the CodeBuild project to include Amazon S3 access, you can grant the project permission to read and write objects in the S3 bucket. The AWS CLI is a command-line tool that allows you to interact with AWS services, such as S3, using commands in your terminal. By using the AWS CLI to download the database population script, you can leverage the service role credentials and encryption to secure the data transfer.

For more information, you can refer to these web pages:

[Using bucket policies and user policies - Amazon Simple Storage Service]

[Create a service role for CodeBuild - AWS CodeBuild]

[AWS Command Line Interface]

Amazon S3 can generate server access logs that record detailed information about each request, including requester, bucket, key, operation, time, and status. These logs are written as objects to an S3 bucket. To analyze access patterns, the simplest and most serverless approach is to use Amazon Athena directly on those logs without building ingestion pipelines or databases.

Option B enables S3 server access logging and then creates an Athena external table over the log bucket. AWS provides standard log formats and even example schemas for S3 access logs. The analytics team can run ad hoc SQL queries to count the number of accesses per object per time period, filter by user, and perform aggregations, all without provisioning compute or managing databases.

Option A requires ingesting logs into Aurora, which adds ETL complexity and ongoing database management. Option C requires a Lambda function for every access event plus DB writes, which is more complex and potentially expensive at scale. Option D uses CloudWatch Logs and Managed Flink, which is more suited for streaming analytics and is significantly more complex than necessary for monthly summary reports.

Therefore, Option B provides the required analysis with the least development and operational effort.