AWS-DOP-C02 & AWS CERTIFICATION | Sample Questions - Domain 5: Incident & Event Response - AWS Certified DevOps Engineer

4.3.5. Sample Questions - Domain 5: Incident & Event Response

Question 1:

A company uses AWS Lambda functions for processing real-time data streams. They need to implement a mechanism to automatically trigger a Lambda function whenever new data arrives in an Amazon S3 bucket. Which AWS service should be configured to achieve this event-driven invocation?

A) Amazon SQS B) Amazon SNS C) Amazon EventBridge D) S3 Event Notifications

Correct Answer: D

Explanation:

A) Amazon SQS: SQS (Simple Queue Service) is a message queuing service. While Lambda can poll SQS queues, SQS itself doesn't directly trigger Lambda from S3 events.
B) Amazon SNS: SNS (Simple Notification Service) is a pub/sub messaging service. While SNS can be a target for S3 events, and Lambda can subscribe to SNS topics, it adds an unnecessary layer of indirection if the goal is direct Lambda invocation from S3.
C) Amazon EventBridge: EventBridge is a serverless event bus that makes it easier to connect applications together using data from your own applications, integrated SaaS applications, and AWS services. While EventBridge can receive S3 events, the most direct and native way to trigger a Lambda function from S3 is using S3 Event Notifications.
D) S3 Event Notifications: Amazon S3 can be configured to send notifications to various destinations (including Lambda functions, SQS queues, or SNS topics) when certain events occur in a bucket, such as s3:ObjectCreated:*. This is the most direct and native way to trigger a Lambda function in response to new objects being uploaded to an S3 bucket, aligning with the First Principle of Event-Driven Architecture and Loose Coupling.

Question 2:

A DevOps team wants to automate the remediation of non-compliant AWS resources. For example, if an S3 bucket is created without encryption enabled, they want a Lambda function to automatically enable default encryption on that bucket. Which AWS service combination can be used to detect this non-compliance and trigger the automated remediation?

A) AWS CloudTrail and Amazon SNS B) AWS Config and AWS Lambda C) Amazon CloudWatch and AWS Systems Manager D) AWS Security Hub and Amazon SQS

Correct Answer: B

Explanation:

A) AWS CloudTrail and Amazon SNS: CloudTrail records API calls, and SNS can send notifications. While CloudTrail can detect the event, it doesn't inherently provide the compliance rule evaluation or direct automated remediation trigger that Config does.
B) AWS Config and AWS Lambda: AWS Config continuously monitors and records your AWS resource configurations and evaluates them against desired configurations using Config Rules. When a resource is found to be non-compliant (e.g., an S3 bucket without encryption), AWS Config can trigger an AWS Lambda function to perform automated remediation actions, such as enabling encryption. This aligns with the First Principle of Automated Governance and Compliance as Code.
C) Amazon CloudWatch and AWS Systems Manager: CloudWatch monitors metrics and logs, and Systems Manager can automate operational tasks. While they can be part of a broader automation strategy, Config is specifically designed for continuous compliance monitoring and triggering remediation based on configuration changes.
D) AWS Security Hub and Amazon SQS: Security Hub aggregates security findings, and SQS is a message queue. While Security Hub can identify non-compliant resources, it typically integrates with other services for remediation, and SQS is a transport layer, not a direct trigger for automated remediation based on compliance rules.

Question 3:

During an incident, a critical application running on Amazon EC2 instances experiences intermittent performance degradation. The DevOps team needs to quickly identify the root cause, which could be related to CPU utilization, network I/O, or disk activity on the instances. Which AWS service provides the most granular metrics for these operational aspects of EC2 instances?

A) AWS CloudTrail B) AWS Config C) Amazon CloudWatch D) AWS X-Ray

Correct Answer: C

Explanation:

A) AWS CloudTrail: CloudTrail logs API calls, which are useful for auditing and security, but not for granular performance metrics of EC2 instances.
B) AWS Config: Config monitors resource configurations for compliance, not real-time performance metrics.
C) Amazon CloudWatch: Amazon CloudWatch is the primary monitoring service for AWS resources. It provides detailed metrics for EC2 instances, including CPU Utilization, Network In/Out, Disk Read/Write Operations, and more. These metrics are essential for identifying performance bottlenecks and troubleshooting operational issues, aligning with the First Principle of Proactive Monitoring and Performance Visibility.
D) AWS X-Ray: X-Ray is for distributed tracing of application requests, helping to identify performance bottlenecks within an application's components, but it doesn't provide the granular infrastructure metrics of individual EC2 instances.

Question 4:

A company needs to implement a robust notification system for critical alerts generated by their monitoring systems (e.g., CloudWatch Alarms). They require a service that can fan out notifications to multiple subscribers, including email, SMS, and triggering Lambda functions for custom actions. Which AWS service is best suited for this fan-out notification pattern?

A) Amazon SQS B) Amazon Kinesis C) Amazon SNS D) Amazon EventBridge

Correct Answer: C

Explanation:

A) Amazon SQS: SQS is a message queuing service, primarily used for decoupling microservices and handling asynchronous communication. While it can receive messages, it doesn't inherently provide the fan-out notification capabilities to multiple diverse subscribers like email, SMS, and Lambda.
B) Amazon Kinesis: Kinesis is a platform for streaming data. It's designed for high-throughput data ingestion and processing, not for general-purpose fan-out notifications to various endpoints.
C) Amazon SNS: Amazon Simple Notification Service (SNS) is a highly available, durable, secure, fully managed pub/sub messaging service. It enables you to send messages to a large number of subscribers simultaneously, supporting various endpoints like email, SMS, HTTP/S endpoints, and AWS Lambda functions. This directly addresses the fan-out notification requirement, aligning with the First Principle of Decoupled Communication and Scalable Alerting.
D) Amazon EventBridge: EventBridge is a serverless event bus that makes it easier to connect applications together using data from your own applications, integrated SaaS applications, and AWS services. While it can route events to various targets, SNS is specifically designed for the fan-out notification pattern to multiple subscriber types.

Question 5:

During a production incident, the DevOps team needs to quickly access and execute pre-defined operational procedures (runbooks) to diagnose and resolve issues on their EC2 instances. They want to avoid manual SSH access and ensure that all actions are auditable and controlled. Which AWS service can be used to centralize and automate the execution of these runbooks on EC2 instances?

A) AWS CloudFormation B) AWS Systems Manager Automation C) AWS CodeDeploy D) AWS OpsWorks

Correct Answer: B

Explanation:

A) AWS CloudFormation: CloudFormation is for provisioning and managing infrastructure, not for executing operational runbooks on running instances.
B) AWS Systems Manager Automation: AWS Systems Manager Automation allows you to safely automate common and repetitive IT operations tasks across your AWS resources. You can create runbooks (Automation documents) that define a series of steps to perform, such as stopping/starting instances, applying patches, or troubleshooting. It provides centralized control, execution, and auditing of these operations without requiring direct SSH access, aligning with the First Principle of Automated Operations and Secure Management.
C) AWS CodeDeploy: CodeDeploy is a service that automates code deployments to various compute services. It's for deploying application code, not for executing general operational runbooks.
D) AWS OpsWorks: OpsWorks is a configuration management service that supports Chef and Puppet. While it can automate some operational tasks, Systems Manager Automation provides a more general-purpose and integrated solution for runbook automation across a wider range of AWS resources.