Amazon Web Services

Free DOP - AWS Certified DevOps Engineer - Professional Practice Questions

Test your knowledge with 10 free sample practice questions for the DOP - AWS Certified DevOps Engineer - Professional certification. Each question includes a detailed explanation to help you learn.

10 Questions

No time limit

Free - No signup required

Disclaimer: These are original, AI-generated practice questions created by ProctorPulse for exam preparation purposes. They are not sourced from any official exam and are not affiliated with or endorsed by Amazon Web Services. Use them as a study aid alongside official preparation materials.

Question 1: An organization wants to ensure that their application running on an EC2 instance can access an S3 bucket with the least privilege. Which IAM strategy should they use?

A. Create an IAM role for the EC2 instance with permissions to access the specific S3 bucket. (Correct Answer)
B. Assign an IAM user with full administrative access to the EC2 instance.
C. Attach an IAM policy directly to the EC2 instance with permissions to access any S3 bucket.
D. Use an IAM role for the EC2 instance but grant it access to all AWS services.

Explanation: Using an IAM role with specific permissions to access only the required S3 bucket ensures least privilege by restricting access to only the necessary resources. Option A is the correct choice as it involves assigning an IAM role with precise permissions, promoting security and compliance by adhering to the principle of least privilege.

Question 2: How can you enforce Multi-Factor Authentication (MFA) for users accessing sensitive AWS resources using IAM policy conditions?

A. By setting the 'aws:MultiFactorAuthPresent' condition key to 'true'. (Correct Answer)
B. By including the 'aws:SecureTransport' condition key in the policy.
C. By enabling MFA through the IAM console directly on resource policies.
D. By setting the 'aws:RequestTag' condition key to 'MFARequired'.

Explanation: To enforce MFA for accessing AWS resources, you use the IAM policy condition key 'aws:MultiFactorAuthPresent'. This key checks whether MFA is enabled for a request. Setting it to 'true' ensures that only requests authenticated with MFA will be allowed access, enhancing security for sensitive operations.

Question 3: An organization is reviewing its IAM policies to ensure security compliance. During the audit, several policy changes are identified. (Select all that apply) Which of these changes could potentially introduce security vulnerabilities?

A. A policy change allowing all users to have 'FullAccess' to all S3 buckets without conditions. (Correct Answer)
B. A policy modification granting EC2 instances the ability to assume any role in the account. (Correct Answer)
C. A policy update restricting access to the billing console to only the finance team.
D. A policy that grants Lambda functions permission to access DynamoDB tables only using specific tags.

Explanation: Option A introduces a vulnerability as it allows unrestricted access to all S3 buckets, which could lead to data exposure. Option B is risky because it grants EC2 instances the ability to assume any role, potentially leading to privilege escalation. Option C is a security enhancement as it restricts access to sensitive billing information. Option D is a controlled access approach, as it limits Lambda functions through specific tags, reducing the risk of unauthorized access.

Question 4: (Select all that apply) You are reviewing IAM policies to ensure they adhere to the principle of least privilege. Which of the following policies incorrectly grant root-level permissions?

A. Policy A: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]} (Correct Answer)
B. Policy B: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"ec2:*","Resource":"arn:aws:ec2:region:account-id:instance/*"}]}
C. Policy C: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::example-bucket"}]}
D. Policy D: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"iam:*","Resource":"arn:aws:iam::account-id:user/*"}]} (Correct Answer)

Explanation: Policy A grants all actions on all resources, which is overly permissive and violates the principle of least privilege. Policy D allows all IAM actions, including potentially sensitive operations, on all users, which can also be considered as granting root-level permissions. Policies B and C are more restricted and do not grant root-level access.

Question 5: What steps should the IT team take to ensure their IAM policies comply with the company's security standards?

A. Review IAM policies using AWS IAM Access Analyzer to identify excessive permissions. (Correct Answer)
B. Enable AWS CloudTrail to log and monitor all IAM-related activities. (Correct Answer)
C. Implement MFA for all IAM users to enhance account security.
D. Regularly update IAM user passwords to meet compliance requirements.

Explanation: To audit IAM policies for compliance, it's crucial to identify any excessive permissions that may violate internal security standards, which can be done using AWS IAM Access Analyzer (Option A). Additionally, enabling AWS CloudTrail provides a logging mechanism to monitor IAM-related activities, ensuring ongoing compliance and the ability to detect policy violations (Option B). While implementing MFA (Option C) and updating passwords (Option D) are good security practices, they do not directly address auditing or compliance of IAM policies.

Question 6: (Select all that apply) Which practices should be implemented to ensure least privilege access within AWS IAM to protect sensitive resources?

A. Regularly review and rotate access keys for users with programmatic access. (Correct Answer)
B. Grant full administrative access to all users to simplify permissions management.
C. Implement role-based access control with specific permissions for different job functions. (Correct Answer)
D. Use resource-based policies to restrict actions on specific resources to certain users. (Correct Answer)

Explanation: To enforce least privilege, it is important to regularly review and rotate access keys to prevent unauthorized access. Implementing role-based access control ensures that users receive only the permissions necessary for their job function. Resource-based policies add an additional layer of control by restricting access to specific resources. Granting full administrative access contradicts the principle of least privilege and should be avoided.

Question 7: A company wants to ensure their IAM policies grant only the necessary permissions to their developers working on a new project. Which approach should they take to achieve this?

A. Assign a single, broad IAM policy that covers all possible tasks the developers might need.
B. Provide each developer with administrative access to ensure they can perform any required task.
C. Create specific IAM policies for each role that limit permissions to only those necessary for their tasks. (Correct Answer)
D. Use a default policy template provided by AWS without customization to streamline the process.

Explanation: To implement least privilege access, it's best to create specific IAM policies tailored to each role, granting only the necessary permissions required for their tasks. This minimizes the risk of over-provisioning and potential security breaches.

Question 8: What steps should you take to ensure IAM roles in your organization adhere to the principle of least privilege after identifying those with excessive permissions?

A. Modify the policies attached to the roles to remove unnecessary permissions based on their usage logs. (Correct Answer)
B. Delete the IAM roles with excessive permissions and recreate them with minimal permissions.
C. Implement a monitoring solution to alert when roles exceed their intended scope of actions. (Correct Answer)
D. Apply a blanket policy that restricts all roles to a minimal set of permissions and manually add permissions as needed.

Explanation: To adhere to the principle of least privilege, you should refine IAM policies by removing unnecessary permissions based on actual usage (Option A). Additionally, implementing a monitoring solution (Option C) helps maintain this principle over time by alerting you to any deviations from expected behavior. Deleting and recreating roles (Option B) is not efficient and can lead to service disruptions, while a blanket restrictive policy (Option D) can hinder operations and increase administrative overhead.

Question 9: You are tasked with setting up an IAM role in AWS to allow cross-account access from Account A to Account B with minimal privileges. What is a crucial step to ensure that only necessary permissions are granted to this IAM role?

A. Attach a policy to the IAM role that only allows specific actions needed for the tasks. (Correct Answer)
B. Create a trust policy that allows any principal from Account B to assume the role.
C. Use AWS Managed Policies to grant permissions to the IAM role.
D. Attach an inline policy to the IAM role that grants administrator access to Account B.

Explanation: To implement IAM roles with least privilege access, it is essential to attach a policy to the IAM role that permits only the specific actions required for the tasks the role will perform. This minimizes the risk of granting excessive permissions. Using AWS Managed Policies or granting administrator access might provide more permissions than necessary, violating the principle of least privilege.

Question 10: A company has an AWS IAM policy that grants permissions to several S3 buckets but includes an overly permissive statement. The policy allows 's3:*' on one of the buckets, which includes both sensitive and public data. What actions should you take to increase the security of this IAM policy? (Select all that apply)

A. Restrict the permissions to specific actions like 's3:GetObject' and 's3:PutObject'. (Correct Answer)
B. Implement a condition that checks if the request comes from a specific IP range. (Correct Answer)
C. Enable versioning on the S3 bucket to track changes to objects.
D. Create a separate IAM policy for sensitive data with more restrictive permissions. (Correct Answer)

Explanation: To secure the IAM policy, it's important to follow the principle of least privilege by specifying only the actions that are necessary (option A). Adding conditions such as IP address restrictions (option B) can help limit where requests can originate. Separating permissions for sensitive data (option D) ensures that additional controls can be applied. Enabling versioning (option C) is a good practice for data protection but does not directly mitigate the IAM policy's security risk.

Question 1Easy

An organization wants to ensure that their application running on an EC2 instance can access an S3 bucket with the least privilege. Which IAM strategy should they use?

ACreate an IAM role for the EC2 instance with permissions to access the specific S3 bucket.

BAssign an IAM user with full administrative access to the EC2 instance.

CAttach an IAM policy directly to the EC2 instance with permissions to access any S3 bucket.

DUse an IAM role for the EC2 instance but grant it access to all AWS services.

Question 2Medium

How can you enforce Multi-Factor Authentication (MFA) for users accessing sensitive AWS resources using IAM policy conditions?

ABy setting the 'aws:MultiFactorAuthPresent' condition key to 'true'.

BBy including the 'aws:SecureTransport' condition key in the policy.

CBy enabling MFA through the IAM console directly on resource policies.

DBy setting the 'aws:RequestTag' condition key to 'MFARequired'.

Question 3Medium

An organization is reviewing its IAM policies to ensure security compliance. During the audit, several policy changes are identified. (Select all that apply) Which of these changes could potentially introduce security vulnerabilities?

(Select all that apply)

AA policy change allowing all users to have 'FullAccess' to all S3 buckets without conditions.

BA policy modification granting EC2 instances the ability to assume any role in the account.

CA policy update restricting access to the billing console to only the finance team.

DA policy that grants Lambda functions permission to access DynamoDB tables only using specific tags.

Question 4Hard

(Select all that apply) You are reviewing IAM policies to ensure they adhere to the principle of least privilege. Which of the following policies incorrectly grant root-level permissions?

(Select all that apply)

APolicy A: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}

BPolicy B: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"ec2:*","Resource":"arn:aws:ec2:region:account-id:instance/*"}]}

CPolicy C: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::example-bucket"}]}

DPolicy D: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"iam:*","Resource":"arn:aws:iam::account-id:user/*"}]}

Question 5Medium

What steps should the IT team take to ensure their IAM policies comply with the company's security standards?

(Select all that apply)

AReview IAM policies using AWS IAM Access Analyzer to identify excessive permissions.

BEnable AWS CloudTrail to log and monitor all IAM-related activities.

CImplement MFA for all IAM users to enhance account security.

DRegularly update IAM user passwords to meet compliance requirements.

Question 6Medium

(Select all that apply) Which practices should be implemented to ensure least privilege access within AWS IAM to protect sensitive resources?

(Select all that apply)

ARegularly review and rotate access keys for users with programmatic access.

BGrant full administrative access to all users to simplify permissions management.

CImplement role-based access control with specific permissions for different job functions.

DUse resource-based policies to restrict actions on specific resources to certain users.

Question 7Easy

A company wants to ensure their IAM policies grant only the necessary permissions to their developers working on a new project. Which approach should they take to achieve this?

AAssign a single, broad IAM policy that covers all possible tasks the developers might need.

BProvide each developer with administrative access to ensure they can perform any required task.

CCreate specific IAM policies for each role that limit permissions to only those necessary for their tasks.

DUse a default policy template provided by AWS without customization to streamline the process.

Question 8Medium

What steps should you take to ensure IAM roles in your organization adhere to the principle of least privilege after identifying those with excessive permissions?

(Select all that apply)

AModify the policies attached to the roles to remove unnecessary permissions based on their usage logs.

BDelete the IAM roles with excessive permissions and recreate them with minimal permissions.

CImplement a monitoring solution to alert when roles exceed their intended scope of actions.

DApply a blanket policy that restricts all roles to a minimal set of permissions and manually add permissions as needed.

Question 9Medium

You are tasked with setting up an IAM role in AWS to allow cross-account access from Account A to Account B with minimal privileges. What is a crucial step to ensure that only necessary permissions are granted to this IAM role?

AAttach a policy to the IAM role that only allows specific actions needed for the tasks.

BCreate a trust policy that allows any principal from Account B to assume the role.

CUse AWS Managed Policies to grant permissions to the IAM role.

DAttach an inline policy to the IAM role that grants administrator access to Account B.

Question 10Hard

A company has an AWS IAM policy that grants permissions to several S3 buckets but includes an overly permissive statement. The policy allows 's3:*' on one of the buckets, which includes both sensitive and public data. What actions should you take to increase the security of this IAM policy? (Select all that apply)

(Select all that apply)

ARestrict the permissions to specific actions like 's3:GetObject' and 's3:PutObject'.

BImplement a condition that checks if the request comes from a specific IP range.

CEnable versioning on the S3 bucket to track changes to objects.

DCreate a separate IAM policy for sensitive data with more restrictive permissions.

Ready for More?

These 10 questions are just a preview. Create a free account to practice up to 3 topics with 50 questions per day — or upgrade to Pro for unlimited access.

Ready to Pass the DOP - AWS Certified DevOps Engineer - Professional?

Join thousands of professionals preparing for their DOP - AWS Certified DevOps Engineer - Professional certification with ProctorPulse. AI-generated questions, detailed explanations, and progress tracking.