📋 AWS Config - DOP-C02 Practice Questions

Study Config rules, conformance packs, remediation actions, multi-account aggregators, resource inventory, and compliance reporting.

11Questions Available
2Exam Domains

Practice Config Questions Now

Start a timed practice session focusing on AWS Config topics from the DOP-C02 question bank.

Start DOP-C02 Practice Quiz →

DOP-C02 Config Question Bank (11 Questions)

Browse all 11 practice questions covering AWS Config for the DOP-C02 certification exam. Answers are intentionally hidden on this page so you can self-test first before checking results in quiz mode.

  1. Question 1Configuration Management and IaC

    A company wants to implement automated compliance remediation for AWS Config rules across 50 accounts. Non-compliant resources should be automatically fixed. What is the scalable approach?

    AManually fix non-compliant resources in each account
    BAWS Config organization conformance packs: define Config rules with remediation actions (SSM Automation runbooks) centrally; deploy to all accounts via Organizations; automatic remediation runs in each account when violations are detected
    CUse Lambda in the master account to remediate across all accounts
    DUse CloudFormation StackSets for remediation

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start DOP-C02 Quiz
  2. Question 2Security and Compliance

    A company uses AWS Config to enforce compliance. They want a compliance score showing the percentage of compliant resources across all Config rules. What Config feature provides this?

    AManually calculate compliance from Config findings
    BAWS Config conformance pack compliance score — a conformance pack contains multiple Config rules; the pack shows an aggregate compliance score as a percentage of compliant rules; Security Hub also provides an aggregate security score
    CAWS Trusted Advisor compliance score
    DCloudWatch custom metric for compliance

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start DOP-C02 Quiz
  3. Question 3Incident and Event Response

    A company's auto-remediation system terminated a critical EC2 instance mistakenly identified as non-compliant by AWS Config. How can the team prevent critical instances from future accidental auto-remediation?

    ADisable AWS Config for that instance
    BTag critical instances and add a condition to the remediation Lambda to skip tagged instances
    CUse Termination Protection on all instances
    DRemove the EC2 instance from the Config rule scope

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start DOP-C02 Quiz
  4. Question 4Configuration Management and IaC

    A company needs to automatically remediate non-compliant EC2 instances when the AWS Config rule 'ec2-instance-no-public-ip' triggers. What is the CORRECT remediation setup?

    AManually review Config findings and fix manually
    BConfigure an AWS Config remediation action using an SSM Automation runbook (AWSConfigRemediation-ReleaseElasticIP or custom runbook) that removes the public IP from non-compliant instances
    CUse Lambda to poll Config findings and remediate
    DSet up CloudWatch alarms on Config findings

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start DOP-C02 Quiz
  5. Question 5Security and Compliance

    A company stores sensitive configuration values in AWS Systems Manager Parameter Store. They need to ensure that values are encrypted and that access is logged for compliance. What is the CORRECT configuration?

    AUse standard String parameters with encryption
    BUse SecureString parameter type with a customer-managed KMS key; CloudTrail automatically logs all GetParameter API calls including the caller identity
    CUse Secrets Manager instead for all sensitive values
    DEnable CloudWatch Logs on Parameter Store

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start DOP-C02 Quiz
  6. Question 6Security and Compliance

    A company's security policy requires that all EC2 instances have the Systems Manager agent installed and that no instance should be accessible via SSH with a public IP. What AWS Config rules enforce this?

    ACreate custom Config rules for each requirement
    BUse managed Config rules: ec2-instance-managed-by-ssm (checks SSM management) and ec2-instances-in-vpc with no-public-ip conditions; configure auto-remediation for violations
    CUse AWS Inspector for compliance checking
    DUse CloudTrail to detect non-compliant instances

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start DOP-C02 Quiz
  7. Question 7Security and Compliance

    A company's compliance requirement mandates that CloudTrail logs cannot be deleted or modified by anyone, including administrators. What CloudTrail configuration enforces immutability?

    AEnable CloudTrail log file validation
    BStore CloudTrail logs in an S3 bucket with Object Lock (Compliance mode) in a dedicated audit account; the CloudTrail S3 bucket policy denies all DeleteObject actions including from the account root
    CEnable MFA delete on the S3 bucket
    DEncrypt CloudTrail logs with KMS

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start DOP-C02 Quiz
  8. Question 8Configuration Management and IaC

    A company's AWS Config has 500 managed rules across all accounts. They notice false positives for a specific rule where a specific S3 bucket used for compliance archiving is flagged as 'public' (intentionally public). What resolves this without disabling the rule?

    ADisable the rule for the entire organization
    BAdd an AWS Config rule exception for the specific bucket resource — use the resource exemption feature to mark the resource as compliant with a justification
    CCreate a custom Config rule that excludes this bucket
    DUse AWS Security Hub to suppress the finding

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start DOP-C02 Quiz
  9. Question 9Incident and Event Response

    A company wants to ensure that all AWS services used in their environment meet specific compliance requirements. Non-compliant resource configurations should generate tickets in ServiceNow automatically. What is the architecture?

    AManually review AWS Config compliance weekly
    BAWS Config rules detect non-compliant resources → EventBridge rule matches Config compliance change events (compliant to non-compliant transition) → Lambda function calls ServiceNow API to create tickets with resource details
    CUse Security Hub to create ServiceNow tickets
    DUse CloudTrail to detect compliance violations

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start DOP-C02 Quiz
  10. Question 10Configuration Management and IaC

    A company wants to deploy the same set of Config rules to all current and future AWS accounts in their organization. New accounts should automatically receive the rules. What is the CORRECT approach?

    AManually deploy Config rules to each account
    BCreate an AWS Config organization conformance pack in the management account; it automatically deploys to all member accounts and any new accounts joining the organization
    CUse CloudFormation StackSets to deploy Config rules
    DUse AWS Control Tower to manage Config rules

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start DOP-C02 Quiz
  11. Question 11Security and Compliance

    A company uses AWS Config to assess compliance. A Config rule shows 'NON_COMPLIANT' for an EC2 instance that was intentionally configured differently for a special use case. How should this exception be handled?

    ADisable the Config rule for all resources
    BUse AWS Config rule scope exception (resource exclusion): add the specific EC2 instance's resource ID to the rule's exclude resources list; the rule does not evaluate that resource; or use Security Hub finding suppression
    CModify the Config rule to allow the exception
    DArchive the non-compliant finding

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start DOP-C02 Quiz

Key Config Concepts for DOP-C02

configconfig rulesconformance packremediationaggregatorcomplianceresource inventory

DOP-C02 Config Exam Tips

AWS Config questions in DOP-C02 are typically scenario-based. Focus on CI/CD automation, reliability engineering, and feedback-driven operations. Priority concepts: config, config rules, conformance pack, remediation, aggregator, compliance.

What DOP-C02 Expects

  • Anchor your answer in choose auditable, automated release and operations patterns with strong rollback readiness.
  • Config scenarios for DOP-C02 are frequently mapped to Domain 3 (15%), Domain 5 (14%), so read the objective carefully before picking controls or architecture.
  • Expect multi-topic scenarios where Config interacts with IAM, networking, storage, or observability patterns rather than appearing as an isolated question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Professional) and vendor best practices.

High-Value Config Concepts

  • Know the core Config building blocks cold: config, config rules, conformance pack, remediation.
  • Review the edge-case features and limits for aggregator, compliance; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how Config pairs with Systems Manager, Organizations, Security in real deployment patterns.
  • For DOP-C02, explain why the chosen Config design meets reliability, security, and cost expectations better than the alternatives.

Common DOP-C02 Traps

  • Watch for manual promotion and approval logic where pipeline automation is expected.
  • Questions in Resilient Cloud Solutions often include distractors that look correct for Config but violate least-privilege, durability, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two Config implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Resilient Cloud Solutions (15%) outcomes for DOP-C02?
  • Can you explain security and access boundaries for Config without relying on default-open assumptions?
  • Can you describe how Config integrates with Systems Manager and Organizations during failure, scaling, and monitoring events?

Exam Domains Covering Config

Domain 3Resilient Cloud Solutions15%Domain 5Incident & Event Response14%

Related Resources

🎯 Free DOP-C02 Mock Exam Systems Manager Questions Organizations Questions Security Questions

More DOP-C02 Study Resources

← DOP-C02 Study Hub30-Day Study PlanFull Practice Exam