🐳 Containers on AWS (ECS/EKS) - DOP-C02 Practice Questions

Master ECS task definitions, Fargate, EKS, ECR, service auto scaling, task placement, rolling updates, and container-based CI/CD pipelines.

44 Questions Available
3 Exam Domains

DOP-C02 Containers Question Bank (44 Questions)

Browse all 44 practice questions covering Containers on AWS (ECS/EKS) for the DOP-C02 certification exam. Answers are intentionally hidden on this page so you can self-test first before checking results in quiz mode.

  1. Question 1 - SDLC Automation

    A company wants to implement automated rollback for an ECS Fargate service when the new task definition version fails to start. Without any additional configuration, what ECS feature provides this?

    A. ECS health checks trigger rollback
    B. ECS deployment circuit breaker (with rollback enabled): automatically detects when new task revisions fail to start or reach a running state; rolls back to the last successful task definition version without manual intervention
    C. CodeDeploy blue/green rollback for ECS
    D. Auto Scaling health checks trigger ECS rollback

  2. Question 2 - Monitoring and Logging

    A DevOps team deploys a microservices application. They need to centralize logs from ECS containers, Lambda functions, and EC2 instances into a single searchable location for troubleshooting. Which service provides this unified log aggregation?

    A. Amazon CloudWatch Logs with Log Groups
    B. Amazon S3 with Athena
    C. Amazon OpenSearch with CloudWatch
    D. AWS CloudTrail

  3. Question 3 - SDLC Automation

    A company deploys a microservice using ECS with CodeDeploy. They want to run a Lambda validation function after deployment to verify the new container is healthy before completing the traffic shift. What CodeDeploy feature enables this?

    A. CodeDeploy deployment hooks in the AppSpec file (AfterAllowTestTraffic hook)
    B. ECS task definition health checks
    C. CodeDeploy rollback triggers
    D. ALB target group health checks

  4. Question 4 - Resilient Cloud Solutions

    An application runs on ECS Fargate in a single region. An outage in the single AZ where all tasks run causes a complete service outage. What architectural improvement provides resilience?

    A. Deploy more tasks in the same AZ
    B. Configure the ECS service with multiple AZs in the subnet configuration; use ALB with cross-zone load balancing; set minimum healthy percentage to ensure tasks run in multiple AZs
    C. Add a NAT gateway for redundancy
    D. Enable ECS Fargate spot for redundancy

  5. Question 5 - Monitoring and Logging

    A company wants to monitor their ECS Fargate tasks' memory and CPU utilization at the container level (not task level). What should be enabled?

    A. ECS task definition memory limits
    B. Enable CloudWatch Container Insights on the ECS cluster; it publishes container-level metrics including MemoryUtilized, CPUUtilized per container name
    C. Use CloudWatch agent in sidecar containers
    D. ECS Fargate does not support container-level metrics

  6. Question 6 - Security and Compliance

    A company needs to ensure their containerized applications in ECS are scanned for OS and package vulnerabilities continuously (not just at build time). What service provides runtime continuous scanning?

    A. ECR image scanning on push
    B. Amazon Inspector with ECS integration — continuously scans running ECS containers for OS and application package vulnerabilities, updating findings as new CVEs are published
    C. AWS Security Hub aggregates vulnerability findings
    D. GuardDuty Runtime Monitoring for container threats

  7. Question 7 - Resilient Cloud Solutions

    A company wants to implement automated scaling for their ECS Fargate service based on SQS queue depth. When queue depth exceeds 1000 messages, new tasks should be launched to process them. What Application Auto Scaling configuration implements this?

    A. ECS service auto scaling with CPU-based target tracking
    B. Create an Application Auto Scaling policy with a custom metric (SQS ApproximateNumberOfMessagesVisible); use target tracking targeting 1000 messages per task; scale in/out based on queue depth
    C. Use SQS long polling to reduce queue depth
    D. Lambda is better suited for SQS processing than ECS

  8. Question 8 - SDLC Automation

    A company wants to ensure that changes to a production ECS service configuration (task definition, desired count) can only be made through CodePipeline. Direct console or CLI modifications should be prevented. What control implements this?

    A. Enable CloudTrail and review changes manually
    B. IAM policy: deny ecs:UpdateService, ecs:RegisterTaskDefinition for all IAM principals except the CodePipeline execution role; allow those actions only for the pipeline role
    C. ECS service protection prevents all changes
    D. Use Service Catalog for all ECS deployments

  9. Question 9 - Monitoring and Logging

    A company runs ECS tasks in Fargate. They want to capture all network traffic metadata (connection source/destination, bytes) for security monitoring without modifying the application. What service provides this?

    A. ECS Fargate does not support network monitoring
    B. Enable VPC Flow Logs for the VPC or subnet containing Fargate tasks; Flow Logs capture ENI-level traffic metadata (source IP/port, destination IP/port, bytes, accept/reject) for all Fargate task network interfaces
    C. Use CloudWatch agent for network metrics
    D. GuardDuty ECS runtime monitoring

  10. Question 10 - Configuration Management and IaC

    A company wants to implement configuration management for their containerized applications using a GitOps approach with Kubernetes on EKS. Application deployments should be declarative and auditable. What is the RECOMMENDED tool?

    A. Use CodeDeploy for Kubernetes deployments
    B. Flux CD or ArgoCD — both implement Kubernetes GitOps; they continuously reconcile cluster state with Git; all changes are via Git commits (auditable); non-Git changes are automatically corrected (drift prevention)
    C. Use Helm with CodePipeline for deployments
    D. Use kubectl in CodeBuild for deployments

  11. Question 11 - Resilient Cloud Solutions

    A company's ECS Fargate tasks are experiencing container CPU throttling causing high latency. Application performance is inconsistent. What configuration change resolves CPU throttling?

    A. Increase the number of tasks
    B. Increase the task CPU setting in the ECS task definition; or switch to a task size with more vCPU; CPU throttling occurs when tasks exceed their allocated CPU share — increasing allocation resolves consistent throttling
    C. Use EC2 launch type instead of Fargate
    D. Enable Fargate spot to get more CPU

  12. Question 12 - Incident and Event Response

    A company's production ECS service has a memory leak. Containers eventually run out of memory and crash. They want automated detection and restart when memory exceeds 90% of the container limit. What implements this?

    A. ECS automatically restarts OOM containers
    B. CloudWatch Container Insights alarm on ECS container MemoryUtilized/MemoryReserved > 90%; alarm action triggers Lambda that calls ecs:StopTask for the specific task; ECS service restart policy launches a replacement task
    C. Use ECS task definition memory hard limit — container is killed at the limit
    D. Use OOM killer configuration

  13. Question 13 - Security and Compliance

    A company's DevOps team deploys Kubernetes resources to EKS using Helm charts. They want to enforce that all Helm deployments follow security policies (no privileged containers, resource limits required). What Kubernetes admission control mechanism enforces this?

    A. Helm chart linting enforces security policies
    B. OPA Gatekeeper or Kyverno with constraint templates that define security policies; policies are evaluated by the Kubernetes admission webhook on every resource creation/update; Helm deployments triggering policy violations are rejected
    C. EKS service accounts enforce security policies
    D. AWS Config rules for Kubernetes security

  14. Question 14 - SDLC Automation

    A company has a CodePipeline that builds a Docker image and pushes to ECR, then deploys to ECS. They want to ensure only images with no CRITICAL vulnerabilities are deployed. How should this be enforced?

    A. Add a manual approval action where security engineers approve each image
    B. Add a CodeBuild action after the ECR push that uses the ECR DescribeImageScanFindings API to check for CRITICAL findings; fail the pipeline if any are found
    C. Enable ECR image scanning and it will automatically block deployments
    D. Use Amazon Inspector to block non-compliant images

  15. Question 15 - Security and Compliance

    A company wants to verify that their containerized application's runtime behavior matches expected behavior (no unexpected network connections, no unauthorized process spawning). What AWS service monitors container runtime behavior?

    A. ECR image scanning
    B. Amazon GuardDuty Runtime Monitoring for ECS/EKS — uses the GuardDuty security agent to monitor runtime behavior (processes, network connections, file system access) and generates findings for suspicious activities
    C. Amazon Inspector for runtime scanning
    D. CloudWatch Container Insights

  16. Question 16 - Resilient Cloud Solutions

    An application deployed on ECS Fargate experiences intermittent task failures. The team wants failed tasks to automatically restart with exponential backoff before alerting the ops team. Which ECS feature provides this?

    A. ECS Service Circuit Breaker
    B. CloudWatch Container Insights
    C. ECS Task Placement Constraints
    D. ECS Service Auto Scaling

  17. Question 17 - SDLC Automation

    A company wants to implement GitOps for their EKS workloads. All Kubernetes deployments should automatically sync from the main branch of a Git repository. What is the RECOMMENDED approach?

    A. Use CodePipeline with kubectl apply in CodeBuild
    B. Deploy Flux or ArgoCD in the EKS cluster; it continuously reconciles the cluster state with the Git repository, automatically applying changes on commit
    C. Use CloudFormation to manage all EKS workloads
    D. Use AWS CodeDeploy for Kubernetes deployments

  18. Question 18 - SDLC Automation

    A company wants to implement semantic versioning for their container images stored in ECR. Each image must be tagged with the Git commit SHA and version number. How should this be implemented in CodeBuild?

    A. Manually tag images after each build
    B. In CodeBuild buildspec.yml, use environment variables CODEBUILD_RESOLVED_SOURCE_VERSION (commit SHA) and a version file in the repo to tag images with both values before pushing to ECR
    C. ECR automatically assigns semantic versions
    D. Use CodePipeline to tag images after deployment

  19. Question 19 - Resilient Cloud Solutions

    A company wants to protect their ECS production service from being accidentally deleted via CloudFormation or the console. What protection should be enabled?

    A. Enable ECS service deletion protection via IAM policies
    B. Enable ECS service delete protection (enableECSManagedTags: true) and set deletionProtection on the CloudFormation stack; use SCPs to prevent ECS service deletion in production
    C. Use DeletionPolicy: Retain in CloudFormation for the ECS service
    D. Require MFA for all ECS DeleteService API calls

  20. Question 20 - Security and Compliance

    A DevOps team needs to ensure that all Docker images deployed to production are signed and verified. Only images from the company's ECR repository should be deployable. What combination provides image provenance verification?

    A. Use ECR lifecycle policies
    B. Enable AWS Signer for container images (ECR image signing); use a policy to deny running unsigned images; configure OPA/admission controllers in EKS to validate image signatures before deployment
    C. Use ECR immutable tags to prevent image replacement
    D. Scan all images with Amazon Inspector

  21. Question 21 - Security and Compliance

    A company wants to ensure all traffic between services in their ECS cluster is encrypted in transit using mutual TLS (mTLS). What is the CORRECT implementation?

    A. Enable ALB HTTPS listeners
    B. Implement AWS App Mesh with TLS termination configured on virtual nodes; each service has a certificate from AWS Private CA injected via the Envoy proxy sidecar
    C. Use VPC peering encryption
    D. Configure security groups to allow only HTTPS traffic

  22. Question 22 - Security and Compliance

    A DevOps team wants to enforce that all ECS task definitions define resource limits (CPU and memory). Non-compliant task definitions should be blocked from deployment. What is the CORRECT preventive control?

    A. Training developers on ECS best practices
    B. Implement a CloudFormation Guard rule or custom Config rule checking that ECS task definitions have cpu and memory fields set; add the check to the CI/CD pipeline as a blocking gate
    C. AWS Config managed rule for ECS task definitions
    D. Use ECS Service Connect for resource management

  23. Question 23 - SDLC Automation

    A company wants to automatically promote Docker images from dev to staging to prod ECR repositories as they pass each environment's tests. What naming convention and pipeline design supports this?

    A. Use the same image tag in all environments
    B. Build → Tag image with commit SHA → push to dev-ecr; dev tests pass → tag same SHA image as 'staging' and push to staging-ecr; staging tests pass → tag as 'prod' and push to prod-ecr; promotion is re-tagging not rebuilding
    C. Rebuild the Docker image for each environment
    D. Use ECR replication between repositories

  24. Question 24 - Resilient Cloud Solutions

    A company uses ECS with a rolling update deployment. New tasks fail to start due to a code bug. The failed tasks prevent healthy tasks from being removed. The service becomes unstable. What ECS feature prevents this?

    A. ECS service auto scaling reverting to the previous task definition
    B. Enable ECS deployment circuit breaker with rollback: when a configurable number of tasks fail to reach RUNNING state, the circuit breaker automatically rolls back to the previous stable task definition
    C. Set minimum healthy percent to 100% in the deployment config
    D. Use CloudWatch alarms to detect deployment failures

  25. Question 25 - Resilient Cloud Solutions

    An application on ECS Fargate must process messages from an SQS queue. If a Fargate task fails mid-processing, the message should not be lost. What configuration prevents message loss?

    A. Set the SQS queue visibility timeout to 1 second
    B. Set the SQS visibility timeout to greater than the maximum task processing time; if the task fails, the visibility timeout expires, making the message visible again for reprocessing; configure SQS DLQ after max retries
    C. Use FIFO SQS queues
    D. Use Lambda for SQS processing instead of ECS

  26. Question 26 - Resilient Cloud Solutions

    A company's ECS service needs to handle sudden traffic spikes within seconds. Standard Auto Scaling takes 2-3 minutes to launch new tasks. What configuration pre-warms capacity?

    A. Increase ECS task CPU and memory limits
    B. Use scheduled Auto Scaling: pre-scale the ECS service 5 minutes before expected traffic spikes (e.g., marketing email sends) using Application Auto Scaling scheduled actions
    C. Use Fargate Spot for additional capacity
    D. ECS Burst Scaling mode handles sudden traffic spikes

  27. Question 27 - Monitoring and Logging

    A company wants to correlate ECS application logs with ALB access logs and CloudTrail API logs to investigate security incidents. What service provides unified log querying?

    A. CloudWatch Logs Insights (only for CloudWatch Logs)
    B. Amazon Athena — query CloudTrail logs, ALB access logs, and other logs stored in S3 using SQL; create correlation queries across different log sources in a single query
    C. Amazon Detective for security investigation
    D. CloudWatch Contributor Insights

  28. Question 28 - Security and Compliance

    A company's security team requires that all data in transit between ECS services is encrypted. Currently services communicate via internal ALB. What ensures encryption?

    A. Security groups prevent unauthorized access without encryption
    B. Configure the internal ALB listener to use HTTPS with ACM certificates; configure target group to use HTTPS port 443; services communicate using TLS for end-to-end encryption
    C. Data within a VPC is automatically encrypted by AWS
    D. Use VPC encryption to encrypt all VPC traffic

  29. Question 29 - Security and Compliance

    A company wants to use IAM roles for service-to-service authentication between ECS tasks. Task A should be able to call Task B's API without using access keys. What mechanism enables this?

    A. Hardcode access keys in Task A's environment variables
    B. ECS task roles provide temporary credentials to ECS tasks via the task metadata endpoint; Task A's task role includes the API permissions needed to call Task B's endpoint (API Gateway + IAM authorization)
    C. Use ECS Service Connect for authentication
    D. Use VPC security groups for service authentication

  30. Question 30 - SDLC Automation

    A company's ECS service uses CodeDeploy for blue/green deployments. After a blue/green deployment, both the original (blue) and replacement (green) task sets exist for 1 hour. What CodeDeploy configuration setting controls this?

    A. DeploymentGroupId timeout
    B. BlueGreenDeploymentConfiguration.deploymentReadyOption specifies the wait time before traffic shift; terminationHookEnabled or terminateBlueInstancesOnDeploymentSuccess with terminationWaitTimeInMinutes controls retention of original task set
    C. ECS task set TTL configuration
    D. ALB target deregistration delay

  31. Question 31 - SDLC Automation

    A company's pipeline builds a container image and pushes to ECR. They want to enforce semantic versioning: images should be tagged as major.minor.patch from the VERSION file in the repository. How should the buildspec implement this?

    A. Use the CodeBuild build number as the version
    B. Read VERSION file (cat VERSION), extract the version string; use docker tag and push to ECR with both the semantic version tag and 'latest'; export the version as a CodeBuild output artifact for downstream stages
    C. Use ECR automatic versioning
    D. Use Git tags as the image version

  32. Question 32 - Configuration Management and IaC

    A DevOps team uses CDK with TypeScript. They want to share CDK constructs (e.g., a standard ECS service construct) across 10 teams. What is the recommended distribution mechanism?

    A. Copy and paste the construct code into each team's repository
    B. Publish the CDK constructs as an npm package to AWS CodeArtifact; teams install the package as a dependency and import the shared constructs; versioning follows semantic versioning
    C. Use CloudFormation modules instead of CDK constructs
    D. Share via a Git submodule

  33. Question 33 - Resilient Cloud Solutions

    A company's application needs to withstand the failure of one entire AWS Availability Zone. Their ECS service uses a single subnet in one AZ. What is required to ensure multi-AZ resilience?

    A. Enable ECS cluster Multi-AZ mode
    B. Configure the ECS service with subnets in at least 2 AZs; increase desiredCount so tasks can run in both AZs; ALB with cross-zone load balancing distributes traffic; minimum healthy percent ensures tasks run in surviving AZs during AZ failure
    C. Use Fargate Spot for automatic AZ distribution
    D. ECS services automatically distribute across AZs

  34. Question 34 - Resilient Cloud Solutions

    A company uses EKS with a single node group in one region. They want to implement cluster autoscaling that supports both scale-up and scale-down of Kubernetes nodes. What component provides this?

    A. Kubernetes built-in autoscaler
    B. AWS Cluster Autoscaler running as a pod in EKS — watches for pending pods with unschedulable status and scales up the ASG; removes underutilized nodes during scale-down; Karpenter is the newer alternative
    C. EKS managed node groups automatically scale
    D. Lambda functions triggered by EKS metrics

  35. Question 35 - Monitoring and Logging

    A company wants to automatically create a daily report of all 'ERROR' and 'CRITICAL' logs from all their ECS services and email it to the engineering manager. What is the automated architecture?

    A. Download logs daily and grep manually
    B. EventBridge Scheduler (daily at 6AM) → Lambda; Lambda runs CloudWatch Logs Insights query on all ECS log groups filtering level=ERROR or CRITICAL from the last 24 hours; formats results as HTML table; sends via SES
    C. CloudWatch Logs Insights subscriptions
    D. Export logs to S3 and use S3 Select

  36. Question 36 - Incident and Event Response

    A company wants to automatically scale their ECS service up when a CloudWatch alarm triggers (indicating high load) and scale down when the alarm clears. What type of Auto Scaling policy implements alarm-based scaling?

    A. Target tracking scaling
    B. Step scaling policy — defines scaling adjustments triggered by CloudWatch alarms; alarm breach triggers scaling steps; alarm clearing with different thresholds triggers scale-in steps
    C. Scheduled scaling
    D. Predictive scaling

  37. Question 37 - Security and Compliance

    A company runs an EKS cluster. They want to ensure that no pods run as root. What Kubernetes security mechanism enforces this at the cluster level?

    A. EC2 security groups
    B. Kubernetes Pod Security Standards (Restricted profile) enforced via Pod Security Admission controller; or OPA Gatekeeper constraint templates denying pods with runAsNonRoot: false or missing security context
    C. EKS node group IAM roles
    D. Amazon Inspector EKS scanning

  38. Question 38 - Security and Compliance

    A company uses Amazon ECR for Docker images. They want to automatically delete images older than 90 days to reduce storage costs and ensure stale images aren't deployed. What configuration implements this?

    A. Manually audit and delete images monthly
    B. Configure ECR lifecycle policies on the repository: define a rule with a filter (tag status, tag prefix) and an action to expire images older than 90 days; ECR evaluates and applies the policy automatically
    C. Use S3 lifecycle policies for ECR storage
    D. Enable ECR image scanning to delete old images

  39. Question 39 - SDLC Automation

    A company wants to implement a release train model where all microservices are deployed together at the same time, every two weeks. Individual services should be testable independently. What pipeline design supports this?

    A. One pipeline for all services that runs everything together
    B. Individual CI pipelines per service (build, test, push artifact on every commit); a separate 'release train' pipeline runs every two weeks: pulls latest approved artifact from each service and deploys all together
    C. Deploy each service on a different day
    D. Use CodeDeploy deployment groups for release train

  40. Question 40 - Resilient Cloud Solutions

    A company's ECS service has a minimum healthy percent of 100% and maximum percent of 200%. During a rolling deployment, the deployment takes very long. Why?

    A. ECS rolling deployments are always slow
    B. With 100% minimum healthy, ECS must launch new tasks and wait for them to be healthy before stopping old tasks (double capacity). If capacity is constrained (Fargate limits or EC2 resource exhaustion), task launches are queued, causing slow rollouts
    C. The container image is too large
    D. The health check period is too long

  41. Question 41 - Resilient Cloud Solutions

    A company's production application requires 99.99% availability. They have a single ECS service in one region. What changes achieve the availability target?

    A. Increase ECS task count to 10
    B. Multi-AZ within the region (3 AZs, distributed ECS tasks, Multi-AZ ALB and RDS) AND multi-region active-passive with Route 53 failover; 99.99% (< 52 minutes downtime/year) requires both intra-region and cross-region resilience
    C. Use Fargate instead of EC2 for ECS
    D. 99.99% availability cannot be achieved on AWS

  42. Question 42 - Security and Compliance

    A company wants to ensure their CodeBuild projects cannot access the internet but can still access AWS services (S3, ECR, Secrets Manager). What is the CORRECT network configuration?

    A. Use a public subnet for CodeBuild without internet access
    B. Run CodeBuild in a private VPC subnet with no internet gateway or NAT Gateway; create VPC Interface Endpoints for all needed AWS services (S3 Gateway Endpoint, ECR Interface Endpoint, Secrets Manager Interface Endpoint)
    C. Block all outbound traffic with security groups
    D. Use CodeBuild with VPC but enable NAT Gateway

  43. Question 43 - Security and Compliance

    A company wants to implement centralized secret management for all microservices. Secrets should automatically rotate, be versioned, and audited. Services should retrieve secrets at runtime. What AWS service provides all these capabilities?

    A. SSM Parameter Store with manual rotation
    B. AWS Secrets Manager — provides automatic rotation (Lambda functions), versioning (AWSPENDING, AWSCURRENT, AWSPREVIOUS stages), access logging (CloudTrail), resource policies, and SDK integration for runtime secret retrieval
    C. KMS-encrypted S3 objects for secrets
    D. Vault (HashiCorp) is required for all these features

  44. Question 44 - Security and Compliance

    A company's security policy requires that all ECS task definitions be reviewed and approved before they can be used in production. Non-approved task definitions should be blocked. What is the CORRECT implementation?

    A. Trust developers to follow the review process
    B. Implement an IAM policy denying ecs:RunTask and ecs:CreateService for task definitions not tagged as approved=true; the review pipeline tags the task definition after approval — only approved task definitions can run in production
    C. Use CloudFormation for all ECS task definitions
    D. Use SCP to prevent ECS task definition creation

Key Containers Concepts for DOP-C02

ecs, eks, ecr, fargate, container, docker, task definition, service, kubernetes

DOP-C02 Containers Exam Tips

Containers on AWS (ECS/EKS) questions in DOP-C02 are typically scenario-based. Focus on CI/CD automation, reliability engineering, and feedback-driven operations. Priority concepts: ecs, eks, ecr, fargate, container, docker.

What DOP-C02 Expects

  • Anchor your answer in auditable, automated release and operations patterns with strong rollback readiness.
  • Containers scenarios for DOP-C02 are frequently mapped to Domain 1 (22%), Domain 2 (17%), Domain 4 (15%), so read the objective carefully before picking controls or architecture.
  • Expect multi-topic scenarios where Containers interacts with IAM, networking, storage, or observability patterns rather than appearing as an isolated question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Professional) and vendor best practices.

High-Value Containers Concepts

  • Know the core Containers building blocks cold: ecs, eks, ecr, fargate.
  • Review the edge-case features and limits for container, docker; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how Containers pairs with Deployment Strategies, CI/CD Pipelines, Auto Scaling in real deployment patterns.
  • For DOP-C02, explain why the chosen Containers design meets reliability, security, and cost expectations better than the alternatives.

Common DOP-C02 Traps

  • Watch for manual promotion and approval logic where pipeline automation is expected.
  • Questions in SDLC Automation often include distractors that look correct for Containers but violate least-privilege, durability, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two Containers implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to SDLC Automation (22%) outcomes for DOP-C02?
  • Can you explain security and access boundaries for Containers without relying on default-open assumptions?
  • Can you describe how Containers integrates with Deployment Strategies and CI/CD Pipelines during failure, scaling, and monitoring events?
