🔒 DevOps Security & Compliance - DOP-C02 Practice Questions

Review IAM, KMS, Secrets Manager, security automation, compliance as code, GuardDuty, Security Hub, and DevSecOps practices on AWS.


DOP-C02 Security Question Bank (10 Questions)

Browse all 10 practice questions covering DevOps Security & Compliance for the DOP-C02 certification exam. Answers are intentionally hidden on this page so you can self-test first before checking results in quiz mode.

  1. Question 1: Incident and Event Response

    A company uses EventBridge to route events from multiple AWS services to different targets. A new compliance requirement says all security-related events must also be sent to a SIEM. What is the LEAST disruptive implementation?

    A. Modify all existing EventBridge rules to add the SIEM target
    B. Create an EventBridge rule that matches all security event patterns (GuardDuty, Security Hub, Inspector) and sends to Kinesis Firehose, which delivers to the SIEM
    C. Create a new event bus for security events
    D. Use CloudTrail to stream events to the SIEM

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start DOP-C02 Quiz
  2. Question 2: Security and Compliance

    A company's compliance framework requires evidence that security patches are applied to all servers within 30 days of release. What AWS service generates this compliance evidence?

    A. CloudTrail event history
    B. AWS Systems Manager Patch Manager compliance reports — generate compliance reports showing each instance's patch status, missing patches, and last patched time; export to S3 for audit evidence
    C. Amazon Inspector vulnerability reports
    D. AWS Config evaluations

  3. Question 3: Incident and Event Response

    A company wants to implement automated remediation for AWS Security Hub findings with severity HIGH or CRITICAL. What architecture provides automated remediation at scale?

    A. Manually review and fix Security Hub findings
    B. EventBridge rule matching Security Hub findings with Severity.Normalized >= 70 (HIGH) → Lambda or Step Functions: looks up the finding type, maps it to an SSM Automation runbook, executes the remediation, and updates the Security Hub finding status
    C. AWS Config remediates Security Hub findings
    D. Security Hub has built-in automatic remediation

  4. Question 4: Configuration Management and IaC

    A company has 50 AWS accounts and needs to deploy a standard CloudFormation stack (VPC, security groups, baseline IAM roles) to all accounts. What service manages this at scale?

    A. Manually deploy to each account
    B. AWS CloudFormation StackSets with Organizations integration — deploy to all accounts in the organization or to specific OUs from a management account
    C. Use AWS Service Catalog
    D. Use Terraform with multiple account providers

  5. Question 5: Security and Compliance

    A company needs to implement a 'break-glass' IAM role that grants administrator access but requires MFA and alerts the security team when used. What is the CORRECT implementation?

    A. Share the root user credentials for emergencies
    B. Create an IAM role with AdministratorAccess and a trust policy requiring MFA (Condition: aws:MultiFactorAuthPresent = true); configure a CloudTrail EventBridge rule to detect AssumeRole for this role and send an SNS alert
    C. Create an IAM user with admin access for emergencies
    D. Use AWS IAM Identity Center temporary elevated access

  6. Question 6: Incident and Event Response

    A company wants to automatically disable an IAM user when AWS GuardDuty detects that the user's credentials are being used from an unusual geographic location. What automated response is appropriate?

    A. Wait for the security team to investigate before taking action
    B. EventBridge rule matching the GuardDuty finding type (UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration or similar) → Lambda function that adds a deny-all inline policy to the IAM user and sends an alert to the security team
    C. Automatically delete the IAM user
    D. Use AWS Shield to block unusual geographic access

  7. Question 7: Security and Compliance

    A company wants to prevent any IAM user or role from circumventing account-level security controls, even if they have AdministratorAccess. What is the correct control mechanism?

    A. Apply explicit Deny policies to every IAM user
    B. Use AWS Organizations Service Control Policies (SCPs) — SCPs restrict what IAM entities can do even if they have full admin permissions; they define the maximum permissions boundary for the entire account
    C. Enable GuardDuty to block unauthorized actions
    D. Use IAM permission boundaries on all roles

  8. Question 8: Security and Compliance

    A company's DevOps pipeline creates IAM roles as part of infrastructure deployment. The security team is concerned that pipeline-created roles could be over-permissive. What control prevents the pipeline from creating roles with excessive privileges?

    A. Audit all IAM roles weekly
    B. Apply a permissions boundary policy to the pipeline's IAM role: limit the maximum permissions any role created by the pipeline can have; IAM roles created by the pipeline inherit the boundary and cannot exceed it
    C. Use an SCP to limit IAM role creation
    D. Require manual approval for all IAM changes

  9. Question 9: Security and Compliance

    A company's CloudFormation deployment creates IAM policies. The security team requires that all IAM policies go through a review process. What CodePipeline control enforces human review of IAM changes?

    A. IAM changes are automatically reviewed by AWS
    B. In the pipeline, add a Manual Approval action before the CloudFormation Deploy stage; the approval request includes a link to the Change Set showing all IAM policy changes, and the security team reviews the change set before approving
    C. Use CloudFormation Guard to auto-approve IAM policies
    D. Store IAM policies in a separate stack

  10. Question 10: Security and Compliance

    A company's security team wants to perform quarterly access reviews of all IAM users and roles. They want a report showing which permissions each principal has used in the last 90 days. What provides this?

    A. IAM console shows all permissions
    B. IAM Access Analyzer access analysis and last accessed information — for each role, 'Last accessed services' shows which AWS services were actually used and when (within the last 400 days); generates per-service and per-action access reports
    C. CloudTrail event history for each IAM principal
    D. AWS Trusted Advisor for IAM access review


Key Security Concepts for DOP-C02

Security, IAM, KMS, Secrets Manager, GuardDuty, Security Hub, DevSecOps, compliance

DOP-C02 Security Exam Tips

DevOps Security & Compliance questions in DOP-C02 are typically scenario-based. Focus on CI/CD automation, reliability engineering, and feedback-driven operations. Priority concepts: security, IAM, KMS, Secrets Manager, GuardDuty, Security Hub.

What DOP-C02 Expects

  • Anchor your answer in auditable, automated release and operations patterns with strong rollback readiness.
  • Security scenarios for DOP-C02 are frequently mapped to Domain 5 (14%), so read the objective carefully before picking controls or architecture.
  • Expect multi-topic scenarios where Security interacts with IAM, networking, storage, or observability patterns rather than appearing as an isolated question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Professional) and vendor best practices.

High-Value Security Concepts

  • Know the core Security building blocks cold: security, IAM, KMS, Secrets Manager.
  • Review the edge-case features and limits for GuardDuty and Security Hub; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how Security pairs with Config, Organizations, Incident Response in real deployment patterns.
  • For DOP-C02, explain why the chosen Security design meets reliability, security, and cost expectations better than the alternatives.

Common DOP-C02 Traps

  • Watch for manual promotion and approval logic where pipeline automation is expected.
  • Questions in Incident & Event Response often include distractors that look correct for Security but violate least-privilege, durability, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two Security implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Incident & Event Response (14%) outcomes for DOP-C02?
  • Can you explain security and access boundaries for Security without relying on default-open assumptions?
  • Can you describe how Security integrates with Config and Organizations during failure, scaling, and monitoring events?
