DOP-C02 AWS Certified DevOps Engineer - Professional Question and Answers

Create an SQS dead-letter queue. Modify the existing queue by including a redrive policy that sets the Maximum Receives setting to 1 and sets the dead-letter queue ARN to the ARN of the newly created queue. Instruct the scientists to use the dead-letter queue to review the data that is not valid. Reprocess this data at a later time.

Amazon EventBridge can directly consume AWS Health events as an event source. You can specify event types such as “AWS_EC2_INSTANCE_RETIREMENT_SCHEDULED” or “AWS_EC2_INSTANCE_TERMINATION_SCHEDULED.” The rule’s target should invoke the Systems Manager Automation document (runbook) AWS-RestartEC2Instance to automate the restart within a defined maintenance window. This event-driven automation pattern is described in AWS documentation: “Automating AWS Health event remediation using EventBridge and Systems Manager.”

Creating an AWS CodeCommit repository for each project, using the main branch for production code, and creating a testing branch for code deployed to testing will meet the requirements. AWS CodeCommit is a managed revision control service that hosts Git repositories and works with all Git-based tools1. By using feature branches to develop new features and pull requests to merge code to testing and main branches, the developers can avoid code conflicts and lost work, and also implement code reviews and approvals. Option B is incorrect because creating another S3 bucket for each project for testing code and using an AWS Lambda function to promote code changes between testing and production buckets will not provide the benefits of revision control, such as tracking changes, branching, merging, and collaborating. Option C is incorrect because using the main branch for production and test code with different deployment pipelines for each environment will not allow the developers to test their code changes before deploying them to production. Option D is incorrect because enabling versioning and branching on each S3 bucket will not work with Git-based tools and will not provide the same level of revision control as AWS CodeCommit. References:

AWS CodeCommit

Certified DevOps Engineer - Professional (DOP-C02) Study Guide (page 182)

To implement failover for the application to the secondary Region so that HTTP GET requests meet the desired RTO, the DevOps engineer should use the following solution:

Create a new origin on the distribution for the secondary ALB. A CloudFront origin is the source of the content that CloudFront delivers to viewers. By creating a new origin for the secondary ALB, the DevOps engineer can configure CloudFront to route traffic to the secondary Region when the primary Region is unavailable1

Create a new origin group. Set the original ALB as the primary origin. Configure the origin group to fail over for HTTP 5xx status codes. An origin group is a logical grouping of two origins: a primary origin and a secondary origin. By creating an origin group, the DevOps engineer can specify which origin CloudFront should use as a fallback when the primary origin fails. The DevOps engineer can also define which HTTP status codes should trigger a failover from the primary origin to the secondary origin. By setting the original ALB as the primary origin and configuring the origin group to fail over for HTTP 5xx status codes, the DevOps engineer can ensure that CloudFront will switch to the secondary ALB when the primary ALB returns server errors2

Update the default behavior to use the origin group. A behavior is a set of rules that CloudFront applies when it receives requests for specific URLs or file types. The default behavior applies to all requests that do not match any other behaviors. By updating the default behavior to use the origin group, the DevOps engineer can enable failover routing for all requests that are sent to the distribution3

This solution will meet the requirements because it will automate the failover of the application to the secondary Region with zero-second RTO. When CloudFront receives an HTTP GET request, it will first try to route it to the primary ALB in the primary Region. If the primary ALB is healthy and returns a successful response, CloudFront will deliver it to the viewer. If the primary ALB is unhealthy or returns an HTTP 5xx status code, CloudFront will automatically route the request to the secondary ALB in the secondary Region and deliver its response to the viewer.

The other options are not correct because they either do not provide zero-second RTO or do not work as expected. Creating a second CloudFront distribution that has the secondary ALB as the default origin and creating Amazon Route 53 alias records that have a failover policy is not a good option because it will introduce additional latency and complexity to the solution. Route 53 health checks and DNS propagation can take several minutes or longer, which means that viewers might experience delays or errors when accessing the application during a failover event. Creating Amazon Route 53 alias records that have a failover policy and Evaluate Target Health set to Yes for both ALBs and setting the TTL of both records to O is not a valid option because it will not work with CloudFront distributions. Route 53 does not support health checks for alias records that point to CloudFront distributions, so it cannot detect if an ALB behind a distribution is healthy or not. Creating a CloudFront function that detects HTTP 5xx status codes and returns a 307 Temporary Redirect error response to the secondary ALB is not a valid option because it will not provide zero-second RTO. A 307 Temporary Redirect error response tells viewers to retry their requests with a different URL, which means that viewers will have to make an additional request and wait for another response from CloudFront before reaching the secondary ALB.

1: Adding, Editing, and Deleting Origins - Amazon CloudFront

2: Configuring Origin Failover - Amazon CloudFront

3: Creating or Updating a Cache Behavior - Amazon CloudFront

Container restart failures require detailed observability into pod-level, node-level, and container-level metrics and logs. CloudWatch Container Insights is purpose-built for Kubernetes operational diagnostics and provides granular visibility into CPU, memory, network I/O, disk I/O, container restarts, OOM kills, throttling, pod lifecycle issues, and Kubernetes control plane behaviors.

The CloudWatch Observability add-on deploys Fluent Bit and the CloudWatch Agent directly into the EKS cluster as DaemonSets. These components automatically collect:

Container logs

Pod metrics

Node metrics

Cluster events

OOM errors

CrashLoopBackOff restart cycles

Control plane request anomalies

With this data, the DevOps engineer can easily identify misconfigurations, resource bottlenecks, unhealthy nodes, failing containers, or image pull issues.

Option A (dashboards only) lacks per-container diagnostic data.

Option B (CloudTrail) only logs API calls — not useful for restart debugging.

Option C (CloudTrail Insights) only detects anomalous API usage, not container failures.

Therefore, CloudWatch Container Insights is the correct and AWS-recommended solution for diagnosing container restart failures in EKS.

ï‚· Create an AWS Identity and Access Management Roles Anywhere trust anchor Create an IAM role that allows CodeArtifact actions and that has a trust relationship on the trust anchor. Update the on-premises CI/CD pipeline to assume the new IAM role and to publish the packages to CodeArtifact:

Roles Anywhere allows on-premises servers to assume IAM roles, making it easier to integrate on-premises environments with AWS services.

Steps:

Create a trust anchor in IAM.

Create an IAM role with permissions for CodeArtifact actions (e.g., publishing packages).

Update the CI/CD pipeline to assume this role using the trust anchor.

ï‚· Create a new Amazon S3 bucket. Generate a presigned URL that allows the PutObject request. Update the on-premises CI/CD pipeline to use the presigned URL to publish the packages from the on-premises location to the S3 bucket. Create an AWS Lambda function that runs when packages are created in the bucket through a put command Configure the Lambda function to publish the packages to CodeArtifact:

Using an S3 bucket as an intermediary, you can easily upload packages from on-premises systems.

Steps:

Create an S3 bucket.

Generate presigned URLs to allow the CI/CD pipeline to upload packages.

Configure an AWS Lambda function to trigger on S3 PUT events and publish the packages to CodeArtifact.

Apply SCPs for Region and service restriction. Use CloudFormation StackSets to consistently deploy IAM roles with trust policies for SSO/AD integration. This model enforces governance uniformly across all accounts per AWS multi-account best practices.

ï‚· Create an Amazon EventBridge Rule Using an AWS CloudTrail Event Pattern:

AWS CloudTrail logs API calls made in your account, including actions performed by roles.

Create an EventBridge rule that matches CloudTrail events where the AssumeRole API call is made to assume the administrator role.

ï‚· Invoke an AWS Lambda Function:

Configure the EventBridge rule to trigger a Lambda function whenever the rule ' s conditions are met.

The Lambda function will handle the logic to send a notification.

ï‚· Publish a Message to an Amazon SNS Topic:

The Lambda function will publish a message to an SNS topic to notify the security team.

Subscribe the security team’s email address to this SNS topic to receive real-time notifications.

Example EventBridge rule pattern:

{

" source " : [ " aws.cloudtrail " ],

" detail-type " : [ " AWS API Call via CloudTrail " ],

" detail " : {

" eventSource " : [ " sts.amazonaws.com " ],

" eventName " : [ " AssumeRole " ],

" requestParameters " : {

" roleArn " : [ " arn:aws:iam:: < account-id > :role/AdministratorRole " ]

}

}

}

Example Lambda function (Node.js) to publish to SNS:

const AWS = require( ' aws-sdk ' );

const sns = new AWS.SNS();

exports.handler = async (event) = > {

const params = {

Message: `Administrator role assumed: ${JSON.stringify(event.detail)}`,

TopicArn: ' arn:aws:sns: < region > : < account-id > : < sns-topic > '

};

await sns.publish(params).promise();

};

The correct answer is D. Creating an AWS Config conformance pack that contains the AWS Config rules and remediation actions and deploying it from the delegated administrator account by using AWS Config will meet the requirements. A conformance pack is a collection of AWS Config rules and remediation actions that can be easily deployed as a single entity in an account and a region or across an organization in AWS Organizations1. By using the delegated administrator account, the DevOps engineer can centrally manage the conformance pack and prevent non-administrator users from modifying it in the member accounts. Option A is incorrect because creating a CloudFormation template that contains the AWS Config rules and remediation actions and deploying it from the Organizations management account by using CloudFormation StackSets will not prevent non-administrator users from modifying the AWS Config rules in the member accounts. Option B is incorrect because deploying the conformance pack from the Organizations management account by using CloudFormation StackSets will not use the trusted access feature of AWS Config and will require additional permissions and resources. Option C is incorrect because creating a CloudFormation template that contains the AWS Config rules and remediation actions and deploying it from the delegated administrator account by using AWS Config will not leverage the benefits of conformance packs, such as simplified deployment and management. References:

Conformance Packs - AWS Config

Certified DevOps Engineer - Professional (DOP-C02) Study Guide (page 176)

The following are the steps that the DevOps engineer should take to reduce the latency of the Lambda function at all times of the day:

Configure provisioned concurrency on the Lambda function.

Configure AWS Application Auto Scaling on the Lambda function with provisioned concurrency values set to a minimum of 1 and a maximum of 100.

The provisioned concurrency setting ensures that there is always a minimum number of Lambda function instances available to handle requests. The Application Auto Scaling setting will automatically scale the number of Lambda function instances up or down based on the demand for the application.

This solution will ensure that the Lambda function is able to handle the increased load during the middle of the day, while also keeping the cold-start latency low.

The following are the reasons why the other options are not correct:

Option A is incorrect because it will not reduce the cold-start latency of the Lambda function.

Option B is incorrect because it will not scale the number of Lambda function instances up or down based on demand.

Option D is incorrect because it will only configure reserved concurrency on the API Gateway API, which will not affect the Lambda function.

https://docs.aws.amazon.com/streams/latest/dev/monitoring-with-cloudwatch.html

GetRecords.IteratorAgeMilliseconds - The age of the last record in all GetRecords calls made against a Kinesis stream, measured over the specified time period. Age is the difference between the current time and when the last record of the GetRecords call was written to the stream. The Minimum and Maximum statistics can be used to track the progress of Kinesis consumer applications. A value of zero indicates that the records being read are completely caught up.

This hook runs before the new application version is installed on the replacement instances. This is the best place to run the script because it ensures that the license file is downloaded and installed before the replacement instances start to handle request traffic. If you use any other hook, you may encounter errors or inconsistencies in your application.

The core problem described is deployment inconsistency and lack of reliability caused by using AWS Systems Manager Run Command for application deployment. Run Command executes ad hoc commands and does not provide deployment orchestration, version tracking, lifecycle hooks, or health-based traffic control, which commonly leads to drift between EC2 instances.

The most reliable AWS-native solution is to adopt AWS CodePipeline combined with AWS CodeDeploy . Option B introduces a structured CI/CD pipeline with a clear build stage followed by a test stage , ensuring that only tested artifacts progress to deployment. Sequential build and test stages are preferred for reliability and deterministic behavior, especially when test results must gate deployments.

Option C is essential because AWS CodeDeploy is the service specifically designed to deploy application revisions consistently across EC2 fleets. By creating a CodeDeploy application and deployment group and integrating it with the ALB, deployments gain support for lifecycle events, health checks, instance synchronization, and automatic rollback. This ensures that all EC2 instances receive the same application version and that traffic is managed safely during deployments.

Option A introduces unnecessary parallelism that does not address the core issue. Option D adds excessive complexity with Lambda orchestration. Option E incorrectly replaces CodeArtifact with S3 without addressing deployment reliability.

Therefore, combining CodePipeline (B) with CodeDeploy and ALB integration (C) provides consistent, repeatable, and reliable deployments aligned with AWS best practices.

Action-level states in events

Action state Description

STARTED The action is currently running.

SUCCEEDED The action was completed successfully.

FAILED For Approval actions, the FAILED state means the action was either rejected by the reviewer or failed due to an incorrect action configuration.

CANCELED The action was canceled because the pipeline structure was updated.

Mutual TLS (mTLS) authentication requires two-way authentication between the client and the server. For Amazon API Gateway, you can enable mTLS for a custom domain name, which requires clients to present X.509 certificates to verify their identity to access your API. To set up mTLS, you would typically use AWS Certificate Manager (ACM) to create a private certificate authority (CA) and provision a client certificate signed by this private CA. The root CA certificate is then uploaded to an Amazon S3 bucket and configured in API Gateway as the trust store12.

Introducing mutual TLS authentication for Amazon API Gateway1.

Configuring mutual TLS authentication for a REST API2.

AWS Private Certificate Authority details3.

AWS Certificate Manager Private Certificate Authority updates4.

Amazon FSx for NetApp ONTAP provides NetApp ONTAP features in AWS, including SnapMirror replication and storage efficiencies like deduplication and compression. Create FSx for ONTAP in each Region and use SnapMirror from on-prem ONTAP to each Region for efficient, incremental replication. Regions can serve data independently of on-prem availability once replicated.

The requirement is classic attribute-based access control (ABAC) : users should only access EC2 resources whose resource tag matches the user’s department attribute coming from IAM Identity Center (mapped into a principal/session tag like aws:PrincipalTag/department).

For EC2 resource authorization using tags, the correct pattern is to compare the EC2 resource tag condition key ec2:ResourceTag/department to the principal tag ${aws:PrincipalTag/department} . That is exactly what Option C does.

Why the other options are wrong:

A only checks that the tag key exists (aws:TagKeys) and does not enforce a match between user department and instance department.

B uses aws:ResourceTag/... rather than the EC2-specific tag key typically used for EC2 authorization decisions in EC2 actions (ec2:ResourceTag/...).

D restricts access to resources tagged as d1/d2/d3 but does not ensure the user can only access their own department.

This solution will meet the requirements because it will use a CloudFormation custom resource to execute custom logic during the stack set operation. A custom resource is a resource that you define in your template and that is associated with an AWS Lambda function. The Lambda function runs whenever the custom resource is created, updated, or deleted, and can perform any actions that are supported by the AWS SDK. In this case, the Lambda function can use the GuardDuty API to check whether GuardDuty is already enabled in each target account, and if not, enable it. This way, the DevOps engineer can avoid deploying the stack set to accounts that already have GuardDuty enabled, and prevent failure during the deployment.

Enabling EKS control plane logs to CloudWatch captures API requests. CloudWatch Container Insights collects node and pod-level performance data with no additional infrastructure. AWS recommends this integrated observability solution for minimal management overhead.

https://docs.aws.amazon.com/codedeploy/latest/userguide/integrations-aws-auto-scaling.html

The company needs fast, proactive alerts for future performance issues, beyond basic EC2 metrics. Option A provides a complete, AWS-native monitoring pattern aligned with best practices:

Enable detailed monitoring on EC2 instances to increase metric resolution (from 5-minute to 1-minute intervals), improving the responsiveness of alarms.

Define custom CloudWatch metrics for application-level indicators such as request latency, error rate, queue depth, or throughput. These metrics can be published from the application or sidecar agents.

Create CloudWatch alarms on both infrastructure (CPU, network, disk) and custom application metrics with thresholds that reflect performance SLOs. Alarms can notify teams via SNS or incident management tools.

Use CloudWatch Logs Insights to analyze logs for recurring error patterns, slow requests, or exceptions when alarms fire.

Option B focuses on tracing and frontend RUM; while useful, it is more complex and not necessary just to get quick alerts. Option C uses services (CloudTrail, GuardDuty, Trusted Advisor) that are not focused on real-time performance detection. Option D with VPC Flow Logs is network-level and would not detect general application performance issues.

Thus, Option A offers a direct, efficient way to detect and alert on performance degradations quickly.

To allow developers to create IAM users without granting excessive permissions, the correct solution is to use permissions boundaries, which AWS specifically recommends for restricting delegated administrators such as developers. A permissions boundary defines the maximum permissions that an IAM user or role can delegate.

Step C ensures that each AWS account contains a PermissionBoundaries policy defining the maximum allowed permissions that any developer-created user may receive. This prevents privilege escalation, even if the developer attaches a more powerful policy. This aligns with AWS guidance for restricting privilege escalation within multi-account environments.

Step E ensures that developers can create IAM users but only if they attach the PermissionBoundaries policy as the permissions boundary. By attaching the DeveloperBoundary policy to the CreateAndManageUsers role, developers gain the ability to create users, but they are cryptographically prevented from assigning permissions outside the boundary policy.

Meanwhile, the DevOps team (who are not restricted by the boundary) can still create IAM users with full permissions.

This combination satisfies all constraints:

DevOps team: unrestricted IAM creation

Developers: restricted IAM creation enforced by boundaries

Other users: still blocked from IAM creation by existing SCP

AWS CodeDeploy natively supports automatic rollback based on CloudWatch alarms . To use this capability, you define an alarm that indicates unhealthy behavior (for example, increasing application error rate) and attach that alarm to the deployment group in CodeDeploy. If the alarm goes into ALARM state during or after a deployment, CodeDeploy automatically rolls back to the last known good revision when auto rollback is enabled.

Option A correctly implements this pattern:

Derive a CloudWatch metric from application logs (e.g., count of error-level log entries or HTTP 5xx responses).

Create a CloudWatch alarm on that metric with appropriate thresholds.

Configure the deployment group to use the alarm as part of its alarm configuration and enable auto rollback .

Option B uses CodeDeploy agent logs, which may not directly reflect true application health and couples rollback logic tightly to deployment internals rather than application behavior. Options C and D implement custom rollback logic with Lambda and EventBridge, which re-create behavior that CodeDeploy already provides natively and add unnecessary operational and code complexity.

Therefore, Option A is the simplest and most aligned with built-in CodeDeploy features for automated rollback based on application errors.

This solution will meet the requirements because it will use Amazon Inspector to scan the EC2 instances for any new vulnerabilities and generate findings that can be viewed in the Inspector console or sent as notifications via Amazon Simple Notification Service (SNS). It will also use the Amazon CloudWatch Agent to collect and send system logs from the EC2 instances to Amazon CloudWatch Logs, where they can be stored, searched, and analyzed. The system logs can provide an audit trail of all login activities on the instances, as well as other useful information such as performance metrics, errors, and events.

https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html

The root cause of the problem is that the RDS PostgreSQL instance is exceeding its database connection limit due to high volumes of concurrent GET requests. The most efficient and lowest-effort remediation is to reduce the number of connections that reach the database and serve as many reads as possible from a cache layer. Option B accomplishes both goals with minimal changes to the existing architecture.

First, RDS Proxy manages database connections efficiently by pooling and reusing them. This reduces connection churn and prevents the Lambda function from opening excessive concurrent connections during traffic spikes. RDS Proxy is natively integrated with RDS and requires only minor configuration changes without altering application logic.

Second, enabling API Gateway caching allows caching GET responses directly at the API layer. Because over 90% of requests are GET operations, enabling caching drastically reduces traffic hitting both Lambda and RDS, significantly improving performance and lowering connection pressure.

Option C also improves read scaling, but adding ElastiCache introduces additional infrastructure and requires modifying application code to query Redis before querying the database. This is more complex than enabling API Gateway caching. Options A and D require full database migration, which is far more labor-intensive.

Option B is the simplest, most effective, and most aligned with AWS best practices for reducing RDS connection saturation.

Option A is the most cost-effective solution. By configuring a warm pool of EC2 instances in the Stopped state, the company can reduce the time it takes for new instances to be ready to serve requests. When the Auto Scaling group launches a new instance, it can attach the stopped EC2 instance from the warm pool. The instance can then be started up immediately, rather than having to wait for the data to be downloaded and processed. This reduces the overall startup time for the application.

" AWS CodeArtifact operates in multiple Availability Zones and stores artifact data and metadata in Amazon S3 and Amazon DynamoDB. Your encrypted data is redundantly stored across multiple facilities and multiple devices in each facility, making it highly available and highly durable. " https://aws.amazon.com/codeartifact/features/ With no internet connectivity, a gateway endpoint becomes necessary to access S3.

 For deploying a Ruby-based application with requirements for interaction with an Amazon RDS for MySQL database, automatic scaling, high availability, and data persistence, the following steps will meet the requirements:

B. Deploy the application on AWS Elastic Beanstalk. Deploy a separate Amazon RDS for MySQL DB instance outside of Elastic Beanstalk. This approach ensures that the database persists independently of the Elastic Beanstalk environment, which can be torn down and recreated without affecting the database123.

E. Use the immutable deployment method to deploy new application versions. Immutable deployments provide a zero-downtime deployment method that ensures that if any part of the deployment process fails, the environment is rolled back to the original state automatically4.

D. Configure an Amazon EventBridge rule to monitor AWS Health events. Use an Amazon Simple Notification Service (Amazon SNS) topic as a target to alert the application team. This setup allows for automated monitoring and alerting of the application team in case of deployment failures or other health events56.

AWS Elastic Beanstalk documentation on deploying Ruby applications1.

AWS documentation on application auto-scaling7.

AWS documentation on automated deployment strategies with automatic rollbacks and alerts456.

https://docs.aws.amazon.com/inspector/latest/user/scanning-ec2.html

ECS container instances must have an IAM role that trusts ECS (the ecs-tasks.amazonaws.com principal) to assume permissions for CloudWatch logging. Without this trust relationship, ECS cannot push logs even if the permissions are present.

The correct answer is B. Creating a new AWS CodeBuild project and configuring a test stage in the AWS CodePipeline pipeline that uses the new CodeBuild project is the best way to integrate the unit tests into the existing pipeline. Creating a CodeBuild report group and uploading the test reports to the new CodeBuild report group will produce reports about the unit tests for the company to view. Using JUNITXML as the output format for the unit tests is supported by CodeBuild and will generate a valid report.

Option A is incorrect because Amazon CodeGuru Reviewer is a service that provides automated code reviews and recommendations for improving code quality and performance. It is not a tool for running unit tests or producing test reports. Therefore, option A will not meet the requirements.

Option C is incorrect because AWS CodeArtifact is a service that provides secure, scalable, and cost-effective artifact management for software development. It is not a tool for running unit tests or producing test reports. Moreover, option C uses CUCUMBERJSON as the output format for the unit tests, which is not supported by CodeBuild and will not generate a valid report.

Option D is incorrect because uploading the test reports to an Amazon S3 bucket is not the best way to produce reports about the unit tests for the company to view. CodeBuild has a built-in feature to create and manage test reports, which is more convenient and efficient than using S3. Furthermore, option D uses HTML as the output format for the unit tests, which is not supported by CodeBuild and will not generate a valid report.

https://docs.aws.amazon.com/codedeploy/latest/userguide/reference-appspec-file-structure-hooks.html#appspec-hooks-lambda

https://aws.amazon.com/quickstart/architecture/blue-green-deployment/

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html

The question emphasizes “MOST securely” and involves a multi-account backup strategy with a centralized backup account. AWS Backup best practice for high-security environments is to use customer managed KMS keys for encrypting backup vaults rather than AWS managed keys. Customer managed keys provide tighter control over key lifecycle, key policies, and cross-account access.

Option A creates encrypted backup vaults in both the source and centralized accounts, each protected by a customer managed KMS key in that account. AWS Backup is then configured to create full EC2 backups (AMIs) and copy them to the centralized backup vault. This design ensures:

Encryption at rest in both accounts.

Independent key control and policies per account.

Secure cross-account backup copy behavior governed by explicit KMS key grants and vault access policies.

Option B incorrectly uses the source account’s KMS key to encrypt vaults in both accounts, which is not the recommended pattern; each account should manage its own CMK. Options C and D rely partially or fully on AWS managed keys, which are less appropriate when the requirement explicitly stresses maximum security and control.

Therefore, Option A best satisfies both the RPO/RTO goals (daily AMI backups with rapid restore) and the strongest encryption posture.

This failure is typically due to incorrectly configured health checks in Elastic Load Balancing for the Classic Load Balancer, Application Load Balancer, or Network Load Balancer used to manage traffic for the deployment group. To resolve the issue, review and correct any errors in the health check configuration for the load balancer. https://docs.aws.amazon.com/codedeploy/latest/userguide/troubleshooting-deployments.html#troubleshooting-deployments-allowtraffic-no-logs

To invoke many Lambda functions in parallel and allow each function to have independent retry logic and concurrency management, using SQS queues for each Lambda function is recommended.

The BeginResponse Lambda publishes a message to an SNS topic, which fans out to multiple SQS queues (one per Lambda).

Each Lambda function polls its own SQS queue, allowing fine-grained control of concurrency and retry behavior.

SNS alone (Option A) invokes Lambda functions but lacks the queue’s buffering and retry durability.

Step Functions (Option D) would invoke Lambdas sequentially, not in parallel, and add complexity.

Option C reverses SNS and SQS in an inefficient manner.

A. The CloudFormation template should be modified to include a parameter that indicates the location of the .zip file containing the Lambda function ' s code. This allows the CloudFormation deploy action to use the correct artifact depending on the region. This is critical because Lambda functions need to reference their code artifacts from the same region they are being deployed in. B. You would also need to create a new CloudFormation deploy action for the us-east-1 Region within the pipeline. This action should be configured to use the CloudFormation template from the artifact that was specifically created for us-east-1.

The correct answer is D. The scenario requires a solution that can migrate an application from on premises to AWS, run on specific versions of Apache Tomcat, HAProxy, and Varnish Cache, tune the operating system-level parameters, automate the deployment of new application versions, and scale and replace faulty servers automatically. Option D meets all these requirements by using AWS CodeCommit, AWS CodeDeploy, AWS CodePipeline, and Amazon EC2 Auto Scaling. AWS CodeCommit is a fully managed source control service that hosts Git repositories and works with Git-based tools. AWS CodeDeploy is a fully managed deployment service that automates software deployments to a variety of compute services, including Amazon EC2, AWS Fargate, AWS Lambda, and on-premises servers. AWS CodePipeline is a fully managed continuous delivery service that helps automate the release pipelines for fast and reliable application updates. Amazon EC2 Auto Scaling helps maintain application availability and allows scaling of Amazon EC2 capacity up or down automatically according to the defined conditions. By using these services together, the DevOps engineer can migrate the application code to AWS, configure and install the necessary software using the appspec.yml file, automate the deployment process using the pipeline, and scale and replace the servers using the Auto Scaling group.

Option A is incorrect because AWS Fargate is a serverless compute engine for containers that works with Amazon ECS and Amazon EKS. Fargate removes the need to provision and manage servers, but it also limits the ability to tune the operating system-level parameters, which is a requirement in the scenario. Moreover, Fargate does not support HAProxy and Varnish Cache as sidecar containers, which are needed to run the application properly.

Option B is incorrect because AWS Elastic Beanstalk is a fully managed service that automates the deployment and scaling of web applications and services using familiar servers such as Apache, Nginx, Passenger, and IIS. However, Elastic Beanstalk does not support HAProxy and Varnish Cache as part of the Tomcat solution stack, which are needed to run the application properly. Moreover, Elastic Beanstalk web server tier environments are designed to serve HTTP requests, not to process background tasks, which is the purpose of worker tier environments.

Option C is incorrect because AWS Elastic Beanstalk worker tier environments are designed to process background tasks using a daemon process that runs on each Amazon EC2 instance in the environment. Worker tier environments are not suitable for running web applications that serve HTTP requests, which is the case in the scenario. Moreover, Elastic Beanstalk does not support HAProxy and Varnish Cache as part of the Tomcat solution stack, which are needed to run the application properly.

AWS CodeCommit

AWS CodeDeploy

AWS CodePipeline

Amazon EC2 Auto Scaling

AWS Fargate

AWS Elastic Beanstalk

To meet the requirements, the DevOps engineer needs to configure the CloudWatch alarm to stop the EC2 instances when the average of the NetworkPacketsIn metric is less than 5 for at least 3 hours in a 12-hour time window. This means that the alarm should trigger when 3 out of 12 datapoints are below the threshold of 5. The alarm should also treat missing data as not breaching the threshold, so that the EC2 instances continue to run if there is no data for the metric during the evaluation period. The DevOps engineer can add an EC2 action to stop the instance when the alarm enters the ALARM state, which is a built-in action type for CloudWatch alarms.

Option A is incorrect because setting the deployment configuration to LambdaAllAtOnce means that the new version of the application will be deployed to all Lambda functions at once, affecting all customers. This does not meet the requirement of affecting the fewest customers possible. Moreover, configuring automatic rollbacks on the deployment group is not operationally efficient, as it requires manual intervention to fix the errors and redeploy the application.

Option B is correct because setting the deployment configuration to LambdaCanary10Percent10Minutes means that the new version of the application will be deployed to 10 percent of the Lambda functions first, and then to the remaining 90 percent after 10 minutes. This minimizes the impact of errors on customers, as only 10 percent of them will be affected by a faulty deployment. Configuring automatic rollbacks on the deployment group also meets the requirement of reverting to the most recent stable version of the application when an error is detected. Creating a CloudWatch alarm that detects HTTP Bad Gateway errors on API Gateway is a valid way to monitor the health of the application and trigger a rollback if needed.

Option C is incorrect because setting the deployment configuration to LambdaAllAtOnce means that the new version of the application will be deployed to all Lambda functions at once, affecting all customers. This does not meet the requirement of affecting the fewest customers possible. Moreover, configuring manual rollbacks on the deployment group is not operationally efficient, as it requires human intervention to stop the current deployment and start a new one. Creating an SNS topic to send notifications every time a deployment fails is not sufficient to detect errors in the application, as it does not monitor the API Gateway responses.

Option D is incorrect because configuring manual rollbacks on the deployment group is not operationally efficient, as it requires human intervention to stop the current deployment and start a new one. Creating a metric filter on a CloudWatch log group for API Gateway to monitor HTTP Bad Gateway errors is a valid way to monitor the health of the application, but invoking a new Lambda function to perform a rollback is unnecessary and complex, as CodeDeploy already provides automatic rollback functionality.

Comprehensive and Detailed Explanation From Exact Extract of DevOps Engineer documents only:

The requirement is to log and analyze Kubernetes control plane activity, including API requests, and to monitor container performance on the worker nodes with the least operational overhead.

Option B is correct because:

Amazon EKS control plane logging can send control plane logs, including API server logs, to Amazon CloudWatch.

CloudWatch Container Insights provides monitoring and performance visibility for containers, pods, nodes, and clusters.

CloudWatch Logs Insights can be used to query and analyze both control plane and node-related logs.

This is the most managed and lowest-overhead solution among the options.

Why the other options are incorrect:

A. CloudTrail is not the primary solution for Kubernetes control plane logs such as API server logs, and deploying Logstash increases operational overhead significantly.

C. Sending logs to Amazon S3 and analyzing them with Athena and QuickSight is more operationally complex and less direct than using native CloudWatch integrations.

D. AWS Distro for OpenTelemetry with Firehose and Redshift adds substantial complexity and operational overhead compared to native EKS and CloudWatch capabilities.

Having separate CodeArtifact repositories in dev and prod accounts provides clear isolation and control.

Repository policies can restrict dev repo access to developers.

EventBridge triggers pipelines to test and promote packages only if tests pass, ensuring safe deployment to production.

Using S3 (C and D) is not ideal for package management.

A single repo (A) complicates access and version control across accounts.

In the source AWS account, the IAM role used by the CI/CD pipeline should have permissions to access the source code repository, build artifacts, and any other resources required for the build process. In the destination AWS accounts, the IAM role used for deployment should have permissions to access the AWS resources required for deploying the application, such as EC2 instances, RDS databases, S3 buckets, etc. The exact permissions required will depend on the specific resources being used by the application. the IAM role used for deployment in the destination accounts should also have permissions to assume the IAM role for deployment in the centralized DevOps account. This is typically done using an IAM role trust policy that allows the destination account to assume the DevOps account role.

https://docs.aws.amazon.com/health/latest/ug/cloudwatch-events-health.html

To implement a more reliable deployment solution, a DevOps engineer should take the following actions:

Create a pipeline in AWS CodePipeline that uses the CodeCommit repository as a source provider. Configure pipeline stages that run the CodeBuild project in parallel to build and test the application. In the pipeline, pass the CodeBuild project output artifact to an AWS CodeDeploy action. This action will improve the deployment reliability by automating the entire process from code commit to deployment, reducing human errors and inconsistencies. By running the build and test stages in parallel, the pipeline can also speed up the delivery time and provide faster feedback. By using CodeDeploy as the deployment action, the pipeline can leverage the features of CodeDeploy, such as traffic shifting, health checks, rollback, and deployment configuration123

Create an AWS CodeDeploy application and a deployment group to deploy the packaged code to the EC2 instances. Configure the ALB for the deployment group. This action will improve the deployment reliability by using CodeDeploy to orchestrate the deployment across multiple EC2 instances behind an ALB. CodeDeploy can perform blue/green deployments or in-place deployments with traffic shifting, which can minimize downtime and reduce risks. CodeDeploy can also monitor the health of the instances during and after the deployment, and automatically roll back if any issues are detected. By configuring the ALB for the deployment group, CodeDeploy can register and deregister instances from the load balancer as needed, ensuring that only healthy instances receive traffic45

The other options are not correct because they do not improve the deployment reliability or follow best practices. Creating separate pipeline stages that run a CodeBuild project to build and then test the application is not a good option because it will increase the pipeline execution time and delay the feedback loop. Creating individual Lambda functions that use CodeDeploy instead of Systems Manager to run build, test, and deploy actions is not a valid option because it will add unnecessary complexity and cost to the solution. Lambda functions are not designed for long-running tasks such as building or deploying applications. Creating an Amazon S3 bucket and modifying the CodeBuild project to store the packages in the S3 bucket instead of in CodeArtifact is not a necessary option because it will not affect the deployment reliability. CodeArtifact is a secure, scalable, and cost-effective package management service that can store and share software packages for application development67

1: What is AWS CodePipeline? - AWS CodePipeline

2: Create a pipeline in AWS CodePipeline - AWS CodePipeline

3: Deploy an application with AWS CodeDeploy - AWS CodePipeline

4: What is AWS CodeDeploy? - AWS CodeDeploy

5: Configure an Application Load Balancer for your blue/green deployments - AWS CodeDeploy

6: What is AWS Lambda? - AWS Lambda

7: What is AWS CodeArtifact? - AWS CodeArtifact

AWS Config offers a managed rule called CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK to detect stack drift automatically.

Creating an SNS topic and subscribing the DevOps lead enables simple notification without custom Lambda functions.

An EventBridge rule that triggers on NON_COMPLIANT status (when drift is detected) can send alerts directly to SNS. Option B adds complexity by requiring custom rules and Lambda. Option C incorrectly triggers on COMPLIANT, not NON_COMPLIANT. Option D needs a Lambda for email, while SNS can send email directly. Hence, Option A offers the least operational effort.

A: If the ApproximateAgeOfOldestMessages indicate that orders are remaining in the SQS queue for longer than expected, the reserved concurrency limit may be set too small to keep up with the number of orders entering the queue and is being throttled. D: The DynamoDB table is using Auto Scaling. With Auto Scaling, you create a scaling policy that specifies whether you want to scale read capacity or write capacity (or both), and the minimum and maximum provisioned capacity unit settings for the table. The ThottledWriteRequests metric will indicate if there is a throttling issue on the DynamoDB table, which can be resolved by increasing the maximum write capacity units for the table ' s Auto Scaling policy. https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/AutoScaling.html

Use custom constructs to encapsulate reusable patterns and deploy separate stacks per microservice for better isolation and environment-specific params. Apply tags programmatically at the app/stack/construct scope with Tags so all resources inherit them. This is the recommended CDK pattern to minimize duplication and maximize reusability.

Option A directly matches all requirements with the least extra infrastructure:

State Manager is the Systems Manager capability for defining and maintaining a desired configuration by running associations on a schedule (for example, hourly). That satisfies the “run periodically” requirement in a managed way across a large fleet.

The AWS-ApplyChefRecipes Systems Manager document is specifically intended to run Chef recipes/cookbooks on managed instances without requiring you to run your own Chef server infrastructure . You can point it at a cookbook source (such as an artifact/repo location) and have Systems Manager handle execution on the instances.

Why the other options aren’t correct:

B is not the right mechanism for periodic Chef cookbook execution. Installing an application package and running a “repair action” via Run Command is not the purpose-built Chef cookbook runner, and it’s more brittle/DIY than State Manager associations.

C ( AWS-RefreshAssociation ) is used to refresh/reevaluate association metadata/targets; it does not itself execute Chef cookbooks as the compliance mechanism.

D is for OS patching compliance (Patch Manager/patch policies), not for applying Chef cookbooks that detect and remediate configuration drift.

Verified Answer: A, C, and E.

Short Explanation: To improve the performance of the application, the DevOps engineer should use Amazon RDS Proxy, implement the database connection opening outside the Lambda event handler code, and connect to the proxy endpoint from the Lambda function.

Amazon RDS Proxy is a fully managed, highly available database proxy for Amazon Relational Database Service (RDS) that makes applications more scalable, more resilient to database failures, and more secure1. By using Amazon RDS Proxy, the DevOps engineer can reduce the overhead of opening and closing connections to the database, which can improve latency and throughput2.

The DevOps engineer should connect the proxy to the Aurora cluster reader endpoint, which allows read-only connections to one of the Aurora Replicas in the DB cluster3. This can help balance the load across multiple read replicas and improve performance for read-intensive workloads4.

The DevOps engineer should implement the database connection opening outside the Lambda event handler code, which means using a global variable to store the database connection object5. This can enable connection reuse across multiple invocations of the Lambda function, which can reduce latency and improve performance.

The DevOps engineer should connect to the proxy endpoint from the Lambda function, which is a unique URL that represents the proxy. This can allow the Lambda function to access the database through the proxy, which can provide benefits such as connection pooling, load balancing, failover handling, and enhanced security.

The other options are incorrect because:

Implementing database connection pooling inside the Lambda code is unnecessary and redundant when using Amazon RDS Proxy, which already provides connection pooling as a service.

Implementing the database connection opening and closing inside the Lambda event handler code is inefficient and costly, as it can increase latency and consume more resources for each invocation of the Lambda function.

Connecting to the Aurora cluster endpoint from the Lambda function is not optimal for read-only queries, as it can direct traffic to either the primary instance or one of the Aurora Replicas in the DB cluster. This can result in inconsistent performance and potential conflicts with write operations on the primary instance.

Create an Amazon EventBridge (Amazon CloudWatch Events) rule that matches an AWS Config evaluation result of NON_COMPLIANT for the restricted-ssh rule. Configure an input transformer for the EventBridge (CloudWatch Events) rule. Configure the EventBridge (CloudWatch Events) rule to publish a notification to the SNS topic. This approach uses Amazon EventBridge (previously known as Amazon CloudWatch Events) to filter AWS Config evaluation results based on the restricted-ssh rule and its compliance status (NON_COMPLIANT). An input transformer can be used to customize the information contained in the notification, such as the name and ID of the noncompliant security group. The EventBridge (CloudWatch Events) rule can then be configured to publish a notification to the SNS topic, which will notify the appropriate personnel in real-time.

To restore the functionality of the Auto Scaling group after the AMI was deleted, the DevOps engineer needs to create a new AMI and update the Auto Scaling group to use it. The DevOps engineer can create a new AMI by copying the most recent public AMI of the operating system that the EC2 instances use. This will ensure that the new AMI has the same operating system as the custom AMI that was deleted. The DevOps engineer can then create a new launch template that uses the new AMI and update the Auto Scaling group to use the new launch template. This will allow the Auto Scaling group to launch new instances with the new AMI.

These are the possible causes for the AccessDenied error because they affect the permissions to access the S3 object from the EC2 instance. An S3 bucket policy is a resource-based policy that defines who can access the bucket and its objects, and what actions they can perform. An IAM role is an identity that can be assumed by an EC2 instance to grant it permissions to access AWS services and resources. If there is an error in the S3 bucket policy or the IAM role configuration, such as a missing or incorrect statement, condition, or principal, then the EC2 instance may not have the necessary permissions to download the object from the S3 bucket .

https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

https://aws.amazon.com/premiumsupport/knowledge-center/cloudformation-s3-custom-resources/

Amazon S3 can generate server access logs that record detailed information about each request, including requester, bucket, key, operation, time, and status. These logs are written as objects to an S3 bucket. To analyze access patterns, the simplest and most serverless approach is to use Amazon Athena directly on those logs without building ingestion pipelines or databases.

Option B enables S3 server access logging and then creates an Athena external table over the log bucket. AWS provides standard log formats and even example schemas for S3 access logs. The analytics team can run ad hoc SQL queries to count the number of accesses per object per time period, filter by user, and perform aggregations, all without provisioning compute or managing databases.

Option A requires ingesting logs into Aurora, which adds ETL complexity and ongoing database management. Option C requires a Lambda function for every access event plus DB writes, which is more complex and potentially expensive at scale. Option D uses CloudWatch Logs and Managed Flink, which is more suited for streaming analytics and is significantly more complex than necessary for monthly summary reports.

Therefore, Option B provides the required analysis with the least development and operational effort.

AWS CDK recommends using Level 3 (L3) custom constructs to encapsulate reusable multi-resource infrastructure patterns (networking, compute, DB). Then, define a single set of environment-aware stacks that accept environment parameters for deployment. This ensures consistency with minimal code duplication, per AWS CDK best practices and design patterns whitepaper.

Update the buildspec.yml file to log in to the ECR repository by using the aws ecr get-login-password AWS CLI command to obtain an authentica-tion token. Update the docker login command to use the authentication token to access the ECR repository.

This is the correct solution. The aws ecr get-login-password AWS CLI command retrieves and displays an authentication token that can be used to log in to an ECR repository. The docker login command can use this token as a password to authenticate with the ECR repository. This way, the CodeBuild project can push and pull images from the ECR repository without any errors. For more information, see Using Amazon ECR with the AWS CLI and get-login-password.

Running unit tests in the build phase and aborting on failure (OnFailure=ABORT) prevents deployment if tests fail.

AWS CDK assertions module provides programmatic unit tests against synthesized templates (Option D).

The --rollback flag relates to CloudFormation stack rollback, not test gating.

The --require-approval flag controls manual approvals, not test outcomes.

cdk diff checks for changes but is not a unit test and may not catch logical errors.

The current design colocates the web tier, database, and cache on the same EC2 instances. This causes resource contention and makes it difficult to scale each layer independently. The correct solution is to separate these concerns into independently scalable managed services.

Option D uses an Application Load Balancer (ALB) in front of an Auto Scaling group for the web application. ALB is designed for HTTP/HTTPS traffic, supports path-based and host-based routing, and can spread load evenly across multiple instances and Availability Zones, eliminating the issue where one instance is overloaded.

The database is migrated to Amazon Aurora with Multi-AZ , which provides high availability, automated failover, and managed backups. Aurora offloads database management and ensures consistent performance.

For caching, Option D introduces Amazon ElastiCache for Redis , a managed in-memory cache that is purpose-built for low-latency reads, independent scaling, and high availability through replication and clustering.

Option A and C misuse NLB for HTTP traffic or for Redis exposure and introduce unnecessary complexity. Option B keeps Redis on EC2 (via NLB + ASG in a single AZ), which reduces availability and does not leverage managed caching.

Thus, Option D best separates tiers and improves performance and availability.

https://docs.aws.amazon.com/cli/latest/reference/cloudformation/continue-update-rollback.html For a specified stack that is in the UPDATE_ROLLBACK_FAILED state, continues rolling it back to the UPDATE_ROLLBACK_COMPLETE state. Depending on the cause of the failure, you can manually fix the error and continue the rollback. By continuing the rollback, you can return your stack to a working state (the UPDATE_ROLLBACK_COMPLETE state), and then try to update the stack again.

A bucket policy is a resource-based policy that defines who can access a specific S3 bucket and what actions they can perform on it. By removing unauthenticated access from the bucket policy, you can prevent anyone without valid credentials from accessing the bucket. A service role is an IAM role that allows an AWS service, such as CodeBuild, to perform actions on your behalf. By modifying the service role for the CodeBuild project to include Amazon S3 access, you can grant the project permission to read and write objects in the S3 bucket. The AWS CLI is a command-line tool that allows you to interact with AWS services, such as S3, using commands in your terminal. By using the AWS CLI to download the database population script, you can leverage the service role credentials and encryption to secure the data transfer.

For more information, you can refer to these web pages:

[Using bucket policies and user policies - Amazon Simple Storage Service]

[Create a service role for CodeBuild - AWS CodeBuild]

[AWS Command Line Interface]

The best solution to log and review all stopped tasks for errors is to use Amazon EventBridge and Amazon CloudWatch Logs. Amazon EventBridge allows the DevOps engineer to create a rule that matches task state change events from Amazon ECS. The rule can then send the event data to Amazon CloudWatch Logs as the target. Amazon CloudWatch Logs can store and monitor the log data, and also provide CloudWatch Logs Insights, a feature that enables the DevOps engineer to interactively search and analyze the log data. Using CloudWatch Logs Insights, the DevOps engineer can filter and aggregate the log data based on various fields, such as cluster, task, container, and reason. This way, the DevOps engineer can easily identify and investigate the stopped tasks and their errors.

The other options are not as effective or efficient as the solution in option A. Option B is not suitable because the embedded metric format is designed for custom metrics, not for logging task state changes. Option C is not feasible because the EC2 instances do not store the task state change events in their logs. Option D is not relevant because the EC2_INSTANCE_TERMINATING lifecycle hook is triggered when an EC2 instance is terminated by the Auto Scaling group, not when a task is stopped by Amazon ECS.

Creating a CloudWatch Events Rule That Triggers on an Event - Amazon Elastic Container Service

Sending and Receiving Events Between AWS Accounts - Amazon EventBridge

Working with Log Data - Amazon CloudWatch Logs

Analyzing Log Data with CloudWatch Logs Insights - Amazon CloudWatch Logs

Embedded Metric Format - Amazon CloudWatch

Amazon EC2 Auto Scaling Lifecycle Hooks - Amazon EC2 Auto Scaling

AWS X-Ray provides distributed tracing, which allows visualization of latencies and errors within microservices, pinpointing bottlenecks or delays.

Instrumenting application code with the X-Ray SDK and running the X-Ray daemon as a DaemonSet in EKS ensures tracing data is collected cluster-wide.

Container Insights (Option B) provides resource-level metrics but not detailed request tracing.

CloudWatch alarms and alerts (Option C) detect symptoms but don ' t provide root cause tracing.

Increasing timeouts (Option D) only masks the issue and does not diagnose it.

A (S3 RTC) is required to meet the “replicated within 15 minutes” requirement in a verifiable way. Replication Time Control is the S3 feature that provides a 15-minute replication time SLA for replicated objects (instead of “best effort” replication timing).

B (S3 Multi-Region Access Point, active-passive) provides the most operationally efficient failover approach. An MRAP gives you a single global access point for S3 across Regions and supports controlled routing to the chosen bucket, avoiding custom DNS logic per application/client.

C (SubmitMultiRegionAccessPointRoutes) is the mechanism to perform failover for an MRAP by changing which Regional bucket is routed for the Multi-Region Access Point. This gives an explicit, API-driven “fail over now” action aligned with active-passive routing.

Why the others aren’t part of the “most operationally efficient” three:

D (Transfer Acceleration) optimizes upload/download performance over long distances , but it does not guarantee cross-Region replication within 15 minutes and doesn’t provide failover control.

E and F (Route 53 ARC) : ARC is great for controlling failover for endpoints behind routing controls, but for S3 bucket access the more direct and operationally simple approach is S3 Multi-Region Access Points with route updates via the S3 API. Using ARC here adds extra components/process compared to MRAP-native routing control.

The requirement is to prevent any product files containing unannounced product IDs (prefixed with a specific UUID) from being stored in the production S3 bucket that users can access.

To achieve this, a best practice is to use a staging bucket as a control point before files go to production, combined with Amazon Macie’s data classification capabilities.

Creating a custom data identifier in Amazon Macie allows precise detection of product IDs starting with the specific UUID, which default managed identifiers will not detect.

By running a Macie sensitive data discovery job on the staging bucket, you can identify files containing these sensitive product IDs.

Only files without findings (i.e., files that do not contain unannounced product IDs) are copied to the production bucket, ensuring no sensitive information is exposed. This approach aligns with AWS best practices for data classification and staged deployment workflows, maximizing control and reducing risk. Using Macie on the production bucket directly (options B and D) risks exposing sensitive data before detection and deletion. Option C uses managed data identifiers, which will likely not detect the custom UUID prefix pattern.

Reference from AWS Official Documentation and Study Guide:

Amazon Macie Custom Data Identifiers: " You can create custom data identifiers in Amazon Macie to find sensitive data that is unique to your organization. " (Amazon Macie User Guide)

Data Security Best Practices: " Use staging environments to inspect and sanitize data before moving it to production to reduce exposure risks. " (AWS Security Best Practices)

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html?icmpid=docs_orgs_console

SCPs (Service Control Policies) are the best way to restrict permissions at the organizational level, which in this case would be used to restrict modifications to the IAM role used by the auditing application, while still allowing trusted administrators to make changes to it. Options C and D are not as effective because IAM permission boundaries are applied to IAM entities (users, groups, and roles), not the account itself, and must be applied to all IAM entities in the account.

Option A is incorrect because EventBridge rules cannot filter events based on the message body or attributes of the target service. Therefore, configuring an SNS subscription filter policy to match the CloudFormation stack will not work. The SNS topic will receive all events from the EventBridge rule, regardless of the stack name or drift status.

Option B is incorrect because it introduces unnecessary complexity and cost. Creating a second Lambda function to query the CloudFormation API for the drift detection results is redundant, since CloudFormation already publishes drift detection events to EventBridge. Moreover, invoking two Lambda functions every hour will incur more charges than invoking one.

Option C is incorrect because GuardDuty does not provide drift detection for CloudFormation stacks. GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior in AWS accounts and workloads. It does not monitor or report on configuration changes or drifts in CloudFormation stacks.

Option D is correct because it leverages AWS Config and its managed rule for drift detection. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It can detect configuration changes and drifts in CloudFormation stacks using the cloudformation-stack-drift-detection-check managed rule. This rule triggers an AWS Config event when a stack drifts from its expected template configuration. By creating a second EventBridge rule that reacts to this event for the specific stack, the DevOps engineer can configure the SNS topic as a target and receive a notification as soon as possible when drift is detected.

You need to understand how SCP inheritance works in AWS. The way it works for Deny policies is different that allow policies.

Allow polices are passing down to children ONLY if they don ' t have an allow policy.

Deny policies always pass down to children.

That ' s why there is always an SCP set to the Root to allow everything by default. If you limit this policy, the whole organization will be limited, not matter what other policies are saying for the other OUs. So it ' s not A. It ' s not D because it restricts the wrong OU.

This solution meets the requirements in the most operationally efficient manner by automating the application restart process on the instances without restarting them. When the CloudWatch alarm enters the ALARM state, the EventBridge rule is triggered, which in turn invokes the Systems Manager Automation runbook that contains the script to restart the application on the instances.

https://docs.aws.amazon.com/config/latest/developerguide/ec2-ebs-encryption-by-default.html

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SubscriptionFilters.html#LambdaFunctionExample

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SubscriptionFilters.html

The most operationally efficient solution is to use AWS Systems Manager Parameter Store1 to store the AMI ID and reference it in the launch template2. This way, the launch template does not need to be updated every time a new AMI is created by Image Builder. Instead, the Image Builder pipeline can update the Parameter Store value with the newest AMI ID3, and the Auto Scaling group can launch instances using the latest value from Parameter Store.

The other solutions require updating the launch template or creating a new version of it every time a new AMI is created, which adds complexity and overhead. Additionally, using EventBridge rules and Lambda functions or Run Command documents introduces additional dependencies and potential points of failure.

 1: AWS Systems Manager Parameter Store 2: Using AWS Systems Manager parameters instead of AMI IDs in launch templates 3: Update an SSM parameter with Image Builder

The correct answer is A.

Option A is correct because it meets the requirements with the most operational efficiency. Updating the ecommerce application to emit a JSON object to a CloudWatch log group for each processed transaction is a simple and cost-effective way to collect the data needed for the dashboard. Using CloudWatch Logs Insights to query the log group and to visualize the results in a pie chart format is also a convenient and integrated solution that leverages the existing CloudWatch dashboards. Attaching the results to the desired CloudWatch dashboard is straightforward and does not require any additional steps or services.

Option B is incorrect because it introduces unnecessary complexity and cost. Updating the ecommerce application to emit a JSON object to an Amazon S3 bucket for each processed transaction is a valid way to store the data, but it requires creating and managing an S3 bucket and its permissions. Using Amazon Athena to query the S3 bucket and to visualize the results in a pie chart format is also a valid way to analyze the data, but it incurs charges based on the amount of data scanned by each query. Exporting the results from Athena and attaching them to the desired CloudWatch dashboard is also an extra step that adds more overhead and latency.

Option C is incorrect because it uses AWS X-Ray for an inappropriate purpose. Updating the ecommerce application to use AWS X-Ray for instrumentation is a good practice for monitoring and tracing distributed applications, but it is not designed for aggregating product transaction details. Creating a new X-Ray subsegment and adding an annotation for each processed transaction is possible, but it would clutter the X-Ray service map and make it harder to debug performance issues. Using X-Ray traces to query the data and to visualize the results in a pie chart format is also possible, but it would require custom code and logic that are not supported by X-Ray natively. Attaching the results to the desired CloudWatch dashboard is also not supported by X-Ray directly, and would require additional steps or services.

Option D is incorrect because it introduces unnecessary complexity and cost. Updating the ecommerce application to emit a JSON object to a CloudWatch log group for each processed transaction is a simple and cost-effective way to collect the data needed for the dashboard, as in option A. However, creating an AWS Lambda function to aggregate and write the results to Amazon DynamoDB is redundant, as CloudWatch Logs Insights can already perform aggregation queries on log data. Creating a Lambda subscription filter for the log file is also redundant, as CloudWatch Logs Insights can already access log data directly. Attaching the results to the desired CloudWatch dashboard would also require additional steps or services, as DynamoDB does not support native integration with CloudWatch dashboards.

S3 cross-Region replication (CRR) automatically replicates data between buckets across different AWS Regions. To enable CRR, you need to add a replication configuration to your source bucket that specifies the destination bucket, the IAM role, and the encryption type (optional). You also need to grant permissions to the IAM role to perform replication actions on both the source and destination buckets. Additionally, you can choose the destination storage class and enable additional replication options such as S3 Replication Time Control (S3 RTC) or S3 Batch Replication. https://medium.com/cloud-techies/s3-same-region-replication-srr-and-cross-region-replication-crr-34d446806bab https://aws.amazon.com/getting-started/hands-on/replicate-data-using-amazon-s3-replication/ https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication.html

Amazon CloudWatch Logs now supports data protection policies that can mask sensitive data in logs at ingestion time using custom data identifiers. By creating a custom data identifier matching the employee ID pattern (Emp-\d{6}), the administrator can mask those patterns in new log entries automatically.

Assigning an IAM policy that denies the logs:Unmask action to engineers prevents them from seeing unmasked sensitive data, enforcing least privilege access.

This approach is operationally efficient because it uses built-in CloudWatch Logs data protection capabilities without the need for complex custom code or manual log filtering.

Option C requires writing and managing Lambda functions for log transformation, increasing operational overhead. Option D is more complex and reactive rather than preventing the sensitive data exposure. Option B incorrectly references NotAction and managed identifiers that may not match the custom pattern.

https://aws.amazon.com/blogs/mt/how-to-set-up-aws-opsworks-stacks-auto-healing-notifications-in-amazon-cloudwatch-events/

Amazon ECR enhanced scanning uses Amazon Inspector for vulnerability detection.

EventBridge can capture Inspector scan findings.

Lambda can process scan findings and reject manual approval if critical vulnerabilities exist.

Options A and C use incorrect or less integrated services (basic scanning or Detective).

Option B adds unnecessary complexity with SBOM and Athena.

https://aws.amazon.com/premiumsupport/knowledge-center/lambda-function-assume-iam-role/ https://kreuzwerker.de/post/aws-multi-account-setups-reloaded

These solutions will meet the requirement because they will prevent the loss of notification messages in the future. An Amazon SQS queue is a service that provides a reliable, scalable, and secure message queue for asynchronous communication between distributed components. You can use an SQS queue to buffer messages from an SNS topic and ensure that they are delivered and processed by a Lambda function, even if the function or the database is temporarily unavailable.

Option C will configure an SQS dead-letter queue for the SNS topic. A dead-letter queue is a queue that receives messages that could not be delivered to any subscriber after a specified number of retries. You can use a dead-letter queue to store and analyze failed messages, or to reprocess them later. This way, you can avoid losing messages that could not be delivered to the Lambda function due to network errors, throttling, or other issues.

Option D will subscribe an SQS queue to the SNS topic and configure the Lambda function to process messages from the SQS queue. This will decouple the SNS topic from the Lambda function and provide more flexibility and control over the message delivery and processing. You can use an SQS queue to store messages from the SNS topic until they are ready to be processed by the Lambda function, and also to retry processing in case of failures. This way, you can avoid losing messages that could not be processed by the Lambda function due to database errors, timeouts, or other issues.

The key requirement is to shift a small percentage of traffic to a new version first to validate changes before rolling out to the entire ECS service, thereby reducing downtime and deployment risk. For ECS services behind an Application Load Balancer, the AWS-recommended and most reliable approach is to use AWS CodeDeploy with blue/green or canary deployments .

Option B directly addresses this requirement. By configuring the ECS service to use CodeDeploy as the deployment controller , CodeDeploy can manage traffic shifting between two ALB target groups: one for the current (stable) version and one for the new version. The CodeDeployDefault.ECSCanary10Percent15Minutes deployment configuration initially routes 10% of production traffic to the new task set, monitors the deployment for issues, and then shifts the remaining traffic after the defined interval. This enables early detection of application errors while limiting user impact.

Option A and C rely on rolling updates , which replace tasks incrementally but do not provide precise traffic control or automated rollback based on health checks. Option D’s slow start setting only affects how quickly targets receive traffic after registration and does not implement true canary testing.

Therefore, using AWS CodeDeploy with ECS canary deployments is the most robust, AWS-supported solution to test changes safely before full rollout.

This solution will meet the requirements because it will use CloudFormation nested stacks and stack sets to deploy the templates more efficiently and consistently across multiple regions. Nested stacks allow the company to separate out common components and reuse templates, while stack sets allow the company to create stacks in multiple accounts and regions with a single template. The company can also use Amazon SNS to send notifications to the data engineering team whenever a change is made to the templates or the stacks. Amazon SNS is a service that allows you to publish messages to subscribers, such as email addresses, phone numbers, or other AWS services. By using Amazon SNS, the company can ensure that the data engineering team is aware of all changes to the templates and can take appropriate actions if needed. What is Amazon SNS? - Amazon Simple Notification Service

AWS CloudWatch Events can be used to monitor events across different AWS resources, and a CloudWatch Event Rule can be created to trigger an AWS Lambda function when a deployment issue is detected in the pipeline. The Lambda function can then evaluate the issue and send a notification to the appropriate stakeholders through an Amazon SNS topic. This approach allows for real-time notifications and faster resolution times.

The following are the steps that the DevOps engineer should take to ensure that all EBS volumes always have the Backup_Frequency tag so that the company can perform backups at least weekly unless a different value is specified:

Set up AWS Config in the account.

Use a managed rule that returns a compliance failure for EC2::Volume resources that do not have a Backup Frequency tag applied.

Configure a remediation action that uses a custom AWS Systems Manager Automation runbook to apply the Backup_Frequency tag with a value of weekly.

The managed rule AWS::Config::EBSVolumesWithoutBackupTag will return a compliance failure for any EBS volume that does not have the Backup_Frequency tag applied. The remediation action will then use the Systems Manager Automation runbook to apply the Backup_Frequency tag with a value of weekly to the EBS volume.

because of " as few maintenance tasks as possible on the underlying infrastructure " . Fargate does that better than " one centralized application server "

To meet the requirements of migrating its on-premises Windows and Linux applications to AWS and creating a pilot light DR environment in another AWS Region, the company should use Amazon FSx for NetApp ONTAP for the application storage. Amazon FSx for NetApp ONTAP is a fully managed service that provides highly reliable, scalable, high-performing, and feature-rich file storage built on NetApp’s popular ONTAP file system. FSx for ONTAP supports multiple protocols, including SMB for Windows and NFS for Linux, so the company can access the shared storage from both types of applications. FSx for ONTAP also supports NetApp SnapMirror replication, which enables the company to replicate the storage to the DR Region. NetApp SnapMirror replication is efficient, secure, and incremental, and it preserves the data deduplication and compression benefits of FSx for ONTAP. The company can use automation to launch and configure the EC2 instances in the DR Region and then use NetApp SnapMirror to restore the data from the primary Region.

The other options are not correct because they do not meet the requirements or follow best practices. Using Amazon S3 for the application storage is not a good option because S3 is an object storage service that does not support SMB or NFS protocols natively. The company would need to use additional services or software to mount S3 buckets as file systems, which would add complexity and cost. Using Amazon EBS for the application storage is also not a good option because EBS is a block storage service that does not support SMB or NFS protocols natively. The company would need to set up and manage file servers on EC2 instances to provide shared access to the EBS volumes, which would add overhead and maintenance. Using a Volume Gateway in AWS Storage Gateway for the application storage is not a valid option because Volume Gateway does not support SMB protocol. Volume Gateway only supports iSCSI protocol, which means that only Linux applications can access the shared storage.

1: What is Amazon FSx for NetApp ONTAP? - FSx for ONTAP

2: Amazon FSx for NetApp ONTAP

3: Amazon FSx for NetApp ONTAP | NetApp

4: AWS Announces General Availability of Amazon FSx for NetApp ONTAP

Replicating Data with NetApp SnapMirror - FSx for ONTAP

What Is Amazon S3? - Amazon Simple Storage Service

What Is Amazon Elastic Block Store (Amazon EBS)? - Amazon Elastic Compute Cloud

What Is AWS Storage Gateway? - AWS Storage Gateway

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html

CodePipeline V2 with QUEUED mode ensures that new executions wait for the previous execution to finish, preventing overlapping runs.

Adding a trigger filter to listen for Git tags triggers the pipeline only on new tag pushes.

An EventBridge rule can detect new image pushes to ECR and start the deployment pipeline, integrating the build and deploy pipelines effectively.

SUPERSEDED mode cancels the previous run when a new one starts, which is not desired here.

Using branches instead of tags would trigger on all commits, not just releases.

The startup delay occurs because large container images must be pulled from Amazon ECR when pods are scheduled, especially on newly added nodes that do not have cached images. To consistently reduce pod startup time to seconds, container images must be prefetched directly onto the worker nodes that run the pods, not the EKS control plane.

Amazon EKS control plane nodes are fully managed by AWS and cannot be accessed or modified using AWS Systems Manager. Therefore, any solution that attempts to run Systems Manager commands on control plane nodes is invalid. Prefetching must target the EKS worker nodes (EC2 instances in managed node groups) where container images are actually stored and used.

Option C correctly creates an IAM role that allows Amazon EventBridge to invoke AWS Systems Manager to run commands on the EKS worker nodes. By using Systems Manager State Manager associations with node tags , the automation dynamically targets both existing nodes and newly added nodes that inherit the same tags. This ensures that container images are pulled immediately when a new image is pushed to ECR or when new nodes join the cluster.

Option B incorrectly targets nodes based on machine size, which is not reliable for lifecycle automation. Options A and D incorrectly reference control plane nodes, which cannot be managed with Systems Manager.

Therefore, Option C is the correct and AWS-aligned solution to ensure fast pod startup times across all nodes.

AWS Secrets Manager supports managed rotation using Lambda templates for ElastiCache (Redis). Secrets Manager can integrate with Parameter Store using references ({{resolve:secretsmanager:...}}). This ensures automatic rotation with minimal management.

(A) When Docker communicates with an Amazon Elastic Container Registry (ECR) repository, it requires authentication. You can authenticate your Docker client to the Amazon ECR registry with the help of the AWS CLI (Command Line Interface). Specifically, you can use the " aws ecr get-login-password " command to get an authorization token and then use Docker ' s " docker login " command with that token to authenticate to the registry. You would need to perform these steps in your buildspec.yml file before attempting to push or pull images from/to the ECR repository.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-recover.html

https://docs.aws.amazon.com/securityhub/latest/userguide/accounts-orgs-auto-enable.html

The company needs multi-Region data persistence with immediate propagation and minimal operational overhead. For S3, the correct mechanism is S3 replication (Cross-Region Replication or Same-Region Replication), which continuously and asynchronously replicates new objects as they are written. Configuring two-way replication between the primary and secondary Region buckets ensures that objects written in either Region are replicated to the other automatically without custom code.

For DynamoDB, the native solution for multi-Region replication is DynamoDB global tables . Global tables provide multi-master, multi-Region replication with low-latency reads and writes in each Region and automatic propagation of changes. Converting existing tables into global tables and adding the secondary Region as a replica gives immediate, managed cross-Region replication with minimal maintenance.

Option A combines these two fully managed features: two-way S3 replication and DynamoDB global tables. This yields the highest operational efficiency.

Options B, C, and D rely on S3 Batch Operations or DynamoDB Streams + Lambda to manually copy data cross-Region. These approaches add complexity, custom code, and operational risk, and they are less suitable when AWS provides managed replication mechanisms specifically designed for this purpose.

Therefore, Option A is the correct and most efficient solution.

This solution will meet the requirements in the most operationally efficient manner because it will use CloudWatch Logs destination to aggregate the log groups from all the accounts to a single S3 bucket in the logging account. However, unlike option A, this solution will create a CloudWatch Logs destination for each region, instead of a single destination for all regions. This will improve the performance and reliability of the log delivery, as it will avoid cross-region data transfer and latency issues. Moreover, this solution will use an Amazon Kinesis data stream and an Amazon Kinesis Data Firehose delivery stream for each region, instead of a single stream for all regions. This will also improve the scalability and throughput of the log delivery, as it will avoid bottlenecks and throttling issues that may occur with a single stream.

Option A is incorrect because creating an Amazon EventBridge rule that invokes an AWS Lambda function to query the applications on a 5-minute interval is not a valid solution. EventBridge rules can only trigger Lambda functions based on events, not on time intervals. Moreover, querying the applications on a 5-minute interval might incur unnecessary costs and network overhead, and might not detect performance issues in real time.

Option B is correct because creating an Amazon CloudWatch Synthetics canary that runs a custom script to query the applications on a 5-minute interval is a valid solution. CloudWatch Synthetics canaries are configurable scripts that monitor endpoints and APIs by simulating customer behavior. Canaries can run as often as once per minute, and can measure the latency and availability of the applications. Canaries can also send notifications to an Amazon SNS topic when they detect errors or performance issues1.

Option C is incorrect because creating an Amazon CloudWatch alarm that uses the AWS/ApplicationELB namespace RequestCountPerTarget metric is not a valid solution. The RequestCountPerTarget metric measures the number of requests completed or connections made per target in a target group2. This metric does not reflect the application response time, which is the requirement. Moreover, configuring the CloudWatch alarm to send a notification when the number of connections becomes greater than the configured number of threads that the application supports is not a valid way to measure the application performance, as it depends on the application design and implementation.

Option D is incorrect because creating an Amazon CloudWatch alarm that uses the AWS/ApplicationELB namespace RequestCountPerTarget metric is not a valid solution, for the same reason as option C. The RequestCountPerTarget metric does not reflect the application response time, which is the requirement. Moreover, configuring the CloudWatch alarm to send a notification when the average response time becomes greater than the longest response time that the application supports is not a valid way to measure the application performance, as it does not account for variability or outliers in the response time distribution.

https://docs.aws.amazon.com/codedeploy/latest/userguide/deployment-groups.html

The correct answer is C. Updating the SCP in the child OU to allow all actions for Amazon EC2 will enable the DevOps engineer to launch the EC2 instance in the vendor-data account. SCPs are applied to OUs and accounts in a hierarchical manner, meaning that the SCPs attached to the parent OU are inherited by the child OU and accounts. Therefore, the SCP in the child OU overrides the SCP in the root OU and denies all actions except for DynamoDB and Lambda. By adding EC2 to the allowed actions in the child OU’s SCP, the DevOps engineer can access EC2 resources in the vendor-data account.

Option A is incorrect because attaching the AmazonEC2FullAccess IAM policy to the IAM user will not grant the user access to EC2 resources. IAM policies are evaluated after SCPs, so even if the IAM policy allows EC2 actions, the SCP will still deny them.

Option B is incorrect because creating a new SCP that allows all actions for EC2 and attaching it to the vendor-data account will not work. SCPs are not cumulative, meaning that only one SCP is applied to an account at a time. The SCP attached to the account will be the SCP attached to the OU that contains the account. Therefore, option B will not change the SCP that is applied to the vendor-data account.

Option D is incorrect because creating a new SCP that allows all actions for EC2 and attaching it to the root OU will not work. As explained earlier, the SCP in the child OU overrides the SCP in the root OU and denies all actions except for DynamoDB and Lambda. Therefore, option D will not affect the SCP that is applied to the vendor-data account.

The Amazon SQS service publishes several standard CloudWatch metrics by default, including ApproximateNumberOfMessagesVisible, which represents the number of messages available for retrieval from the queue (i.e., the number of messages waiting to be processed). This is the primary metric to monitor queue backlog and processing delays.

Using ApproximateNumberOfMessagesVisible to monitor the visible messages in the queue gives a direct and near real-time indication of processing delays or backlog.

CloudWatch metrics are automatically collected and available without the need to create custom metrics or Lambda functions, which increases operational efficiency by reducing complexity and maintenance overhead.

Setting a CloudWatch alarm on this metric with a static threshold and a reasonable evaluation period (such as 1 hour) is sufficient to alert the team when the queue grows beyond an expected size.

The alarm can be directly configured to send notifications to an existing SNS topic, maintaining seamless integration with the team’s alerting mechanisms.

The ApproximateNumberOfMessagesDelayed metric refers to messages that are delayed and not available for processing yet due to delay settings, which is not the direct backlog that causes business process delays.

Options C and D introduce unnecessary complexity by requiring Lambda functions and custom metrics or scheduled invocations, which reduce operational efficiency compared to using built-in CloudWatch metrics and alarms.

Reference from AWS Official Documentation and Study Guide:

Amazon SQS Monitoring with CloudWatch Metrics: " Amazon SQS automatically sends metrics to CloudWatch, including ApproximateNumberOfMessagesVisible, which shows the number of messages available for retrieval. " (Source: Amazon SQS Monitoring - AWS Documentation)

Setting CloudWatch Alarms for SQS Queues: " You can create CloudWatch alarms on SQS metrics such as ApproximateNumberOfMessagesVisible to receive notifications when the queue size exceeds a threshold. " (Source: Amazon CloudWatch Alarms - AWS Documentation)

AWS DevOps Engineer Professional Exam Guide: " Efficient alerting for queue backlogs should leverage native CloudWatch metrics to minimize operational overhead. " (Source: Official AWS Certified DevOps Engineer Professional Study Guide)

AWS Device Farm provides a fully managed environment for automated and manual app testing across real physical devices. It integrates directly with AWS CodePipeline and automatically scales based on test concurrency. AWS documentation recommends Device Farm for mobile app testing due to its scalability and zero infrastructure management.

The requirement is to deploy a stateless application with multi-Region fault tolerance , ensuring high availability even if an entire AWS Region becomes unavailable. For this design, traffic must be actively served from both Regions, not only during a failure event.

Option C correctly implements an active-active, multi-Region architecture . By deploying the application to both EKS clusters , each Region is capable of serving traffic independently. Using Amazon Route 53 weighted routing , traffic is distributed across both Application Load Balancers, allowing both Regions to handle requests simultaneously. If one Region becomes unhealthy, Route 53 health checks can stop routing traffic to that Region, maintaining availability.

Implementing Kubernetes readiness and liveness probes ensures that traffic is only sent to healthy pods within each cluster. This provides fault tolerance at both the container level (pod health) and the Regional level (Route 53 routing).

Option A uses a failover routing policy, which results in an active-passive design. While fault tolerant, it does not utilize both Regions simultaneously and provides slower recovery during Region failure. Options B and D deploy the application only in the primary Region, which does not meet multi-Region fault tolerance requirements.

Therefore, Option C delivers the most resilient, highly available, and AWS-recommended architecture for a stateless, multi-Region EKS application.

The engineer should make the following changes to achieve a policy of least permission:

A: Add a condition to ensure that the principal making the request is an AWS Lambda function. This ensures that only Lambda functions can execute this policy.

B: Narrow down the resources by specifying the ARN of EC2 instances instead of allowing all resources. This ensures that the policy only affects EC2 instances.

D: Add a condition to ensure that this policy only applies to EC2 instances tagged with “Environment: NonProduction”. This ensures that production environments are not affected by this policy.

AWS Identity and Access Management (IAM) - AWS Documentation

Certified DevOps Engineer - Professional (DOP-C02) Study Guide (page 179)

Step 1: Reacting to RDS Storage Autoscaling Events Using Amazon EventBridgeAmazon RDS emits events when storage autoscaling occurs. To visualize these events in a CloudWatch dashboard, you can create an EventBridge rule that listens for these specific autoscaling events.

Action: Create an EventBridge rule that reacts to RDS storage autoscaling events from the RDS event stream.

Why: EventBridge allows you to listen to RDS events and route them to specific AWS services for processing.

Step 2: Creating a Custom CloudWatch Metric via LambdaOnce the EventBridge rule detects a storage autoscaling event, you can use a Lambda function to publish a custom metric to CloudWatch. This metric can then be visualized in a CloudWatch dashboard.

Action: Use a Lambda function to publish custom metrics to CloudWatch based on the RDS storage autoscaling events.

Why: Custom metrics allow you to track specific events like autoscaling and visualize them easily on a CloudWatch dashboard.

Mounting EFS to EC2-backed EKS nodes requires:

NFS (port 2049) open from nodes to EFS (Security Group rule).

Mount targets in each subnet/AZ where nodes reside.

IAM role for the EFS CSI driver with elasticfilesystem:ClientMount and ClientRootAccess permissions. These are the standard setup requirements in “Using the Amazon EFS CSI Driver with Amazon EKS.”