DOP-C02 Exam Dumps - Amazon Web Services AWS Certified Professional Questions and Answers

The correct solution is to add a report group in the AWS CodeBuild project buildspec file with the appropriate path and format for the reports. Then, create an Amazon S3 bucket to store the reports. You should configure an Amazon EventBridge rule that invokes an AWS Lambda function to copy the reports to the S3 bucket when a build is completed. Finally, create an S3 Lifecycle rule to expire the objects after 90 days. This approach allows for the automated transfer of reports to long-term storage and ensures they are retained for the required duration without manual intervention1.

AWS CodeBuild User Guide on test reporting1.

AWS CodeBuild User Guide on working with report groups2.

AWS Documentation on using AWS CodePipeline with AWS CodeBuild3.

The security team’s requirements emphasize governance, approval control, versioning, and automation with minimal operational overhead. AWS Control Tower natively supports guardrail enablement through the AWS::ControlTower::EnableControl CloudFormation resource, which can target entire organizational units. Managing these resources as CloudFormation templates stored in a Git repository provides built-in version control, change review, and rollback capabilities through standard Git workflows.

Option C implements a GitOps-style approach. Each guardrail is defined declaratively in CloudFormation, scoped at the OU level, ensuring consistent enforcement across all accounts in that OU. Storing the templates in a CodeConnections-compatible Git repository allows the security team to review, approve, and audit changes through pull requests. By configuring AWS CodePipeline in the security team’s account and triggering it automatically via an Amazon EventBridge rule on repository merges, only approved changes are deployed. This ensures that new guardrails are enabled only after explicit approval and that the deployment process is fully automated.

Option A lacks pipeline orchestration and approval workflows. Option B requires manual pipeline invocation and per-account configuration, increasing operational overhead. Option D relies on S3 as the source of truth, which lacks native version control and approval mechanisms compared to Git.

Therefore, Option C provides the most operationally efficient, secure, and auditable solution aligned with AWS Control Tower automation best practices.

The correct answer is D. Creating an AWS Config conformance pack that contains the AWS Config rules and remediation actions and deploying it from the delegated administrator account by using AWS Config will meet the requirements. A conformance pack is a collection of AWS Config rules and remediation actions that can be easily deployed as a single entity in an account and a region or across an organization in AWS Organizations1. By using the delegated administrator account, the DevOps engineer can centrally manage the conformance pack and prevent non-administrator users from modifying it in the member accounts. Option A is incorrect because creating a CloudFormation template that contains the AWS Config rules and remediation actions and deploying it from the Organizations management account by using CloudFormation StackSets will not prevent non-administrator users from modifying the AWS Config rules in the member accounts. Option B is incorrect because deploying the conformance pack from the Organizations management account by using CloudFormation StackSets will not use the trusted access feature of AWS Config and will require additional permissions and resources. Option C is incorrect because creating a CloudFormation template that contains the AWS Config rules and remediation actions and deploying it from the delegated administrator account by using AWS Config will not leverage the benefits of conformance packs, such as simplified deployment and management. References:

Conformance Packs - AWS Config

Certified DevOps Engineer - Professional (DOP-C02) Study Guide (page 176)

When using the awslogs log driver with ECS on EC2, the ECS agent running on the container instance uses the instance’s IAM role (container instance role or task execution role, depending on configuration) to write logs to CloudWatch Logs. The policy already grants logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents, which are the required CloudWatch Logs actions. However, for the role to be usable by ECS, the role’s trust policy must allow the appropriate service principal to assume it.

In this question, the error message indicates “missing permission” during ECS task deployment. If the IAM role is not trusted by the ECS service (for example, ecs-tasks.amazonaws.com for a task execution role or the proper principal for container instances), ECS cannot assume that role and therefore cannot use the granted CloudWatch permissions, causing deployment failures.

Option A addresses this by adding a trust relationship so that Amazon ECS can assume the IAM role. Options B and C mutate the permissions but do not fix the underlying problem: the missing trust. Option D incorrectly attempts to trust CloudWatch, which does not assume roles in this context.

Thus, adding a trust policy that establishes ECS as a trusted service is the correct fix.

To meet the requirements of migrating its on-premises Windows and Linux applications to AWS and creating a pilot light DR environment in another AWS Region, the company should use Amazon FSx for NetApp ONTAP for the application storage. Amazon FSx for NetApp ONTAP is a fully managed service that provides highly reliable, scalable, high-performing, and feature-rich file storage built on NetApp’s popular ONTAP file system. FSx for ONTAP supports multiple protocols, including SMB for Windows and NFS for Linux, so the company can access the shared storage from both types of applications. FSx for ONTAP also supports NetApp SnapMirror replication, which enables the company to replicate the storage to the DR Region. NetApp SnapMirror replication is efficient, secure, and incremental, and it preserves the data deduplication and compression benefits of FSx for ONTAP. The company can use automation to launch and configure the EC2 instances in the DR Region and then use NetApp SnapMirror to restore the data from the primary Region.

The other options are not correct because they do not meet the requirements or follow best practices. Using Amazon S3 for the application storage is not a good option because S3 is an object storage service that does not support SMB or NFS protocols natively. The company would need to use additional services or software to mount S3 buckets as file systems, which would add complexity and cost. Using Amazon EBS for the application storage is also not a good option because EBS is a block storage service that does not support SMB or NFS protocols natively. The company would need to set up and manage file servers on EC2 instances to provide shared access to the EBS volumes, which would add overhead and maintenance. Using a Volume Gateway in AWS Storage Gateway for the application storage is not a valid option because Volume Gateway does not support SMB protocol. Volume Gateway only supports iSCSI protocol, which means that only Linux applications can access the shared storage.

1: What is Amazon FSx for NetApp ONTAP? - FSx for ONTAP

2: Amazon FSx for NetApp ONTAP

3: Amazon FSx for NetApp ONTAP | NetApp

4: AWS Announces General Availability of Amazon FSx for NetApp ONTAP

Replicating Data with NetApp SnapMirror - FSx for ONTAP

What Is Amazon S3? - Amazon Simple Storage Service

What Is Amazon Elastic Block Store (Amazon EBS)? - Amazon Elastic Compute Cloud

What Is AWS Storage Gateway? - AWS Storage Gateway

These are the possible causes for the AccessDenied error because they affect the permissions to access the S3 object from the EC2 instance. An S3 bucket policy is a resource-based policy that defines who can access the bucket and its objects, and what actions they can perform. An IAM role is an identity that can be assumed by an EC2 instance to grant it permissions to access AWS services and resources. If there is an error in the S3 bucket policy or the IAM role configuration, such as a missing or incorrect statement, condition, or principal, then the EC2 instance may not have the necessary permissions to download the object from the S3 bucket .

https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

RDS Multi-AZ cluster deployments with cross-Region read replicas support near real-time replication (<1 min RPO) and fast promotion (<10 min RTO). Route 53 CNAME failover redirects application traffic automatically. This is the AWS-recommended DR pattern.

To achieve multi-Region high availability for a serverless API-based application, the architecture must be duplicated in the second Region and supported by a multi-Region data layer and appropriate DNS routing. Option A provides the required multi-Region data layer using DynamoDB global tables, which replicate data automatically and asynchronously between Regions. This allows reads and writes in either Region and prevents cross-Region latency bottlenecks.

Option C ensures that the compute components—API Gateway REST API and AWS Lambda functions—are deployed in both Regions. Each Region operates independently, providing true active-active redundancy and allowing Route 53 to route traffic directly to either Region without dependency on the other.

Option E selects Route 53 latency-based routing, which directs each user to the Region with the lowest round-trip latency. This meets the requirement to route traffic based on the Region providing the best response time rather than only providing active-passive failover.

Option D (failover routing) supports active-standby topologies, not active-active. Option B creates a global secondary index, which does not provide multi-Region replication. Option F (multivalue routing) distributes traffic randomly and does not account for latency or Region placement.

Thus, combining DynamoDB global tables, duplicated serverless architecture, and latency-based routing fully satisfies the requirements.

Amazon EC2 Image Builder is a service that automates the creation, management, and deployment of customized, secure, and up-to-date server images that are pre-installed with software and configuration settings tailored to meet specific IT standards. EC2 Image Builder simplifies the creation and maintenance of golden images, and makes it easy to generate images for multiple platforms, such as Amazon EC2 and on-premises. EC2 Image Builder also integrates with AWS Resource Access Manager, which allows you to share your images across accounts within your organization or with external AWS accounts. This solution meets the requirements of automating the tasks of updating the Linux AMIs, installing the Chef agent, and providing the images to the department’s accounts with the least management overhead. References:

Amazon EC2 Image Builder

Sharing EC2 Image Builder images

Option A is incorrect because setting the deployment configuration to LambdaAllAtOnce means that the new version of the application will be deployed to all Lambda functions at once, affecting all customers. This does not meet the requirement of affecting the fewest customers possible. Moreover, configuring automatic rollbacks on the deployment group is not operationally efficient, as it requires manual intervention to fix the errors and redeploy the application.

Option B is correct because setting the deployment configuration to LambdaCanary10Percent10Minutes means that the new version of the application will be deployed to 10 percent of the Lambda functions first, and then to the remaining 90 percent after 10 minutes. This minimizes the impact of errors on customers, as only 10 percent of them will be affected by a faulty deployment. Configuring automatic rollbacks on the deployment group also meets the requirement of reverting to the most recent stable version of the application when an error is detected. Creating a CloudWatch alarm that detects HTTP Bad Gateway errors on API Gateway is a valid way to monitor the health of the application and trigger a rollback if needed.

Option C is incorrect because setting the deployment configuration to LambdaAllAtOnce means that the new version of the application will be deployed to all Lambda functions at once, affecting all customers. This does not meet the requirement of affecting the fewest customers possible. Moreover, configuring manual rollbacks on the deployment group is not operationally efficient, as it requires human intervention to stop the current deployment and start a new one. Creating an SNS topic to send notifications every time a deployment fails is not sufficient to detect errors in the application, as it does not monitor the API Gateway responses.

Option D is incorrect because configuring manual rollbacks on the deployment group is not operationally efficient, as it requires human intervention to stop the current deployment and start a new one. Creating a metric filter on a CloudWatch log group for API Gateway to monitor HTTP Bad Gateway errors is a valid way to monitor the health of the application, but invoking a new Lambda function to perform a rollback is unnecessary and complex, as CodeDeploy already provides automatic rollback functionality.