DOP-C02 AWS Certified DevOps Engineer - Professional Questions and Answers

The correct answer is D. Creating an AWS Config conformance pack that contains the AWS Config rules and remediation actions and deploying it from the delegated administrator account by using AWS Config will meet the requirements. A conformance pack is a collection of AWS Config rules and remediation actions that can be easily deployed as a single entity in an account and a region or across an organization in AWS Organizations1. By using the delegated administrator account, the DevOps engineer can centrally manage the conformance pack and prevent non-administrator users from modifying it in the member accounts. Option A is incorrect because creating a CloudFormation template that contains the AWS Config rules and remediation actions and deploying it from the Organizations management account by using CloudFormation StackSets will not prevent non-administrator users from modifying the AWS Config rules in the member accounts. Option B is incorrect because deploying the conformance pack from the Organizations management account by using CloudFormation StackSets will not use the trusted access feature of AWS Config and will require additional permissions and resources. Option C is incorrect because creating a CloudFormation template that contains the AWS Config rules and remediation actions and deploying it from the delegated administrator account by using AWS Config will not leverage the benefits of conformance packs, such as simplified deployment and management. References:

Conformance Packs - AWS Config

Certified DevOps Engineer - Professional (DOP-C02) Study Guide (page 176)

The requirement specifies enforcing encryption before CloudFormation creates or updates resources. This is key because preventive enforcement must occur during the provisioning workflow, not after resources already exist. AWS provides CloudFormation Hooks specifically for this purpose. A Hook allows an organization to intercept a CloudFormation stack operation and validate resource configurations before provisioning occurs. This feature is recommended by AWS for pre-deployment governance such as enforcing encryption policies, tag compliance, or security restrictions.

By enabling trusted access between CloudFormation StackSets and AWS Organizations, the Hook can be deployed centrally from the delegated administrator account across all accounts in the specified OU. Any attempt to create or update EBS volumes or SQS queues through CloudFormation is validated first by the Hook. If encryption is not configured, the operation fails immediately.

Option C (SCP) blocks API calls globally, but SCPs cannot perform conditional logic based on resource properties passed by CloudFormation prior to creation. Option B (AWS Config) detects violations after resources already exist, which does not satisfy “before stack operation.” Option D (Lambda remediation) also occurs after the resource is created.

Thus, CloudFormation Hooks distributed via StackSets provide the only solution that enforces compliance before the provisioning lifecycle

ECS container instances must have an IAM role that trusts ECS (the ecs-tasks.amazonaws.com principal) to assume permissions for CloudWatch logging. Without this trust relationship, ECS cannot push logs even if the permissions are present.

The requirement is to immediately detect and terminate EC2 instances involved in cryptocurrency mining with the least development effort. Amazon GuardDuty is the AWS-native service specifically designed to detect malicious activities such as crypto-mining by continuously analyzing CloudTrail events, VPC Flow Logs, and DNS logs. GuardDuty includes managed threat intelligence and predefined findings like CryptoCurrency:EC2/BitcoinTool.B!DNS and CryptoCurrency:EC2/BitcoinTool.B!IP, which directly identify mining behavior without custom detection logic.

Option C leverages this built-in capability. Once GuardDuty is enabled, findings are automatically generated when mining activity is detected. These findings are sent to Amazon EventBridge in near real time. An EventBridge rule can filter for cryptocurrency-related findings and trigger an AWS Lambda function . The Lambda function can then identify the affected EC2 instance and terminate it or adjust the Auto Scaling group to replace it. This approach requires minimal custom code and no log parsing, scheduled jobs, or analytics pipelines.

Options A and B rely on custom log analysis, periodic execution, and maintaining lists of mining domains or IPs, which significantly increases complexity and response time. Option D uses AWS Security Hub, which aggregates findings from GuardDuty and other services but is not intended for immediate, low-latency remediation.

Therefore, Option C provides the fastest detection, immediate response, and lowest development overhead using AWS-managed threat detection services.

https://docs.aws.amazon.com/codepipeline/latest/userguide/reference-pipeline-structure.html

AWS doc: " To specify parallel actions, use the same integer for each action you want to run in parallel. For example, if you want three actions to run in sequence in a stage, you would give the first action the runOrder value of 1, the second action the runOrder value of 2, and the third the runOrder value of 3. However, if you want the second and third actions to run in parallel, you would give the first action the runOrder value of 1 and both the second and third actions the runOrder value of 2. "

When using the awslogs log driver with Amazon ECS on EC2, CloudWatch Logs permissions must be granted to the ECS container instance IAM role , not the task definition or infrastructure role. The ECS agent running on the EC2 instances is responsible for creating log streams and pushing log events to Amazon CloudWatch Logs on behalf of the containers.

In this scenario, the task definition is correctly configured to automatically create the log group (awslogs-create-group: true) and send logs to the specified Region. However, the error occurs because the EC2 container instances do not have sufficient IAM permissions to perform the required CloudWatch Logs API calls. As a result, ECS cannot place the task, and it reports that no container instance meets the requirements.

According to AWS documentation, the container instance IAM role must include the following permissions when using the awslogs driver:

logs:CreateLogStream

logs:PutLogEvents

(and, when creating log groups automatically) logs:CreateLogGroup

Option C correctly addresses the root cause by updating the container instance IAM role . Option A is incorrect because the ECS infrastructure or service role is not used to write logs. Option B is unrelated to permissions and does not resolve the issue. Option D would fail because the log group does not already exist, causing task startup to fail.

Therefore, modifying the container instance IAM role is the correct solution.

Amazon CloudWatch Logs now supports data protection policies that can mask sensitive data in logs at ingestion time using custom data identifiers. By creating a custom data identifier matching the employee ID pattern (Emp-\d{6}), the administrator can mask those patterns in new log entries automatically.

Assigning an IAM policy that denies the logs:Unmask action to engineers prevents them from seeing unmasked sensitive data, enforcing least privilege access.

This approach is operationally efficient because it uses built-in CloudWatch Logs data protection capabilities without the need for complex custom code or manual log filtering.

Option C requires writing and managing Lambda functions for log transformation, increasing operational overhead. Option D is more complex and reactive rather than preventing the sensitive data exposure. Option B incorrectly references NotAction and managed identifiers that may not match the custom pattern.

The most cost-effective solution to meet the RTO and RPO requirements is option B. This option involves copying the CloudFormation templates to an Amazon S3 bucket in the DR Region, configuring Aurora automated backup Cross-Region Replication, and configuring ECR Cross-Region Replication. In the event of a disaster, the CloudFormation template with the most recent Aurora snapshot and the Docker image from the local ECR repository can be used to launch a new CloudFormation stack in the DR Region. This approach avoids the need to build Docker images from the Dockerfile, which can sometimes take more than 2 hours, thus meeting the RTO requirement. Additionally, the use of automated backups and replication ensures that the RPO of 8 hours is met.

AWS Documentation on Disaster Recovery: Plan for Disaster Recovery (DR) - Reliability Pillar

AWS Blog on Establishing RPO and RTO Targets: Establishing RPO and RTO Targets for Cloud Applications

AWS Documentation on ECR Cross-Region Replication: Amazon ECR Cross-Region Replication

AWS Documentation on Aurora Cross-Region Replication: Replicating Amazon Aurora DB Clusters Across AWS Regions

Installing the CloudWatch agent and instrumenting the application to push custom metrics to the agent is the easiest and lowest overhead method.

Prometheus (B) adds operational complexity.

Lambda polling (C) introduces unnecessary complexity and latency.

Using Logs Insights (D) requires extracting metrics from logs, which is less efficient.

Comprehensive and Detailed Explanation From Exact Extract of DevOps Engineer documents only:

The correct answer is B because AWS Config can continuously evaluate the account-level S3 Block Public Access configuration by using a managed rule. When the configuration becomes noncompliant, AWS Config can trigger automatic remediation through an AWS Systems Manager Automation runbook to restore the required settings.

This solution directly satisfies both requirements:

Detect changes to account-level S3 public access settings.

Automatically revert those changes so that all public access is blocked again.

Why the other options are incorrect:

A. Security Hub is primarily for aggregated security findings and controls visibility. It is not the most direct or standard service for continuous configuration evaluation with automatic remediation of this specific setting.

C. An SCP can restrict permissions, but it does not automatically detect and revert changes to S3 Block Public Access settings.

D. Amazon Macie is for discovering and protecting sensitive data, not for continuously enforcing and remediating S3 Block Public Access account settings.

To meet the requirements of migrating its on-premises Windows and Linux applications to AWS and creating a pilot light DR environment in another AWS Region, the company should use Amazon FSx for NetApp ONTAP for the application storage. Amazon FSx for NetApp ONTAP is a fully managed service that provides highly reliable, scalable, high-performing, and feature-rich file storage built on NetApp’s popular ONTAP file system. FSx for ONTAP supports multiple protocols, including SMB for Windows and NFS for Linux, so the company can access the shared storage from both types of applications. FSx for ONTAP also supports NetApp SnapMirror replication, which enables the company to replicate the storage to the DR Region. NetApp SnapMirror replication is efficient, secure, and incremental, and it preserves the data deduplication and compression benefits of FSx for ONTAP. The company can use automation to launch and configure the EC2 instances in the DR Region and then use NetApp SnapMirror to restore the data from the primary Region.

The other options are not correct because they do not meet the requirements or follow best practices. Using Amazon S3 for the application storage is not a good option because S3 is an object storage service that does not support SMB or NFS protocols natively. The company would need to use additional services or software to mount S3 buckets as file systems, which would add complexity and cost. Using Amazon EBS for the application storage is also not a good option because EBS is a block storage service that does not support SMB or NFS protocols natively. The company would need to set up and manage file servers on EC2 instances to provide shared access to the EBS volumes, which would add overhead and maintenance. Using a Volume Gateway in AWS Storage Gateway for the application storage is not a valid option because Volume Gateway does not support SMB protocol. Volume Gateway only supports iSCSI protocol, which means that only Linux applications can access the shared storage.

1: What is Amazon FSx for NetApp ONTAP? - FSx for ONTAP

2: Amazon FSx for NetApp ONTAP

3: Amazon FSx for NetApp ONTAP | NetApp

4: AWS Announces General Availability of Amazon FSx for NetApp ONTAP

Replicating Data with NetApp SnapMirror - FSx for ONTAP

What Is Amazon S3? - Amazon Simple Storage Service

What Is Amazon Elastic Block Store (Amazon EBS)? - Amazon Elastic Compute Cloud

What Is AWS Storage Gateway? - AWS Storage Gateway

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-logging-monitoring.html

https://docs.aws.amazon.com/codedeploy/latest/userguide/deployment-steps.html

 Use AWS Step Functions to Orchestrate Processing:

AWS Step Functions allow you to build distributed applications by combining AWS Lambda functions or other AWS services into workflows.

Decoupling the processing into Step Functions tasks enables you to retry individual steps without reprocessing the entire record.

 Architectural Steps:

Create a web application to pass records to AWS Step Functions:

The web application can be a simple frontend that receives input and triggers the Step Functions workflow.

Define a Step Functions state machine:

Each step in the state machine represents a processing stage. If a step fails, Step Functions can retry the step based on defined conditions.

Use AWS Lambda functions:

Lambda functions can be used to handle each processing step. These functions can be stateless and handle specific tasks, reducing the complexity of error handling and reprocessing logic.

 Operational Efficiency:

Using Step Functions and Lambda improves operational efficiency by providing built-in error handling, retries, and state management.

This architecture scales automatically and isolates failures to individual steps, ensuring only failed steps are retried.

Deployment of config.txt file based on the appspec.yml:

The appspec.yml file specifies that config/config.txt should be copied to /usr/local/src/config.txt.

The source: / directive in the appspec.yml indicates that the entire directory structure starting from the root of the application source should be copied to the specified destination, which is /var/www/html.

Result of the Deployment:

The config.txt file will be specifically deployed to /usr/local/src/config.txt as per the explicit file mapping.

The entire directory structure including application/web will be copied to /var/www/html, but this does not include config/config.txt since it has a specific destination defined.

Thus, the config.txt file will be deployed only to /usr/local/src/config.txt.

Therefore, the correct answer is:

C. The config.txt file will be deployed to only /usr/local/src/config.txt.

To restrict access to CloudFront to a specific IP address range:

Create an AWS WAF IP address set with the corporate office IPs.

Modify the existing WebACL ' s default action to Block (deny all except explicitly allowed).

Add a high-priority rule that allows traffic from the IP address set (the corporate IPs). This way, only requests from the corporate IPs are allowed; all others are blocked. Regex pattern sets are not necessary for IP-based restrictions and add complexity. Setting default action to Allow with exceptions is less secure and more complex to manage.

Option A is incorrect because setting the deployment configuration to LambdaAllAtOnce means that the new version of the application will be deployed to all Lambda functions at once, affecting all customers. This does not meet the requirement of affecting the fewest customers possible. Moreover, configuring automatic rollbacks on the deployment group is not operationally efficient, as it requires manual intervention to fix the errors and redeploy the application.

Option B is correct because setting the deployment configuration to LambdaCanary10Percent10Minutes means that the new version of the application will be deployed to 10 percent of the Lambda functions first, and then to the remaining 90 percent after 10 minutes. This minimizes the impact of errors on customers, as only 10 percent of them will be affected by a faulty deployment. Configuring automatic rollbacks on the deployment group also meets the requirement of reverting to the most recent stable version of the application when an error is detected. Creating a CloudWatch alarm that detects HTTP Bad Gateway errors on API Gateway is a valid way to monitor the health of the application and trigger a rollback if needed.

Option C is incorrect because setting the deployment configuration to LambdaAllAtOnce means that the new version of the application will be deployed to all Lambda functions at once, affecting all customers. This does not meet the requirement of affecting the fewest customers possible. Moreover, configuring manual rollbacks on the deployment group is not operationally efficient, as it requires human intervention to stop the current deployment and start a new one. Creating an SNS topic to send notifications every time a deployment fails is not sufficient to detect errors in the application, as it does not monitor the API Gateway responses.

Option D is incorrect because configuring manual rollbacks on the deployment group is not operationally efficient, as it requires human intervention to stop the current deployment and start a new one. Creating a metric filter on a CloudWatch log group for API Gateway to monitor HTTP Bad Gateway errors is a valid way to monitor the health of the application, but invoking a new Lambda function to perform a rollback is unnecessary and complex, as CodeDeploy already provides automatic rollback functionality.

Amazon CloudWatch metric streams are designed to deliver metrics in near real time to downstream services like Amazon Data Firehose with minimal configuration and management overhead. By configuring a metric stream to include all metrics , you ensure that any newly created performance or custom metrics are automatically included without needing to update filters or code when namespaces or metrics change.

Option B uses a CloudWatch metric stream → Firehose → Lambda → S3 pattern. Firehose natively supports invoking a Lambda function for in-flight transformation of the metric data before final delivery to S3. This satisfies the requirement to transform metrics before storing them and provides a fully managed, serverless pipeline with very little ongoing operational burden.

Option A mentions including metrics from “the application and the CloudWatch namespace,” which implies more manual selection and maintenance, potentially missing new metrics if not explicitly added. Options C and D work at the log level, not at the metric level, and would require building additional logic to derive metrics from logs. This is more complex and not aligned with “least operational overhead.”

Therefore, Option B is the most efficient and scalable solution.

Amazon CloudWatch metric filters are the least-overhead method for converting log data into actionable metrics and alarms. By defining a metric filter on the CloudWatch Logs log group with a regex pattern that matches external system error log entries, CloudWatch automatically increments a custom metric each time a matching event appears. A CloudWatch alarm configured with a period of 5 minutes and a threshold of 10 will trigger and publish directly to the SNS topic without requiring any additional compute resources. Option B adds an unnecessary Lambda invocation between the alarm and the SNS notification. Option C uses anomaly detection, which is probabilistic and not suited for a hard threshold requirement. Option D requires a subscription filter plus a Lambda function to publish the custom metric, which introduces additional components, Lambda costs, and higher operational complexity than a native metric filter.

================

The requirements clearly indicate the need for modern CodePipeline capabilities , strict execution ordering, Git tag–based triggers, and loose coupling between pipelines. CodePipeline V2 introduces execution modes such as QUEUED and SUPERSEDED , along with native support for advanced trigger filtering when using AWS CodeConnections.

The requirement that the pipeline must wait for the previous run to finish directly maps to QUEUED mode , which ensures that pipeline executions run sequentially rather than replacing in-progress executions. SUPERSEDED mode would cancel the running execution, which violates the requirement.

Triggering the pipeline when new Git tags are pushed is supported through CodePipeline V2 trigger filters using refs/tags/*. Branch-based triggers would not satisfy this condition.

Finally, the requirement that an existing deployment pipeline runs in response to new container images is best met using Amazon EventBridge , which natively emits events for ECR image push actions . EventBridge allows decoupled, event-driven orchestration between pipelines without tight dependencies or custom scripting. This is the AWS-recommended approach for pipeline-to-pipeline coordination.

Options C and D rely on CodePipeline V1 , which lacks modern trigger filtering and execution control. Option B incorrectly uses SUPERSEDED mode and branch-based triggers.

Therefore, Option A correctly combines CodePipeline V2 , QUEUED execution mode , tag-based triggers , and EventBridge-driven pipeline chaining , meeting all requirements with best practices and minimal operational complexity.

Step 1: Using AWS CloudFormation with ECS Blue/Green Deployments

The requirement is to implement an ECS blue/green deployment where traffic is shifted gradually. AWS CodeDeploy supports such blue/green deployments with predefined configurations, like ECSLinear10PercentEvery1Minute, which shifts 10% of traffic every minute.

Action: Use the AWS::CodeDeployBlueGreen transform and the appropriate hooks in the CloudFormation template. The ECSLinear10PercentEvery1Minute deployment configuration meets the requirement of shifting 10% of traffic every minute.

Why: The transform and hook parameters in CloudFormation are essential for configuring the blue/green deployment with the desired traffic-shifting behavior.

The CloudFormation IaC generator can reverse-engineer existing resources (partial scan) into infrastructure as code. Filtering by Lambda type creates CDK-ready constructs with minimal manual work. AWS recommends this method for IaC onboarding of existing workloads.

The latency in processing and ingesting logs can be caused by several factors, such as the throughput of the Kinesis data stream, the concurrency of the Lambda function, and the configuration of the event source mapping. To reduce the latency, the following steps can be taken:

Create a data stream consumer with enhanced fan-out. Set the Lambda function that processes the logs as the consumer. This will allow the Lambda function to receive records from the data stream with dedicated throughput of up to 2 MB per second per shard, independent of other consumers1. This will reduce the contention and delay in accessing the data stream.

Increase the ParallelizationFactor setting in the Lambda event source mapping. This will allow the Lambda service to invoke more instances of the function concurrently to process the records from the data stream2. This will increase the processing capacity and reduce the backlog of records in the data stream.

Configure reserved concurrency for the Lambda function that processes the logs. This will ensure that the function has enough concurrency available to handle the increased load from the data stream3. This will prevent the function from being throttled by the account-level concurrency limit.

The other options are not effective or may have negative impacts on the latency. Option D is not suitable because increasing the batch size in the Kinesis data stream will increase the amount of data that the Lambda function has to process in each invocation, which may increase the execution time and latency4. Option E is not advisable because turning off the ReportBatchItemFailures setting in the Lambda event source mapping will prevent the Lambda service from retrying the failed records, which may result in data loss. Option F is not necessary because increasing the number of shards in the Kinesis data stream will increase the throughput of the data stream, but it will not affect the processing speed of the Lambda function, which is the bottleneck in this scenario.

1: Using AWS Lambda with Amazon Kinesis Data Streams - AWS Lambda

2: AWS Lambda event source mappings - AWS Lambda

3: Managing concurrency for a Lambda function - AWS Lambda

4: AWS Lambda function scaling - AWS Lambda

AWS Lambda event source mappings - AWS Lambda

Scaling Amazon Kinesis Data Streams with AWS CloudFormation - Amazon Kinesis Data Streams

These are the possible causes for the AccessDenied error because they affect the permissions to access the S3 object from the EC2 instance. An S3 bucket policy is a resource-based policy that defines who can access the bucket and its objects, and what actions they can perform. An IAM role is an identity that can be assumed by an EC2 instance to grant it permissions to access AWS services and resources. If there is an error in the S3 bucket policy or the IAM role configuration, such as a missing or incorrect statement, condition, or principal, then the EC2 instance may not have the necessary permissions to download the object from the S3 bucket .

https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

Action-level states in events

Action state Description

STARTED The action is currently running.

SUCCEEDED The action was completed successfully.

FAILED For Approval actions, the FAILED state means the action was either rejected by the reviewer or failed due to an incorrect action configuration.

CANCELED The action was canceled because the pipeline structure was updated.

AWS Device Farm provides a fully managed environment for automated and manual app testing across real physical devices. It integrates directly with AWS CodePipeline and automatically scales based on test concurrency. AWS documentation recommends Device Farm for mobile app testing due to its scalability and zero infrastructure management.

Option A best matches the requirement in the simplest, most direct way:

Systems Manager State Manager is designed to apply and maintain a desired state on managed instances by running associations on a schedule or continuously across targets (for example, “all managed nodes”).

By using a Systems Manager document in the association that installs the antivirus package (and can be written to be idempotent: “install only if not present”), State Manager both detects drift (software missing) and remediates it automatically by reapplying the desired configuration.

This approach automatically covers all instances that are managed by Systems Manager (which is typically the standard requirement for fleet management on Amazon Linux).

Why the others are more overhead or not as direct:

B can work, but it requires building and operating a custom Config rule plus remediation wiring. That’s more components and maintenance than State Manager for a straightforward “ensure software is installed” task.

C Amazon Inspector is a vulnerability management service; it’s not the primary tool for “ensure a specific software package is installed everywhere” and “remediate via SSM doc” as a desired-state control.

D only detects new instances at launch time via CloudTrail RunInstances, and then you still need Inventory correlation logic. It’s more complex and can miss already-running instances unless additional logic is added.

A- https://docs.aws.amazon.com/codedeploy/latest/userguide/codedeploy-agent.html D - This option correctly utilizes AWS CodePipeline to invoke the CodeBuild job and create CloudFormation change sets. It adds a manual approval step before executing the change sets and starting the AWS CodeDeploy deployment. This ensures that the deployment process is automated while retaining the final manual approval step.

Even if AmazonSSMManagedlnstanceCore is a managed policy and not an IAM role I will go with C because this policy is to be attached to an IAM role for EC2 to access System Manager.

To validate AWS CDK-defined infrastructure, use CDK Assertions (assertions module) to test synthesized CloudFormation templates (e.g., template.hasResourceProperties). Integrate testing into CodeBuild buildspec before deployment, setting OnFailure: ABORT so the pipeline halts if tests fail. This ensures safe continuous delivery following AWS CDK testing best practices.

To meet the requirements of deploying a workload on several hundred EC2 instances with least-privilege permissions and temporary security credentials, the company should use an IAM role and an instance profile. An IAM role is a way to grant permissions to an entity that you trust, such as an EC2 instance. An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts. By using an IAM role and an instance profile, the EC2 instances can automatically receive temporary security credentials from the AWS Security Token Service (STS) and use them to access the S3 buckets. This way, the company does not need to manage or rotate any long-term credentials, such as IAM users or access keys.

To use an IAM role and an instance profile, the company should create an IAM role that has the appropriate permissions for S3 buckets. The permissions should allow the EC2 instances to read from the source S3 bucket and write to the destination S3 bucket. The company should also create a trust policy for the IAM role that specifies that EC2 is allowed to assume the role. Then, the company should add the IAM role to an instance profile. An instance profile can have only one IAM role, so the company does not need to create multiple roles or profiles for this scenario.

Next, the company should update the launch template to include the IAM instance profile. A launch template is a way to save launch parameters for EC2 instances, such as the instance type, security group, user data, and IAM instance profile. By using a launch template, the company can ensure that all EC2 instances in the Auto Scaling group have consistent configuration and permissions. The company should specify the name or ARN of the IAM instance profile in the launch template. This way, when the Auto Scaling group launches new EC2 instances based on the launch template, they will automatically receive the IAM role and its permissions through the instance profile.

The other options are not correct because they do not meet the requirements or follow best practices. Creating an IAM user and generating a secret key and token is not a good option because it involves managing long-term credentials that need to be rotated regularly. Moreover, embedding credentials in user data is not secure because user data is visible to anyone who can describe the EC2 instance. Creating a trust anchor and profile is not a valid option because trust anchors are used for certificate-based authentication, not for IAM roles or instance profiles. Modifying user data to use a new secret key and token is also not a good option because it requires updating user data every time the credentials change, which is not scalable or efficient.

1: AWS Certified DevOps Engineer - Professional Certification | AWS Certification | AWS

2: DevOps Resources - Amazon Web Services (AWS)

3: Exam Readiness: AWS Certified DevOps Engineer - Professional

IAM Roles for Amazon EC2 - AWS Identity and Access Management

Working with Instance Profiles - AWS Identity and Access Management

Launching an Instance Using a Launch Template - Amazon Elastic Compute Cloud

Temporary Security Credentials - AWS Identity and Access Management

Canary deployments gradually shift traffic (10% at first), enabling monitoring before full rollout.

Monitoring TargetResponseTime aligns with detecting increased latency, a key issue reported.

Alarms tied to the deployment group trigger automatic rollback on threshold breach.

UnHealthyHostCount and TargetConnectionErrorCount are less specific to response time issues.

Linear deployment is valid but canary is preferred for quick detection.

The core problem described is deployment inconsistency and lack of reliability caused by using AWS Systems Manager Run Command for application deployment. Run Command executes ad hoc commands and does not provide deployment orchestration, version tracking, lifecycle hooks, or health-based traffic control, which commonly leads to drift between EC2 instances.

The most reliable AWS-native solution is to adopt AWS CodePipeline combined with AWS CodeDeploy . Option B introduces a structured CI/CD pipeline with a clear build stage followed by a test stage , ensuring that only tested artifacts progress to deployment. Sequential build and test stages are preferred for reliability and deterministic behavior, especially when test results must gate deployments.

Option C is essential because AWS CodeDeploy is the service specifically designed to deploy application revisions consistently across EC2 fleets. By creating a CodeDeploy application and deployment group and integrating it with the ALB, deployments gain support for lifecycle events, health checks, instance synchronization, and automatic rollback. This ensures that all EC2 instances receive the same application version and that traffic is managed safely during deployments.

Option A introduces unnecessary parallelism that does not address the core issue. Option D adds excessive complexity with Lambda orchestration. Option E incorrectly replaces CodeArtifact with S3 without addressing deployment reliability.

Therefore, combining CodePipeline (B) with CodeDeploy and ALB integration (C) provides consistent, repeatable, and reliable deployments aligned with AWS best practices.

To meet the new guideline for application deployment, the company can use a combination of AWS CodePipeline and AWS CloudTrail. A manual approval action in CodePipeline allows the security team to review and approve changes before they are deployed. This action can be configured to pause the pipeline until approval is granted, ensuring that no changes move to production without the necessary sign-off. Additionally, by creating an AWS CloudTrail trail, all actions taken within CodePipeline, including approvals, are recorded and delivered to an Amazon S3 bucket. This provides an audit trail that can be retained for compliance and review purposes.

AWS CodePipeline’s manual approval action provides a way to ensure that a member of the security team can review and approve changes before they are deployed1.

AWS CloudTrail integration with CodePipeline allows for the recording and retention of all pipeline actions, including approvals, which can be stored in Amazon S3 for record-keeping2.

" The firewall appliance sends logs to Amazon CloudWatch Logs and includes event severities of CRITICAL, HIGH, MEDIUM, LOW, and INFO "

This solution will meet the requirements because it will use a CloudFormation custom resource to execute custom logic during the stack set operation. A custom resource is a resource that you define in your template and that is associated with an AWS Lambda function. The Lambda function runs whenever the custom resource is created, updated, or deleted, and can perform any actions that are supported by the AWS SDK. In this case, the Lambda function can use the GuardDuty API to check whether GuardDuty is already enabled in each target account, and if not, enable it. This way, the DevOps engineer can avoid deploying the stack set to accounts that already have GuardDuty enabled, and prevent failure during the deployment.

https://aws.amazon.com/blogs/mt/aws-config-auto-remediation-s3-compliance/ https://aws.amazon.com/blogs/aws/aws-config-rules-dynamic-compliance-checking-for-cloud-resources/

The solution that meets the requirements is to use EC2 Image Builder to create a container image pipeline, use Amazon ECR as the target repository, turn on enhanced scanning on the ECR repository, create an Amazon EventBridge rule to capture an Inspector2 finding event, and use the event to invoke the image pipeline. Re-upload the container to the repository.

This solution will continuously monitor the container repository for vulnerabilities using enhanced scanning, which is a feature of Amazon ECR that provides detailed information and guidance on how to fix security issues found in your container images. Enhanced scanning uses Inspector2, a security assessment service that integrates with Amazon ECR and generates findings for any vulnerabilities detected in your images. You can use Amazon EventBridge to create a rule that triggers an action when an Inspector2 finding event occurs. The action can be to invoke an EC2 Image Builder pipeline, which is a service that automates the creation of container images. The pipeline can use the latest patches and updates to build a new container image and upload it to the same ECR repository, replacing the vulnerable image.

The other options are not correct because they do not meet all the requirements or use services that are not relevant for the scenario.

Option B is not correct because it uses Amazon GuardDuty Malware Protection, which is a feature of GuardDuty that detects malicious activity and unauthorized behavior on your AWS accounts and resources. GuardDuty does not scan container images for vulnerabilities, nor does it integrate with Amazon ECR or EC2 Image Builder.

Option C is not correct because it uses basic scanning on the ECR repository, which only provides a summary of the vulnerabilities found in your container images. Basic scanning does not use Inspector2 or generate findings that can be captured by Amazon EventBridge. Moreover, basic scanning does not provide guidance on how to fix the vulnerabilities.

Option D is not correct because it uses AWS Systems Manager Compliance, which is a feature of Systems Manager that helps you monitor and manage the compliance status of your AWS resources based on AWS Config rules and AWS Security Hub standards. Systems Manager Compliance does not scan container images for vulnerabilities, nor does it integrate with Amazon ECR or EC2 Image Builder.

 Modify the Build Stage to Add a Test Action with a RunOrder Value of 2:

The build stage in AWS CodePipeline can have multiple actions. By adding a test action with a runOrder value of 2, the test action will execute after the initial build action completes.

 Use AWS CodeBuild as the Action Provider to Run Unit Tests:

AWS CodeBuild is a fully managed build service that compiles source code, runs tests, and produces software packages.

Using CodeBuild to run unit tests ensures that the tests are executed in a controlled environment and that only the code changes that pass the unit tests proceed to the deploy stage.

Example configuration in CodePipeline:

{

" name " : " BuildStage " ,

" actions " : [

{

" name " : " Build " ,

" actionTypeId " : {

" category " : " Build " ,

" owner " : " AWS " ,

" provider " : " CodeBuild " ,

" version " : " 1 "

},

" runOrder " : 1

},

{

" name " : " Test " ,

" actionTypeId " : {

" category " : " Test " ,

" owner " : " AWS " ,

" provider " : " CodeBuild " ,

" version " : " 1 "

},

" runOrder " : 2

}

]

}

By integrating the unit tests into the build stage and ensuring they run after the build process, the pipeline guarantees that only code changes passing all unit tests are deployed.

Option A is the most correct because it provides both : (1) automated patching and (2) compliance monitoring/enforcement across a fleet, using AWS-native services built for exactly this purpose.

AWS Systems Manager Patch Manager is designed to automate patching of managed instances using patch baselines , maintenance windows (or on-demand), and it produces compliance status for patching. It’s the standard AWS service to apply OS/security patches at scale without SSH’ing into instances.

AWS Config can be used to evaluate and track compliance over time against defined rules, giving centralized visibility and continuous compliance assessment. With remediation , Config can invoke Systems Manager Automation documents to correct non-compliant resources or trigger patch actions (depending on the rule/remediation design). This meets the “monitor and enforce” requirement.

Why the other options don’t meet requirements as well:

B is manual, doesn’t scale well, and increases operational risk (key management, human error). It’s not “automated monitoring and enforcement.”

C (replacing instances with new AMIs) can be part of an immutable infrastructure strategy, but by itself it does not provide compliance monitoring across the current fleet, and scaling policies based on CloudWatch metrics are unrelated to patch compliance. Also, patch cadence would depend on AMI pipelines and instance rotation rather than direct compliance enforcement.

D is operationally heavy and mismatched: CloudTrail records API activity; it does not natively provide “patch compliance” status for instance OS packages. Recreating instances via CloudFormation for every patch is not an efficient or standard enforcement mechanism for patch compliance.

Enable AWS Config Across the Organization:

AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. It can be used to assess, audit, and evaluate the configurations of your resources.

Enabling AWS Config across the organization ensures that all accounts are monitored for compliance.

Create a Conformance Pack Using the approved-amis-by-id AWS Config Managed Rule:

A conformance pack is a collection of AWS Config rules and remediation actions that can be easily deployed across an organization.

The approved-amis-by-id managed rule checks whether running instances are using approved AMIs.

Deploy the Conformance Pack Across the Organization:

Deploying the conformance pack across the organization ensures that all accounts adhere to the policy of using only approved AMIs.

The conformance pack can be deployed via the AWS Management Console, CLI, or SDKs.

Configure the Rule to Run the AWS-StopEC2Instance AWS Systems Manager Automation Runbook for Non-Compliant EC2 Instances:

The AWS-StopEC2Instance runbook can be configured to automatically stop any EC2 instances that are found to be non-compliant (i.e., not using approved AMIs).

This remediation action ensures that any unauthorized instances are promptly stopped, enforcing the policy without manual intervention.

By following these steps, the solution ensures that all EC2 instances across the organization use approved AMIs, and any non-compliant instances are remediated automatically.

The key requirement is to shift a small percentage of traffic to a new version first to validate changes before rolling out to the entire ECS service, thereby reducing downtime and deployment risk. For ECS services behind an Application Load Balancer, the AWS-recommended and most reliable approach is to use AWS CodeDeploy with blue/green or canary deployments .

Option B directly addresses this requirement. By configuring the ECS service to use CodeDeploy as the deployment controller , CodeDeploy can manage traffic shifting between two ALB target groups: one for the current (stable) version and one for the new version. The CodeDeployDefault.ECSCanary10Percent15Minutes deployment configuration initially routes 10% of production traffic to the new task set, monitors the deployment for issues, and then shifts the remaining traffic after the defined interval. This enables early detection of application errors while limiting user impact.

Option A and C rely on rolling updates , which replace tasks incrementally but do not provide precise traffic control or automated rollback based on health checks. Option D’s slow start setting only affects how quickly targets receive traffic after registration and does not implement true canary testing.

Therefore, using AWS CodeDeploy with ECS canary deployments is the most robust, AWS-supported solution to test changes safely before full rollout.

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html

To implement a more reliable deployment solution, a DevOps engineer should take the following actions:

Create a pipeline in AWS CodePipeline that uses the CodeCommit repository as a source provider. Configure pipeline stages that run the CodeBuild project in parallel to build and test the application. In the pipeline, pass the CodeBuild project output artifact to an AWS CodeDeploy action. This action will improve the deployment reliability by automating the entire process from code commit to deployment, reducing human errors and inconsistencies. By running the build and test stages in parallel, the pipeline can also speed up the delivery time and provide faster feedback. By using CodeDeploy as the deployment action, the pipeline can leverage the features of CodeDeploy, such as traffic shifting, health checks, rollback, and deployment configuration123

Create an AWS CodeDeploy application and a deployment group to deploy the packaged code to the EC2 instances. Configure the ALB for the deployment group. This action will improve the deployment reliability by using CodeDeploy to orchestrate the deployment across multiple EC2 instances behind an ALB. CodeDeploy can perform blue/green deployments or in-place deployments with traffic shifting, which can minimize downtime and reduce risks. CodeDeploy can also monitor the health of the instances during and after the deployment, and automatically roll back if any issues are detected. By configuring the ALB for the deployment group, CodeDeploy can register and deregister instances from the load balancer as needed, ensuring that only healthy instances receive traffic45

The other options are not correct because they do not improve the deployment reliability or follow best practices. Creating separate pipeline stages that run a CodeBuild project to build and then test the application is not a good option because it will increase the pipeline execution time and delay the feedback loop. Creating individual Lambda functions that use CodeDeploy instead of Systems Manager to run build, test, and deploy actions is not a valid option because it will add unnecessary complexity and cost to the solution. Lambda functions are not designed for long-running tasks such as building or deploying applications. Creating an Amazon S3 bucket and modifying the CodeBuild project to store the packages in the S3 bucket instead of in CodeArtifact is not a necessary option because it will not affect the deployment reliability. CodeArtifact is a secure, scalable, and cost-effective package management service that can store and share software packages for application development67

1: What is AWS CodePipeline? - AWS CodePipeline

2: Create a pipeline in AWS CodePipeline - AWS CodePipeline

3: Deploy an application with AWS CodeDeploy - AWS CodePipeline

4: What is AWS CodeDeploy? - AWS CodeDeploy

5: Configure an Application Load Balancer for your blue/green deployments - AWS CodeDeploy

6: What is AWS Lambda? - AWS Lambda

7: What is AWS CodeArtifact? - AWS CodeArtifact

The Amazon SQS service publishes several standard CloudWatch metrics by default, including ApproximateNumberOfMessagesVisible, which represents the number of messages available for retrieval from the queue (i.e., the number of messages waiting to be processed). This is the primary metric to monitor queue backlog and processing delays.

Using ApproximateNumberOfMessagesVisible to monitor the visible messages in the queue gives a direct and near real-time indication of processing delays or backlog.

CloudWatch metrics are automatically collected and available without the need to create custom metrics or Lambda functions, which increases operational efficiency by reducing complexity and maintenance overhead.

Setting a CloudWatch alarm on this metric with a static threshold and a reasonable evaluation period (such as 1 hour) is sufficient to alert the team when the queue grows beyond an expected size.

The alarm can be directly configured to send notifications to an existing SNS topic, maintaining seamless integration with the team’s alerting mechanisms.

The ApproximateNumberOfMessagesDelayed metric refers to messages that are delayed and not available for processing yet due to delay settings, which is not the direct backlog that causes business process delays.

Options C and D introduce unnecessary complexity by requiring Lambda functions and custom metrics or scheduled invocations, which reduce operational efficiency compared to using built-in CloudWatch metrics and alarms.

Reference from AWS Official Documentation and Study Guide:

Amazon SQS Monitoring with CloudWatch Metrics: " Amazon SQS automatically sends metrics to CloudWatch, including ApproximateNumberOfMessagesVisible, which shows the number of messages available for retrieval. " (Source: Amazon SQS Monitoring - AWS Documentation)

Setting CloudWatch Alarms for SQS Queues: " You can create CloudWatch alarms on SQS metrics such as ApproximateNumberOfMessagesVisible to receive notifications when the queue size exceeds a threshold. " (Source: Amazon CloudWatch Alarms - AWS Documentation)

AWS DevOps Engineer Professional Exam Guide: " Efficient alerting for queue backlogs should leverage native CloudWatch metrics to minimize operational overhead. " (Source: Official AWS Certified DevOps Engineer Professional Study Guide)

https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-abac.html

https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/metrics-collected-by-CloudWatch-agent.html

C. Create new ALB and Auto Scaling group resources in the new Region and configure the new ALB to direct traffic to the new Auto Scaling group. This will allow users in the new Region to access the application with lower latency by reducing the network hops between the user and the application servers.

D. Create Amazon Route 53 records, health checks, and latency-based routing policies to route to the ALB. This will enable Route 53 to route user traffic to the nearest healthy ALB, based on the latency between the user and the ALBs.

F. Convert the DynamoDB table to a global table. This will enable reads and writes to the table in both Regions with low latency, improving the overall response time of the application

To implement governance controls that restrict AWS service usage to within the United States and ensure alerts for any activity outside the governance policy, the following actions will meet the requirements:

A. Create an AWS Organizations SCP that denies access to all non-global services in non-US Regions. Attach the policy to the root of the organization. This action will effectively prevent users and roles in all accounts within the organization from accessing services in non-US Regions12.

B. Configure AWS CloudTrail to send logs to Amazon CloudWatch Logs and enable it for all Regions. Use a CloudWatch Logs metric filter to send an alert on any service activity in non-US Regions. This action will allow monitoring of all AWS Regions and will trigger alerts if any activity is detected in non-US Regions, ensuring that the governance team is notified as soon as possible3.

AWS Documentation on Service Control Policies (SCPs) and how they can be used to manage permissions and restrict access based on Regions12.

AWS Documentation on monitoring CloudTrail log files with Amazon CloudWatch Logs to set up alerts for specific activities3.

AWS Organizations is a service that helps to manage multiple AWS accounts. AWS Control Tower is a service that makes it easy to set up and govern secure, compliant multi-account AWS environments. Account Factory for Terraform (AFT) is an AWS Control Tower feature that provisions new accounts using Terraform templates. To provision new accounts with the Enterprise Support plan, the DevOps engineer can set the aft_feature_enterprise_support feature flag to True in the AFT deployment input configuration. This flag enables the Enterprise Support plan for newly provisioned accounts.

https://docs.aws.amazon.com/controltower/latest/userguide/aft-feature-options.html

https://docs.aws.amazon.com/codedeploy/latest/userguide/reference-appspec-file-structure-hooks.html#appspec-hooks-lambda

(A) Use ECR replication to keep images synchronized between Regions, minimizing CI/CD pipeline changes.

(C) DynamoDB global tables allow multi-Region replication and provide local read/write access, so tasks should interact with the DynamoDB replica in their Region.

(D) Use S3 cross-Region replication or separate buckets with replication; tasks access the bucket in the same Region for latency and data sovereignty.

(B) Using DynamoDB global table but pointing tasks to only one Region reduces resilience.

(E) S3 Multi-Region Access Points are newer but add complexity and are not required for minimal changes.

(F) Managing CI/CD pipeline for multiple Regions and failover routing adds complexity beyond minimal changes.

 Step 1: Attaching the CloudWatchAgentServerPolicy to the IAM Role

The CloudWatch agent needs permissions to collect and send metrics, including memory metrics, to Amazon CloudWatch. You can attach the CloudWatchAgentServerPolicy managed IAM policy to the IAM instance profile or service account role to grant these permissions.

Action: Attach the CloudWatchAgentServerPolicy managed IAM policy to the IAM instance profile that the EKS cluster uses.

Why: This ensures the CloudWatch agent has the necessary permissions to collect memory metrics.

A: If the ApproximateAgeOfOldestMessages indicate that orders are remaining in the SQS queue for longer than expected, the reserved concurrency limit may be set too small to keep up with the number of orders entering the queue and is being throttled. D: The DynamoDB table is using Auto Scaling. With Auto Scaling, you create a scaling policy that specifies whether you want to scale read capacity or write capacity (or both), and the minimum and maximum provisioned capacity unit settings for the table. The ThottledWriteRequests metric will indicate if there is a throttling issue on the DynamoDB table, which can be resolved by increasing the maximum write capacity units for the table ' s Auto Scaling policy. https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/AutoScaling.html

To invoke many Lambda functions in parallel and allow each function to have independent retry logic and concurrency management, using SQS queues for each Lambda function is recommended.

The BeginResponse Lambda publishes a message to an SNS topic, which fans out to multiple SQS queues (one per Lambda).

Each Lambda function polls its own SQS queue, allowing fine-grained control of concurrency and retry behavior.

SNS alone (Option A) invokes Lambda functions but lacks the queue’s buffering and retry durability.

Step Functions (Option D) would invoke Lambdas sequentially, not in parallel, and add complexity.

Option C reverses SNS and SQS in an inefficient manner.

Use a Service Control Policy (SCP) with a Null condition on lambda:VpcIds to deny Lambda function creation or update when not VPC-attached. This enforces compliance across all accounts automatically without manual remediation, aligning with AWS Control Tower governance recommendations.

This failure is typically due to incorrectly configured health checks in Elastic Load Balancing for the Classic Load Balancer, Application Load Balancer, or Network Load Balancer used to manage traffic for the deployment group. To resolve the issue, review and correct any errors in the health check configuration for the load balancer. https://docs.aws.amazon.com/codedeploy/latest/userguide/troubleshooting-deployments.html#troubleshooting-deployments-allowtraffic-no-logs

it involves adding an IPv6 CIDR block to the VPC and subnets for the ALB and specifying the dualstack IP address type on the ALB listener. This allows the ALB to listen on both IPv4 and IPv6 addresses, and forward requests to the EC2 instances that are added as targets to the target group associated with the ALB.

Option A is incorrect because EventBridge rules cannot filter events based on the message body or attributes of the target service. Therefore, configuring an SNS subscription filter policy to match the CloudFormation stack will not work. The SNS topic will receive all events from the EventBridge rule, regardless of the stack name or drift status.

Option B is incorrect because it introduces unnecessary complexity and cost. Creating a second Lambda function to query the CloudFormation API for the drift detection results is redundant, since CloudFormation already publishes drift detection events to EventBridge. Moreover, invoking two Lambda functions every hour will incur more charges than invoking one.

Option C is incorrect because GuardDuty does not provide drift detection for CloudFormation stacks. GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior in AWS accounts and workloads. It does not monitor or report on configuration changes or drifts in CloudFormation stacks.

Option D is correct because it leverages AWS Config and its managed rule for drift detection. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It can detect configuration changes and drifts in CloudFormation stacks using the cloudformation-stack-drift-detection-check managed rule. This rule triggers an AWS Config event when a stack drifts from its expected template configuration. By creating a second EventBridge rule that reacts to this event for the specific stack, the DevOps engineer can configure the SNS topic as a target and receive a notification as soon as possible when drift is detected.

 For deploying a Ruby-based application with requirements for interaction with an Amazon RDS for MySQL database, automatic scaling, high availability, and data persistence, the following steps will meet the requirements:

B. Deploy the application on AWS Elastic Beanstalk. Deploy a separate Amazon RDS for MySQL DB instance outside of Elastic Beanstalk. This approach ensures that the database persists independently of the Elastic Beanstalk environment, which can be torn down and recreated without affecting the database123.

E. Use the immutable deployment method to deploy new application versions. Immutable deployments provide a zero-downtime deployment method that ensures that if any part of the deployment process fails, the environment is rolled back to the original state automatically4.

D. Configure an Amazon EventBridge rule to monitor AWS Health events. Use an Amazon Simple Notification Service (Amazon SNS) topic as a target to alert the application team. This setup allows for automated monitoring and alerting of the application team in case of deployment failures or other health events56.

AWS Elastic Beanstalk documentation on deploying Ruby applications1.

AWS documentation on application auto-scaling7.

AWS documentation on automated deployment strategies with automatic rollbacks and alerts456.

S3 cross-Region replication (CRR) automatically replicates data between buckets across different AWS Regions. To enable CRR, you need to add a replication configuration to your source bucket that specifies the destination bucket, the IAM role, and the encryption type (optional). You also need to grant permissions to the IAM role to perform replication actions on both the source and destination buckets. Additionally, you can choose the destination storage class and enable additional replication options such as S3 Replication Time Control (S3 RTC) or S3 Batch Replication. https://medium.com/cloud-techies/s3-same-region-replication-srr-and-cross-region-replication-crr-34d446806bab https://aws.amazon.com/getting-started/hands-on/replicate-data-using-amazon-s3-replication/ https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication.html

To implement a control that requires the use of IMDSv2 on all EC2 instances in the account, the DevOps engineer can use a permissions boundary. A permissions boundary is a policy that defines the maximum permissions that an IAM entity can have. The DevOps engineer can create a permissions boundary that prevents the ec2:RunInstance action if the ec2:MetadataHttpTokens condition key is not set to a value of required. This condition key enforces the use of IMDSv2 on EC2 instances. The DevOps engineer can attach the permissions boundary to the IAM role that was used to launch the instance. This way, any attempt to launch an EC2 instance without using IMDSv2 will be denied by the permissions boundary.

Using an organization trail with logs centralized in the audit account’s S3 bucket ensures compliance and isolation. An EventBridge rule in the audit account triggers on failed login events (ConsoleLogin failed) and sends SNS notifications in near real time.

Having separate CodeArtifact repositories in dev and prod accounts provides clear isolation and control.

Repository policies can restrict dev repo access to developers.

EventBridge triggers pipelines to test and promote packages only if tests pass, ensuring safe deployment to production.

Using S3 (C and D) is not ideal for package management.

A single repo (A) complicates access and version control across accounts.

To restrict direct access to API Gateway, add a custom header in the CloudFront distribution origin request and use a Lambda authorizer in API Gateway to validate that header. Only requests routed through CloudFront will include this header. This is the AWS-recommended pattern in “Secure your APIs behind CloudFront using custom headers and Lambda authorizers.”

When setting the flag authenticated-read in the command line, the owner gets FULL_CONTROL. The AuthenticatedUsers group (Anyone with an AWS account) gets READ access. Reference: https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html

 Ensure that Amazon GuardDuty is Enabled:

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior.

It can detect port scans and generate findings for these events.

 Create an Amazon CloudWatch Alarm for Detected EC2 and Port Scan Findings:

Configure GuardDuty to monitor for port scans and other threats.

Create a CloudWatch alarm that triggers when GuardDuty detects port scan activities.

 Connect the Alarm to the SNS Topic:

The CloudWatch alarm should be configured to send notifications to the SNS topic subscribed by the security team.

This setup ensures that the security team receives near-real-time notifications when a port scan is detected on the EC2 instances.

Example configuration steps:

Enable GuardDuty and ensure it is monitoring the relevant AWS accounts.

Create a CloudWatch alarm:

{

" AlarmName " : " GuardDutyPortScanAlarm " ,

" MetricName " : " ThreatIntelIndicator " ,

" Namespace " : " AWS/GuardDuty " ,

" Statistic " : " Sum " ,

" Dimensions " : [

{

" Name " : " FindingType " ,

" Value " : " Recon:EC2/Portscan "

}

],

" Period " : 300,

" EvaluationPeriods " : 1,

" Threshold " : 1,

" ComparisonOperator " : " GreaterThanOrEqualToThreshold " ,

" AlarmActions " : [ " arn:aws:sns:region:account-id:SecurityAlerts " ]

}

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-importvalue.html

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-importvalue.html CF of network exports the VPC, subnet or needed information CF of application imports the above information to its stack and UpdateChangeSet/ ExecuteChangeSet

This solution meets the requirements in the most operationally efficient manner by automating the application restart process on the instances without restarting them. When the CloudWatch alarm enters the ALARM state, the EventBridge rule is triggered, which in turn invokes the Systems Manager Automation runbook that contains the script to restart the application on the instances.

CodeDeploy supports TimeBasedLinear traffic shifting for ECS blue/green deployments. Traffic increments by linearPercentage every linearInterval until 100%. This provides zero-downtime gradual rollout — as per CodeDeploy ECS Blue/Green Traffic Shifting documentation.

AWS Systems Manager Patch Manager automates patch scanning and installation. Integrating with AWS Config enables compliance reporting and auto-remediation. This provides centralized patch compliance management per AWS Ops best practices.

The root cause of the problem is that the RDS PostgreSQL instance is exceeding its database connection limit due to high volumes of concurrent GET requests. The most efficient and lowest-effort remediation is to reduce the number of connections that reach the database and serve as many reads as possible from a cache layer. Option B accomplishes both goals with minimal changes to the existing architecture.

First, RDS Proxy manages database connections efficiently by pooling and reusing them. This reduces connection churn and prevents the Lambda function from opening excessive concurrent connections during traffic spikes. RDS Proxy is natively integrated with RDS and requires only minor configuration changes without altering application logic.

Second, enabling API Gateway caching allows caching GET responses directly at the API layer. Because over 90% of requests are GET operations, enabling caching drastically reduces traffic hitting both Lambda and RDS, significantly improving performance and lowering connection pressure.

Option C also improves read scaling, but adding ElastiCache introduces additional infrastructure and requires modifying application code to query Redis before querying the database. This is more complex than enabling API Gateway caching. Options A and D require full database migration, which is far more labor-intensive.

Option B is the simplest, most effective, and most aligned with AWS best practices for reducing RDS connection saturation.

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html?icmpid=docs_orgs_console

SCPs (Service Control Policies) are the best way to restrict permissions at the organizational level, which in this case would be used to restrict modifications to the IAM role used by the auditing application, while still allowing trusted administrators to make changes to it. Options C and D are not as effective because IAM permission boundaries are applied to IAM entities (users, groups, and roles), not the account itself, and must be applied to all IAM entities in the account.

Step A: Using a tool like CloudFormation resource import or IaC generator to scan and create a template from existing resources is efficient to bring current infrastructure under management.

Step C: Using CodeConnections (AWS ' s solution to connect Git repositories) with AWS CodePipeline ensures any changes to CloudFormation templates in the Git repo automatically deploy infrastructure changes, enforcing infrastructure as code workflows.

Step E: Creating an IAM role with CloudFormation as the principal ensures CloudFormation has permissions to manage resources. Using an SCP to deny all actions except by this role enforces strict control, preventing manual changes outside the pipeline. Option B uses AWS Config which is more for compliance and auditing, not direct resource import. Option D is invalid because CloudFormation does not natively sync with Git; CodePipeline does. Option F is less secure than denying all except the IAM role.

Create an Amazon EventBridge (Amazon CloudWatch Events) rule that matches an AWS Config evaluation result of NON_COMPLIANT for the restricted-ssh rule. Configure an input transformer for the EventBridge (CloudWatch Events) rule. Configure the EventBridge (CloudWatch Events) rule to publish a notification to the SNS topic. This approach uses Amazon EventBridge (previously known as Amazon CloudWatch Events) to filter AWS Config evaluation results based on the restricted-ssh rule and its compliance status (NON_COMPLIANT). An input transformer can be used to customize the information contained in the notification, such as the name and ID of the noncompliant security group. The EventBridge (CloudWatch Events) rule can then be configured to publish a notification to the SNS topic, which will notify the appropriate personnel in real-time.

When you create a pipeline from CodePipeline during the step-by-step it creates a CloudWatch Event rule for a given branch and repo

like this:

{

" source " : [

" aws.codecommit "

],

" detail-type " : [

" CodeCommit Repository State Change "

],

" resources " : [

" arn:aws:codecommit:us-east-1:xxxxx:repo-name "

],

" detail " : {

" event " : [

" referenceCreated " ,

" referenceUpdated "

],

" referenceType " : [

" branch "

],

" referenceName " : [

" master "

]

}

}

https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-trigger-source-repo-changes-console.html

Option A is incorrect because creating an Amazon EventBridge rule that invokes an AWS Lambda function to query the applications on a 5-minute interval is not a valid solution. EventBridge rules can only trigger Lambda functions based on events, not on time intervals. Moreover, querying the applications on a 5-minute interval might incur unnecessary costs and network overhead, and might not detect performance issues in real time.

Option B is correct because creating an Amazon CloudWatch Synthetics canary that runs a custom script to query the applications on a 5-minute interval is a valid solution. CloudWatch Synthetics canaries are configurable scripts that monitor endpoints and APIs by simulating customer behavior. Canaries can run as often as once per minute, and can measure the latency and availability of the applications. Canaries can also send notifications to an Amazon SNS topic when they detect errors or performance issues1.

Option C is incorrect because creating an Amazon CloudWatch alarm that uses the AWS/ApplicationELB namespace RequestCountPerTarget metric is not a valid solution. The RequestCountPerTarget metric measures the number of requests completed or connections made per target in a target group2. This metric does not reflect the application response time, which is the requirement. Moreover, configuring the CloudWatch alarm to send a notification when the number of connections becomes greater than the configured number of threads that the application supports is not a valid way to measure the application performance, as it depends on the application design and implementation.

Option D is incorrect because creating an Amazon CloudWatch alarm that uses the AWS/ApplicationELB namespace RequestCountPerTarget metric is not a valid solution, for the same reason as option C. The RequestCountPerTarget metric does not reflect the application response time, which is the requirement. Moreover, configuring the CloudWatch alarm to send a notification when the average response time becomes greater than the longest response time that the application supports is not a valid way to measure the application performance, as it does not account for variability or outliers in the response time distribution.

Use cross-account EventBridge by configuring a rule in the source (automation) account to send events to the target accounts’ default event buses, and grant permissions on the target default event buses to accept events from the source account. This is the standard cross-account event routing model.

EC2 instances running in private subnets of a VPC can now have controlled access to S3 buckets, objects, and API functions that are in the same region as the VPC. You can use an S3 bucket policy to indicate which VPCs and which VPC Endpoints have access to your S3 buckets 1- https://aws.amazon.com/pt/blogs/aws/new-vpc-endpoint-for-amazon-s3/

To implement failover for the application to the secondary Region so that HTTP GET requests meet the desired RTO, the DevOps engineer should use the following solution:

Create a new origin on the distribution for the secondary ALB. A CloudFront origin is the source of the content that CloudFront delivers to viewers. By creating a new origin for the secondary ALB, the DevOps engineer can configure CloudFront to route traffic to the secondary Region when the primary Region is unavailable1

Create a new origin group. Set the original ALB as the primary origin. Configure the origin group to fail over for HTTP 5xx status codes. An origin group is a logical grouping of two origins: a primary origin and a secondary origin. By creating an origin group, the DevOps engineer can specify which origin CloudFront should use as a fallback when the primary origin fails. The DevOps engineer can also define which HTTP status codes should trigger a failover from the primary origin to the secondary origin. By setting the original ALB as the primary origin and configuring the origin group to fail over for HTTP 5xx status codes, the DevOps engineer can ensure that CloudFront will switch to the secondary ALB when the primary ALB returns server errors2

Update the default behavior to use the origin group. A behavior is a set of rules that CloudFront applies when it receives requests for specific URLs or file types. The default behavior applies to all requests that do not match any other behaviors. By updating the default behavior to use the origin group, the DevOps engineer can enable failover routing for all requests that are sent to the distribution3

This solution will meet the requirements because it will automate the failover of the application to the secondary Region with zero-second RTO. When CloudFront receives an HTTP GET request, it will first try to route it to the primary ALB in the primary Region. If the primary ALB is healthy and returns a successful response, CloudFront will deliver it to the viewer. If the primary ALB is unhealthy or returns an HTTP 5xx status code, CloudFront will automatically route the request to the secondary ALB in the secondary Region and deliver its response to the viewer.

The other options are not correct because they either do not provide zero-second RTO or do not work as expected. Creating a second CloudFront distribution that has the secondary ALB as the default origin and creating Amazon Route 53 alias records that have a failover policy is not a good option because it will introduce additional latency and complexity to the solution. Route 53 health checks and DNS propagation can take several minutes or longer, which means that viewers might experience delays or errors when accessing the application during a failover event. Creating Amazon Route 53 alias records that have a failover policy and Evaluate Target Health set to Yes for both ALBs and setting the TTL of both records to O is not a valid option because it will not work with CloudFront distributions. Route 53 does not support health checks for alias records that point to CloudFront distributions, so it cannot detect if an ALB behind a distribution is healthy or not. Creating a CloudFront function that detects HTTP 5xx status codes and returns a 307 Temporary Redirect error response to the secondary ALB is not a valid option because it will not provide zero-second RTO. A 307 Temporary Redirect error response tells viewers to retry their requests with a different URL, which means that viewers will have to make an additional request and wait for another response from CloudFront before reaching the secondary ALB.

1: Adding, Editing, and Deleting Origins - Amazon CloudFront

2: Configuring Origin Failover - Amazon CloudFront

3: Creating or Updating a Cache Behavior - Amazon CloudFront

Create an SQS dead-letter queue. Modify the existing queue by including a redrive policy that sets the Maximum Receives setting to 1 and sets the dead-letter queue ARN to the ARN of the newly created queue. Instruct the scientists to use the dead-letter queue to review the data that is not valid. Reprocess this data at a later time.

RDS Multi-AZ cluster deployments with cross-Region read replicas support near real-time replication ( < 1 min RPO) and fast promotion ( < 10 min RTO). Route 53 CNAME failover redirects application traffic automatically. This is the AWS-recommended DR pattern.

 To optimize the Macie costs for the account without compromising the account’s functionality, the DevOps engineer needs to exclude S3 buckets that do not contain sensitive data from automated discovery. S3 buckets that contain CloudTrail logs are unlikely to have sensitive data, and Macie charges for scanning and monitoring data in S3 buckets. Therefore, excluding S3 buckets that contain CloudTrail logs from automated discovery can reduce Macie costs. Similarly, configuring discovery jobs to include S3 objects based on the last modified criterion can also reduce Macie costs, as it will only scan and monitor new or updated objects, rather than all objects in the bucket.

It allows the company to detect potentially compromised EC2 instances, suspicious network activity, and unusual API activity in its existing AWS accounts and in any AWS accounts that the company creates in the future using Amazon GuardDuty. It also provides a solution for automatically adding future AWS accounts to GuardDuty by configuring GuardDuty to add newly created AWS accounts by invitation and to send invitations to the existing AWS accounts.

When a Lambda function processes an SQS batch and a subset of messages fail, the default behavior re-queues the entire batch, causing already-successfully-processed messages to be delivered and processed again. The ReportBatchItemFailures feature in the Lambda event source mapping allows the function to return a partial failure response, indicating only the specific message IDs that failed. Lambda then deletes the successfully processed messages from the queue and re-queues only the failed items, preventing duplicate processing of successful messages. This approach maintains high concurrency because it does not restrict parallelism. Setting batch size to 1 (Option B) avoids batching entirely but eliminates the concurrency and throughput benefits. Reserved concurrency of 1 (Option D) severely restricts scalability. A 1-second batch window (Option A) affects how long Lambda waits to form a batch but does not prevent duplicate processing.

================

The CfCT solution is designed for the exact purpose stated in the question. It extends the capabilities of AWS Control Tower by providing you with a way to automate resource provisioning and apply custom configurations across all AWS accounts created in the Control Tower environment. This enables the company to implement additional account customizations when new accounts are provisioned via the Control Tower Account Factory. The CloudFormation templates and SCPs can be added to a CodeCommit repository and will be automatically deployed to new accounts when they are created. This provides a highly automated solution that does not require manual intervention to deploy resources and SCPs to new accounts.

AWS Config can monitor compliance by checking EC2 software inventory. Custom Config rules can automatically trigger Systems Manager Automation documents as remediation actions when noncompliant (software missing). This meets policy enforcement goals with automation.

This approach is the most operationally efficient because it leverages the benefits of containerization, such as isolation and reproducibility, as well as AWS managed services. AWS CodeBuild is a fully managed build service that can compile your source code, run tests, and produce deployable software packages. By using a custom Docker image that includes all dependencies, you can ensure that the environment in which your code is built is consistent. Using Amazon ECR to store Docker images lets you easily deploy the images to any environment. Also, you can directly upload the build artifacts to Amazon S3 from AWS CodeBuild, which is beneficial for version control and archival purposes.

This solution will meet the requirements because it will use CloudFormation nested stacks and stack sets to deploy the templates more efficiently and consistently across multiple regions. Nested stacks allow the company to separate out common components and reuse templates, while stack sets allow the company to create stacks in multiple accounts and regions with a single template. The company can also use Amazon SNS to send notifications to the data engineering team whenever a change is made to the templates or the stacks. Amazon SNS is a service that allows you to publish messages to subscribers, such as email addresses, phone numbers, or other AWS services. By using Amazon SNS, the company can ensure that the data engineering team is aware of all changes to the templates and can take appropriate actions if needed. What is Amazon SNS? - Amazon Simple Notification Service

Amazon ECR supports enhanced scanning powered by Amazon Inspector, which provides deeper security scanning for container images including OS and programming language package vulnerabilities.

Enabling enhanced scanning (Option B) allows detection of CRITICAL and HIGH vulnerabilities.

Amazon ECR emits scan completion events via EventBridge, which can trigger Lambda functions. The Lambda function can process the scan results from Amazon Inspector and programmatically approve or reject the image in the CI/CD pipeline (Option D).

Basic scanning (Option A) is limited and does not integrate with Inspector.

Options C and E describe functionalities not natively supported (ECR does not automatically submit Rejected status; Clair is not used in AWS ECR scanning).

The correct answer is C.

Option A is incorrect because using CloudWatch metrics to create a custom expression that identifies the CloudWatch log groups that have the most data being written to them is not a valid solution. CloudWatch metrics do not provide information about the size or volume of data being ingested by CloudWatch logs. CloudWatch metrics only provide information about the number of events, bytes, and errors that occur within a log group or stream. Moreover, creating a custom expression with CloudWatch metrics would require using the search_web tool, which is not necessary for this use case.

Option B is incorrect because using CloudWatch Logs Insights to create a set of queries for the application log groups to identify the number of logs written for a period of time is not a valid solution. CloudWatch Logs Insights can help analyze and filter log events based on patterns and expressions, but it does not provide information about the cost or billing of CloudWatch logs. CloudWatch Logs Insights also charges based on the amount of data scanned by each query, which could increase the logging costs further.

Option C is correct because using AWS Cost Explorer to generate a cost report that details the cost for CloudWatch usage is a valid solution. AWS Cost Explorer is a tool that helps visualize, understand, and manage AWS costs and usage over time. AWS Cost Explorer can generate custom reports that show the breakdown of costs by service, region, account, tag, or any other dimension. AWS Cost Explorer can also filter and group costs by usage type, which can help identify the specific CloudWatch log groups that are the source of the increased logging costs.

Option D is incorrect because using AWS CloudTrail to filter for CreateLogStream events for each application is not a valid solution. AWS CloudTrail is a service that records API calls and account activity for AWS services, including CloudWatch logs. However, AWS CloudTrail does not provide information about the cost or billing of CloudWatch logs. Filtering for CreateLogStream events would only show when a new log stream was created within a log group, but not how much data was ingested or stored by that log stream.

For automatic failover to a secondary Region, several conditions must be met. Amazon Keyspaces multi-Region replication provides continuous, near-real-time data replication across Regions, ensuring data is available in the secondary Region without manual intervention, unlike point-in-time recovery. ECR private image replication automatically keeps container images synchronized to the secondary Region registry. Setting the Fargate service desired count to 1 in the secondary Region creates a warm standby that can immediately accept traffic during failover, unlike desired count of 0 which would require scale-up time. Route 53 failover routing policy combined with ALB health checks automatically redirects DNS traffic to the secondary Region when the primary becomes unhealthy. A weighted routing policy does not support automatic failover behavior. Option C uses a manual image copy rather than automated replication, making it unsuitable for continuous DR.

================

The company needs fast, proactive alerts for future performance issues, beyond basic EC2 metrics. Option A provides a complete, AWS-native monitoring pattern aligned with best practices:

Enable detailed monitoring on EC2 instances to increase metric resolution (from 5-minute to 1-minute intervals), improving the responsiveness of alarms.

Define custom CloudWatch metrics for application-level indicators such as request latency, error rate, queue depth, or throughput. These metrics can be published from the application or sidecar agents.

Create CloudWatch alarms on both infrastructure (CPU, network, disk) and custom application metrics with thresholds that reflect performance SLOs. Alarms can notify teams via SNS or incident management tools.

Use CloudWatch Logs Insights to analyze logs for recurring error patterns, slow requests, or exceptions when alarms fire.

Option B focuses on tracing and frontend RUM; while useful, it is more complex and not necessary just to get quick alerts. Option C uses services (CloudTrail, GuardDuty, Trusted Advisor) that are not focused on real-time performance detection. Option D with VPC Flow Logs is network-level and would not detect general application performance issues.

Thus, Option A offers a direct, efficient way to detect and alert on performance degradations quickly.

B. Update the CodeBuild project role with the necessary permissions and then remove the AWS credentials from the environment variable. C. Store the DB_PASSWORD as a SecureString value in AWS Systems Manager Parameter Store and then remove the DB_PASSWORD from the environment variables. E. Use AWS Systems Manager run command versus scp and ssh commands directly to the instance.

The correct answer is D. The scenario requires a solution that can migrate an application from on premises to AWS, run on specific versions of Apache Tomcat, HAProxy, and Varnish Cache, tune the operating system-level parameters, automate the deployment of new application versions, and scale and replace faulty servers automatically. Option D meets all these requirements by using AWS CodeCommit, AWS CodeDeploy, AWS CodePipeline, and Amazon EC2 Auto Scaling. AWS CodeCommit is a fully managed source control service that hosts Git repositories and works with Git-based tools. AWS CodeDeploy is a fully managed deployment service that automates software deployments to a variety of compute services, including Amazon EC2, AWS Fargate, AWS Lambda, and on-premises servers. AWS CodePipeline is a fully managed continuous delivery service that helps automate the release pipelines for fast and reliable application updates. Amazon EC2 Auto Scaling helps maintain application availability and allows scaling of Amazon EC2 capacity up or down automatically according to the defined conditions. By using these services together, the DevOps engineer can migrate the application code to AWS, configure and install the necessary software using the appspec.yml file, automate the deployment process using the pipeline, and scale and replace the servers using the Auto Scaling group.

Option A is incorrect because AWS Fargate is a serverless compute engine for containers that works with Amazon ECS and Amazon EKS. Fargate removes the need to provision and manage servers, but it also limits the ability to tune the operating system-level parameters, which is a requirement in the scenario. Moreover, Fargate does not support HAProxy and Varnish Cache as sidecar containers, which are needed to run the application properly.

Option B is incorrect because AWS Elastic Beanstalk is a fully managed service that automates the deployment and scaling of web applications and services using familiar servers such as Apache, Nginx, Passenger, and IIS. However, Elastic Beanstalk does not support HAProxy and Varnish Cache as part of the Tomcat solution stack, which are needed to run the application properly. Moreover, Elastic Beanstalk web server tier environments are designed to serve HTTP requests, not to process background tasks, which is the purpose of worker tier environments.

Option C is incorrect because AWS Elastic Beanstalk worker tier environments are designed to process background tasks using a daemon process that runs on each Amazon EC2 instance in the environment. Worker tier environments are not suitable for running web applications that serve HTTP requests, which is the case in the scenario. Moreover, Elastic Beanstalk does not support HAProxy and Varnish Cache as part of the Tomcat solution stack, which are needed to run the application properly.

AWS CodeCommit

AWS CodeDeploy

AWS CodePipeline

Amazon EC2 Auto Scaling

AWS Fargate

AWS Elastic Beanstalk

Step 1: Using Service Control Policies (SCPs) for EC2 SecurityTo limit the use of EC2 instance credentials to the specific EC2 instance they are assigned to, you can create a Service Control Policy (SCP) that verifies specific conditions, such as whether the EC2 instance ' s source VPC and private IP match expected values.

Action: Create an SCP that checks whether the values of the aws:EC2InstanceSourceVPC and aws:SourceVpc condition keys are the same. Deny access if they are not.

Why: This ensures that credentials cannot be used outside the designated EC2 instance or VPC.

Step 2: Further Validation with Private IPsThe SCP should also verify that the EC2 instance ' s private IP matches the IP range specified for the VPC. If the instance ' s private IP does not match, access should be denied.

Action: In the same SCP, check whether the values of the aws:EC2InstanceSourcePrivateIP and aws:VpcSourceIP condition keys are the same. Deny access if they are not.

Why: This ensures that the credentials are only used within the specific EC2 instance and its associated VPC.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-updatepolicy.html

The best solution to implement failover for the application is to use CloudFront origin groups. Origin groups allow CloudFront to automatically switch to a secondary origin when the primary origin is unavailable or returns specific HTTP status codes that indicate a failure1. This way, CloudFront can serve the requests from the secondary ALB in the secondary Region without any delay or redirection. To set up origin groups, the DevOps engineer needs to create a new origin on the distribution for the secondary ALB, create a new origin group with the original ALB as the primary origin and the secondary ALB as the secondary origin, and configure the origin group to fail over for HTTP 5xx status codes. Then, the DevOps engineer needs to update the default behavior to use the origin group instead of the single origin2.

The other options are not as effective or efficient as the solution in option B. Option A is not suitable because creating a second CloudFront distribution will increase the complexity and cost of the application. Moreover, using Route 53 alias records with a failover policy will introduce some delay in detecting and switching to the secondary CloudFront distribution, which may not meet the zero-second RTO requirement. Option C is not feasible because CloudFront does not support using Route 53 alias records as origins3. Option D is not advisable because using a CloudFront function to redirect the requests to the secondary ALB will add an extra round-trip and latency to the failover process, which may also not meet the zero-second RTO requirement.

1: Optimizing high availability with CloudFront origin failover - Amazon CloudFront

2: Creating an origin group - Amazon CloudFront

3: Values That You Specify When You Create or Update a Web Distribution - Amazon CloudFront

" Note that the metric filter is different from a log insights query, where the experience is interactive and provides immediate search results for the user to investigate. No automatic action can be invoked from an insights query. Metric filters, on the other hand, will generate metric data in the form of a time series. This lets you create alarms that integrate into your ITSM processes, execute AWS Lambda functions, or even create anomaly detection models. " https://aws.amazon.com/blogs/mt/quantify-custom-application-metrics-with-amazon-cloudwatch-logs-and-metric-filters/

The question focuses on detecting supply chain attacks that bypass CI/CD controls and result in malicious runtime behavior in the deployed serverless application. This requires runtime threat detection , not just static scanning or infrastructure validation.

Amazon GuardDuty is AWS’s managed threat detection service. GuardDuty now includes Lambda Protection , which analyzes Lambda function behavior, including network calls, IAM API usage, and other signals to detect compromised functions, crypto-mining, data exfiltration, and other malicious activity. GuardDuty automatically ingests CloudTrail, VPC Flow Logs (if enabled), and other telemetry without requiring code changes or agents. Findings are published and can be routed to Amazon EventBridge for near real-time notifications or automated remediation.

Option A (AWS WAF) only inspects HTTP requests to API Gateway and is focused on known bad patterns, not deeper behavioral anomalies. Option C (CloudFormation Guard) is focused on infrastructure-as-code validation in the pipeline, which explicitly does not help once malicious code is deployed. Option D (Network Firewall with Emerging Threats rules) protects VPC traffic, but serverless components like Lambda and API Gateway may not all traverse that firewall, and it is not targeted at function-level behavior.

Hence, enabling GuardDuty with Lambda Protection and using EventBridge notifications is the correct solution.

The Auto Scaling group service-linked role must have a specific grant in the source account in order to decrypt the encrypted AMI. This is because the service-linked role does not have permissions to assume the default IAM role in the source account.

The following steps are required to meet the requirements:

In the source account, copy the unencrypted AMI to an encrypted AMI. Specify the KMS key in the copy action.

In the source account, create a KMS grant that delegates permissions to the Auto Scaling group service-linked role in the target account.

In the source account, share the encrypted AMI with the target account.

In the target account, attach the KMS grant to the Auto Scaling group service-linked role.

The first three steps are the same as the steps that I described earlier. The fourth step is required to grant the Auto Scaling group service-linked role permissions to decrypt the AMI in the target account.

This solution will meet the requirements because it will use Amazon S3 as a common data lake for both the application logs and the API logs. Amazon S3 is a service that provides scalable, durable, and secure object storage for any type of data. You can use the Amazon CloudWatch agent to send logs from your EC2 instances to S3 buckets, and use AWS CloudTrail to deliver the API logs to S3 buckets as well. You can also use Amazon Athena to query both sets of logs in S3 using standard SQL, without loading or transforming them. Athena is a serverless interactive query service that allows you to analyze data in S3 using a variety of data formats, such as JSON, CSV, Parquet, and ORC.

AWS CDK recommends using Level 3 (L3) custom constructs to encapsulate reusable multi-resource infrastructure patterns (networking, compute, DB). Then, define a single set of environment-aware stacks that accept environment parameters for deployment. This ensures consistency with minimal code duplication, per AWS CDK best practices and design patterns whitepaper.

Option B is the correct choice and has the least operational overhead because ECR lifecycle policies are the native, managed feature built specifically to automate image cleanup:

ECR lifecycle policies can expire images based on image age (e.g., images older than X days) and can also enforce retaining a minimum number of images (count-based retention), which directly matches the requirement “retain at least a specified number of images.”

Lifecycle policies work for both tagged and untagged images using rule selection and tagging status filters, so the repository stays clean without custom automation.

Why the other options are not appropriate / higher overhead:

A is invalid: ECR is not S3; S3 lifecycle policies do not manage ECR images .

C and D introduce custom automation (Lambda or SSM scripting), scheduling, permissions, error handling, retries, logging, and ongoing maintenance—higher overhead than a managed lifecycle policy.

The correct answer is C.

Option A is incorrect because creating a new SCP that has two statements, one that allows access to the new range of IP addresses for all the S3 buckets and one that denies access to the old range of IP addresses for all the S3 buckets, is not a valid solution. SCPs are not resource-based policies, and they cannot specify the S3 buckets or the IP addresses as resources or conditions. SCPs can only control the actions that can be performed by the principals in the organization, not the access to specific resources. Moreover, setting a permissions boundary for the OrganizationAccountAccessRole role in the two OUs to deny access to the S3 buckets is not sufficient to revoke the permissions of the two OUs, as there might be other roles or users in those OUs that can still access the S3 buckets.

Option B is incorrect because creating a new SCP that has a statement that allows only the new range of IP addresses to access the S3 buckets is not a valid solution, for the same reason as option A. SCPs are not resource-based policies, and they cannot specify the S3 buckets or the IP addresses as resources or conditions. Creating another SCP that denies access to the S3 buckets and attaching it to the two OUs is also not a valid solution, as SCPs cannot specify the S3 buckets as resources either.

Option C is correct because it meets both requirements of changing the range of IP addresses that have permission to access the contents of the S3 buckets and revoking the permissions of two OUs in the company. On all the S3 buckets, configuring resource-based policies that allow only the new range of IP addresses to access the S3 buckets is a valid way to update the IP address ranges, as resource-based policies can specify both resources and conditions. Creating a new SCP that denies access to the S3 buckets and attaching it to the two OUs is also a valid way to revoke the permissions of those OUs, as SCPs can deny actions such as s3:PutObject or s3:GetObject on any resource.

Option D is incorrect because setting a permissions boundary for the OrganizationAccountAccessRole role in the two OUs to deny access to the S3 buckets is not sufficient to revoke the permissions of the two OUs, as there might be other roles or users in those OUs that can still access the S3 buckets. A permissions boundary is a policy that defines the maximum permissions that an IAM entity can have. However, it does not revoke any existing permissions that are granted by other policies.

Amazon S3 Inventory generates scheduled reports listing all objects in a bucket with metadata including the ETag, which is an MD5 hash of the object content. Objects with the same ETag value have identical content regardless of their key or prefix location and can therefore be identified as duplicates. Amazon Athena can query the inventory report stored in S3 using SQL to group objects by ETag and identify keys where more than one object shares the same hash. Once duplicate keys are identified, S3 Batch Operations can invoke an AWS Lambda function to programmatically delete the duplicate entries, completing the automated cleanup workflow. S3 Storage Lens (Option A) provides visibility into storage usage metrics but does not identify content-level duplicates. CloudTrail (Option B) tracks API activity but cannot compare object content. AWS Config (Option D) is designed for resource configuration compliance, not S3 object deduplication.

S3 RTC ensures ≤15-min replication SLA.

Multi-Region Access Point (MRAP) simplifies active-passive replication access.

SubmitMultiRegionAccessPointRoutes API manages routing changes during failover. This configuration follows AWS DR best practices for S3 active/passive architectures.

 To meet the requirements, the DevOps engineer needs to create a solution that joins all EC2 instances to the domain of the AWS Managed Microsoft AD directory with the most operational efficiency. The DevOps engineer can use AWS Systems Manager Automation to automate the domain join process using an existing runbook called AWS-JoinDirectoryServiceDomain. This runbook can join Windows instances to an AWS Managed Microsoft AD or Simple AD directory by using PowerShell commands. The DevOps engineer can create an AWS::SSM::Association resource in the CloudFormation template to associate the runbook with the EC2 instances that have specific tags. The tags can be defined in the launch template and propagated on launch to the EC2 instances. The DevOps engineer can also define the required parameters for the runbook, such as the directory ID, directory name, and organizational unit. The DevOps engineer can attach the AmazonSSMManagedlnstanceCore and AmazonSSMDirectoryServiceAccess AWS managed policies to the IAM role that the EC2 instances use. These policies grant the necessary permissions for Systems Manager and Directory Service operations.

Step 1: Sending AWS WAF Logs to CloudWatch LogsAWS WAF allows you to log requests that are evaluated against your web ACLs. These logs can be sent directly to CloudWatch Logs, which enables real-time monitoring and analysis.

Action: Configure the AWS WAF web ACL to send log messages to a CloudWatch Logs log group.

Why: This allows the operations team to view the logs in real time and analyze patterns using CloudWatch metric filters.

Mutual TLS (mTLS) authentication requires two-way authentication between the client and the server. For Amazon API Gateway, you can enable mTLS for a custom domain name, which requires clients to present X.509 certificates to verify their identity to access your API. To set up mTLS, you would typically use AWS Certificate Manager (ACM) to create a private certificate authority (CA) and provision a client certificate signed by this private CA. The root CA certificate is then uploaded to an Amazon S3 bucket and configured in API Gateway as the trust store12.

Introducing mutual TLS authentication for Amazon API Gateway1.

Configuring mutual TLS authentication for a REST API2.

AWS Private Certificate Authority details3.

AWS Certificate Manager Private Certificate Authority updates4.

To prevent ApplicationA from being installed on the additional instance, the deployment group configuration needs to be more specific. By changing the current single tag group to include only the Environment=Production tag and adding another single tag group that includes only the Name=ApplicationA tag, the deployment process will target only the instances that match both tag groups. This ensures that only instances intended for ApplicationA with the correct environment and name tags will receive the deployment, thus excluding the additional instance with the Department=Marketing and Name=ApplicationB tags.

AWS CodeDeploy Documentation: Working with instances for CodeDeploy

AWS CodeDeploy Documentation: Stop a deployment with CodeDeploy

Stack Overflow Discussion: CodeDeploy Deployment failed to stop Application