Practice Free DOP-C02 AWS Certified DevOps Engineer - Professional Exam Questions Answers With Explanation

Use a Service Control Policy (SCP) with a Null condition on lambda:VpcIds to deny Lambda function creation or update when not VPC-attached. This enforces compliance across all accounts automatically without manual remediation, aligning with AWS Control Tower governance recommendations.

https://aws.amazon.com/blogs/security/how-to-use-aws-config-to-determine-compliance-of-aws-kms-key-policies-to-your-specifications/

A: If the ApproximateAgeOfOldestMessages indicate that orders are remaining in the SQS queue for longer than expected, the reserved concurrency limit may be set too small to keep up with the number of orders entering the queue and is being throttled. D: The DynamoDB table is using Auto Scaling. With Auto Scaling, you create a scaling policy that specifies whether you want to scale read capacity or write capacity (or both), and the minimum and maximum provisioned capacity unit settings for the table. The ThottledWriteRequests metric will indicate if there is a throttling issue on the DynamoDB table, which can be resolved by increasing the maximum write capacity units for the table ' s Auto Scaling policy. https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/AutoScaling.html

AWS Secrets Manager supports managed rotation using Lambda templates for ElastiCache (Redis). Secrets Manager can integrate with Parameter Store using references ({{resolve:secretsmanager:...}}). This ensures automatic rotation with minimal management.

Option A best matches the requirement in the simplest, most direct way:

Systems Manager State Manager is designed to apply and maintain a desired state on managed instances by running associations on a schedule or continuously across targets (for example, “all managed nodes”).

By using a Systems Manager document in the association that installs the antivirus package (and can be written to be idempotent: “install only if not present”), State Manager both detects drift (software missing) and remediates it automatically by reapplying the desired configuration.

This approach automatically covers all instances that are managed by Systems Manager (which is typically the standard requirement for fleet management on Amazon Linux).

Why the others are more overhead or not as direct:

B can work, but it requires building and operating a custom Config rule plus remediation wiring. That’s more components and maintenance than State Manager for a straightforward “ensure software is installed” task.

C Amazon Inspector is a vulnerability management service; it’s not the primary tool for “ensure a specific software package is installed everywhere” and “remediate via SSM doc” as a desired-state control.

D only detects new instances at launch time via CloudTrail RunInstances, and then you still need Inventory correlation logic. It’s more complex and can miss already-running instances unless additional logic is added.

Step 1: Reacting to CloudFormation Stack Events with EventBridgeAWS CloudFormation emits events during the lifecycle of a stack, including the UPDATE_COMPLETE event after a successful stack update. You can use Amazon EventBridge to detect this event and trigger a specific action (such as invoking a Lambda function).

Action: Create an EventBridge rule that listens for the UPDATE_COMPLETE event for the CloudFormation stack.

Why: EventBridge allows you to automatically detect CloudFormation stack lifecycle events and take action based on them.

Step 2: Invoking the Lambda FunctionAfter the EventBridge rule detects the UPDATE_COMPLETE event, it can invoke the pre-configured Lambda function to apply or update the tag on the specific CloudFormation stack instance.

Action: Configure the EventBridge rule to invoke the Lambda function when the UPDATE_COMPLETE event occurs.

Why: This automation ensures that the tag is applied immediately after a successful stack update without any manual intervention.

When the CodeUri property points directly to a static S3 object path, AWS CloudFormation detects no template changes between deployments because the S3 URI remains identical even after you upload updated code to the same key. The solution is to reference local source code so that SAM or CloudFormation can compute a content hash, upload the artifact with a unique S3 key, and update the template, creating a detectable change. Option C works because sam deploy with a local CodeUri path automatically packages the function, uploads it to S3 with a hash-derived key, and deploys the updated stack. Option E works for the same reason: aws cloudformation package computes the hash, uploads the artifact, and produces a packaged template that aws cloudformation deploy can then apply. Options A and B do not resolve the root cause and are not designed for SAM Lambda packaging.

================

AWS CDK recommends using Level 3 (L3) custom constructs to encapsulate reusable multi-resource infrastructure patterns (networking, compute, DB). Then, define a single set of environment-aware stacks that accept environment parameters for deployment. This ensures consistency with minimal code duplication, per AWS CDK best practices and design patterns whitepaper.

To meet the requirements, the DevOps engineer needs to configure the CloudWatch alarm to stop the EC2 instances when the average of the NetworkPacketsIn metric is less than 5 for at least 3 hours in a 12-hour time window. This means that the alarm should trigger when 3 out of 12 datapoints are below the threshold of 5. The alarm should also treat missing data as not breaching the threshold, so that the EC2 instances continue to run if there is no data for the metric during the evaluation period. The DevOps engineer can add an EC2 action to stop the instance when the alarm enters the ALARM state, which is a built-in action type for CloudWatch alarms.

The best solution is to use AWS Config and AWS Security Hub to identify and remediate noncompliant resources across multiple AWS accounts. AWS Config enables continuous monitoring of the configuration of AWS resources and evaluates them against desired configurations. AWS Config can also automatically remediate noncompliant resources by using conformance packs, which are a collection of AWS Config rules and remediation actions that can be deployed as a single entity. AWS Security Hub provides a comprehensive view of the security posture of AWS accounts and resources. AWS Security Hub can aggregate and normalize the findings from AWS Config and other AWS services, as well as from partner solutions. AWS Security Hub can also be used to create a dashboard for tracking noncompliant resources and events in a centralized location.

The other options are not optimal because they either require more development overhead, do not provide near real time detection and remediation, or do not provide a centralized dashboard for tracking.

Option A is not optimal because CloudFormation drift detection is not a near real time solution. Drift detection has to be manually initiated on each stack or resource, or scheduled using a cron expression. Drift detection also does not provide remediation actions, so a custom Lambda function has to be developed and invoked. CloudWatch Logs and dashboard can be used for tracking, but they do not provide a comprehensive view of the security posture of the AWS accounts and resources.

Option B is not optimal because CloudTrail logs analysis using Athena is not a near real time solution. Athena queries have to be manually run or scheduled using a cron expression. Athena also does not provide remediation actions, so a custom Lambda function has to be developed and invoked. Step Functions can be used to orchestrate the query and remediation workflow, but it adds more complexity and cost. QuickSight dashboard can be used for tracking, but it does not provide a comprehensive view of the security posture of the AWS accounts and resources.

Option D is not optimal because CloudTrail logs analysis using CloudWatch Logs is not a near real time solution. CloudWatch Logs filters have to be manually created or updated for each resource type and configuration change. CloudWatch Logs also does not provide remediation actions, so a custom Lambda function has to be developed and invoked. EventBridge can be used to trigger the Lambda function, but it adds more complexity and cost. OpenSearch Service dashboard can be used for tracking, but it does not provide a comprehensive view of the security posture of the AWS accounts and resources.

AWS Config conformance packs

Introducing AWS Config conformance packs

Managing conformance packs across all accounts in your organization

Short Explanation: To meet the requirements, the DevOps engineer should update the SAML assertion to pass the user’s team name, update the IAM role’s trust policy to add an access-team session tag that has the team name, create an IAM permissions boundary in each account, and for each CodeCommit repository, add an access-team tag that has the value set to the name of the associated team.

Updating the SAML assertion to pass the user’s team name allows the DevOps engineer to use IAM tags to identify which team a user belongs to. This can help enforce fine-grained access control based on the user’s team membership1.

Updating the IAM role’s trust policy to add an access-team session tag that has the team name allows the DevOps engineer to use IAM condition keys to restrict access based on the session tag value2. For example, the DevOps engineer can use the aws:PrincipalTag condition key to match the access-team tag of the user with the access-team tag of the repository3.

Creating an IAM permissions boundary in each account allows the DevOps engineer to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity’s permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries4. For example, the DevOps engineer can use a permissions boundary policy to limit the actions that a user can perform on CodeCommit repositories based on their access-team tag5.

For each CodeCommit repository, adding an access-team tag that has the value set to the name of the associated team allows the DevOps engineer to use resource tags to identify which team manages a repository. This can help enforce fine-grained access control based on the resource tag value6.

The other options are incorrect because:

Creating an approval rule template for each team in the Organizations management account is not a valid option, as approval rule templates are not supported by AWS Organizations. Approval rule templates are specific to CodeCommit and can only be associated with one or more repositories in the same AWS Region where they are created7.

Creating an approval rule template for each account is not a valid option, as approval rule templates are not designed to restrict access to modify branches. Approval rule templates are designed to require approvals from specified users or groups before merging pull requests8.

Attaching an SCP to the accounts is not a valid option, as SCPs are not designed to restrict access based on tags. SCPs are designed to restrict access based on service actions and resources across all users and roles in an organization’s account9.

https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

RDS Multi-AZ with cross-Region read replicas provides synchronous replication with near-zero data loss and supports fast failover with RPO < 1 min and RTO < 10 min.

Automation can promote replicas and update Route 53 CNAME to redirect traffic during failover.

Options B, C, and D rely on snapshots, backups, or DMS, which cannot guarantee such low RPO/RTO and require manual intervention or complex automation.

https://docs.aws.amazon.com/securityhub/latest/userguide/accounts-orgs-auto-enable.html

This solution will meet the requirements because it will use CloudFormation nested stacks and stack sets to deploy the templates more efficiently and consistently across multiple regions. Nested stacks allow the company to separate out common components and reuse templates, while stack sets allow the company to create stacks in multiple accounts and regions with a single template. The company can also use Amazon SNS to send notifications to the data engineering team whenever a change is made to the templates or the stacks. Amazon SNS is a service that allows you to publish messages to subscribers, such as email addresses, phone numbers, or other AWS services. By using Amazon SNS, the company can ensure that the data engineering team is aware of all changes to the templates and can take appropriate actions if needed. What is Amazon SNS? - Amazon Simple Notification Service

Deploy CloudWatch Agent + Fluent Bit (supported by Amazon EKS integration) to forward metrics and logs. Create CloudWatch Alarms for CPU/memory/node metrics and metric log filters for Autoscaler logs, triggering SNS notifications when anomalies occur. This pattern matches AWS guidance on “Monitoring EKS clusters with CloudWatch Container Insights and alarms.”

https://docs.aws.amazon.com/codedeploy/latest/userguide/reference-appspec-file-structure-hooks.html#appspec-hooks-lambda

https://docs.aws.amazon.com/cli/latest/reference/cloudformation/continue-update-rollback.html For a specified stack that is in the UPDATE_ROLLBACK_FAILED state, continues rolling it back to the UPDATE_ROLLBACK_COMPLETE state. Depending on the cause of the failure, you can manually fix the error and continue the rollback. By continuing the rollback, you can return your stack to a working state (the UPDATE_ROLLBACK_COMPLETE state), and then try to update the stack again.

Amazon CloudWatch metric streams are designed to deliver metrics in near real time to downstream services like Amazon Data Firehose with minimal configuration and management overhead. By configuring a metric stream to include all metrics , you ensure that any newly created performance or custom metrics are automatically included without needing to update filters or code when namespaces or metrics change.

Option B uses a CloudWatch metric stream ? Firehose ? Lambda ? S3 pattern. Firehose natively supports invoking a Lambda function for in-flight transformation of the metric data before final delivery to S3. This satisfies the requirement to transform metrics before storing them and provides a fully managed, serverless pipeline with very little ongoing operational burden.

Option A mentions including metrics from “the application and the CloudWatch namespace,” which implies more manual selection and maintenance, potentially missing new metrics if not explicitly added. Options C and D work at the log level, not at the metric level, and would require building additional logic to derive metrics from logs. This is more complex and not aligned with “least operational overhead.”

Therefore, Option B is the most efficient and scalable solution.

AWS CodePipeline supports multiple stages including source, build, test, and deploy. The most efficient way to integrate automated testing is by adding an AWS CodeBuild action to the pipeline that runs the tests using a buildspec.yml file. CodeBuild can be configured to fail the pipeline automatically if tests fail, ensuring that deployments do not proceed to the staging environment. This pattern is directly supported and documented in AWS CodePipeline + CodeBuild CI/CD architecture guidance.

The best solution is to use S3 Object Lambda1, which allows you to add your own code to S3 GET, LIST, and HEAD requests to modify and process data as it is returned to an application2. This way, you can redact the data differently for each application without creating and storing multiple copies of the data or running proxies.

The other solutions are less efficient or scalable because they require replicating the data to multiple buckets, streaming the data through Kinesis, or storing the data in S3 access points.

 1: Amazon S3 Features | Object Lambda | AWS 2: Transforming objects with S3 Object Lambda - Amazon Simple Storage Service

This solution would allow the company to automate the process of updating the SDK and making it available to web clients. By adding a CodePipeline action immediately after the deployment stage of the API, the Lambda function will be invoked automatically each time the API is updated. The Lambda function should be able to download the new SDK from API Gateway, upload it to the S3 bucket and also create a CloudFront invalidation for the SDK path so that the latest version of the SDK is available for the web clients. This is the most straight forward solution and it will meet the requirements.

EKS supports control plane logging sent directly to CloudWatch Logs.

CloudWatch Container Insights provides metrics and logs collection for nodes and containers automatically with minimal setup.

CloudWatch Logs Insights offers powerful querying and visualization integrated in AWS without managing additional infrastructure.

Options A and C require deploying and managing additional components (Logstash, Event Exporter, S3, Athena).

Option D adds complexity with OpenTelemetry and Redshift, which is more operationally heavy.

https://aws.amazon.com/blogs/networking-and-content-delivery/connecting-networks-with-overlapping-ip-ranges/ Private link is the best option because Transit Gateway doesn ' t support overlapping CIDR ranges.

The requirement is to deploy a stateless application with multi-Region fault tolerance , ensuring high availability even if an entire AWS Region becomes unavailable. For this design, traffic must be actively served from both Regions, not only during a failure event.

Option C correctly implements an active-active, multi-Region architecture . By deploying the application to both EKS clusters , each Region is capable of serving traffic independently. Using Amazon Route 53 weighted routing , traffic is distributed across both Application Load Balancers, allowing both Regions to handle requests simultaneously. If one Region becomes unhealthy, Route 53 health checks can stop routing traffic to that Region, maintaining availability.

Implementing Kubernetes readiness and liveness probes ensures that traffic is only sent to healthy pods within each cluster. This provides fault tolerance at both the container level (pod health) and the Regional level (Route 53 routing).

Option A uses a failover routing policy, which results in an active-passive design. While fault tolerant, it does not utilize both Regions simultaneously and provides slower recovery during Region failure. Options B and D deploy the application only in the primary Region, which does not meet multi-Region fault tolerance requirements.

Therefore, Option C delivers the most resilient, highly available, and AWS-recommended architecture for a stateless, multi-Region EKS application.

Even if AmazonSSMManagedlnstanceCore is a managed policy and not an IAM role I will go with C because this policy is to be attached to an IAM role for EC2 to access System Manager.

ECS container instances must have an IAM role that trusts ECS (the ecs-tasks.amazonaws.com principal) to assume permissions for CloudWatch logging. Without this trust relationship, ECS cannot push logs even if the permissions are present.

This solution will meet the requirements because it will use Amazon S3 as a common data lake for both the application logs and the API logs. Amazon S3 is a service that provides scalable, durable, and secure object storage for any type of data. You can use the Amazon CloudWatch agent to send logs from your EC2 instances to S3 buckets, and use AWS CloudTrail to deliver the API logs to S3 buckets as well. You can also use Amazon Athena to query both sets of logs in S3 using standard SQL, without loading or transforming them. Athena is a serverless interactive query service that allows you to analyze data in S3 using a variety of data formats, such as JSON, CSV, Parquet, and ORC.

The best solution to implement failover for the application is to use CloudFront origin groups. Origin groups allow CloudFront to automatically switch to a secondary origin when the primary origin is unavailable or returns specific HTTP status codes that indicate a failure1. This way, CloudFront can serve the requests from the secondary ALB in the secondary Region without any delay or redirection. To set up origin groups, the DevOps engineer needs to create a new origin on the distribution for the secondary ALB, create a new origin group with the original ALB as the primary origin and the secondary ALB as the secondary origin, and configure the origin group to fail over for HTTP 5xx status codes. Then, the DevOps engineer needs to update the default behavior to use the origin group instead of the single origin2.

The other options are not as effective or efficient as the solution in option B. Option A is not suitable because creating a second CloudFront distribution will increase the complexity and cost of the application. Moreover, using Route 53 alias records with a failover policy will introduce some delay in detecting and switching to the secondary CloudFront distribution, which may not meet the zero-second RTO requirement. Option C is not feasible because CloudFront does not support using Route 53 alias records as origins3. Option D is not advisable because using a CloudFront function to redirect the requests to the secondary ALB will add an extra round-trip and latency to the failover process, which may also not meet the zero-second RTO requirement.

1: Optimizing high availability with CloudFront origin failover - Amazon CloudFront

2: Creating an origin group - Amazon CloudFront

3: Values That You Specify When You Create or Update a Web Distribution - Amazon CloudFront

? Step 1: Centralizing Image Scanning in a Shared Services Account

The first requirement is to centralize the image scanning process, ensuring pre-scan and post-scan images are stored separately. This can be achieved by creating separate pre-scan and post-scan repositories in the shared services account, with the appropriate resource-based policies to control access.

Action: Create separate ECR repositories for pre-scan and post-scan images in the shared services account. Configure resource-based policies to allow write access to pre-scan repositories and read access to post-scan repositories.

Why: This ensures that images are isolated before and after the scan, following the compliance requirements.

AWS Secrets Manager is a secrets management service that helps you protect access to your applications, services, and IT resources. This service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Using Secrets Manager, you can secure and manage secrets used to access resources in the AWS Cloud, on third-party services, and on-premises. SSM parameter store and AWS Secret manager are both a secure option. However, Secrets manager is more flexible and has more options like password generation. Reference: https://www.1strategy.com/blog/2019/02/28/aws-parameter-store-vs-aws-secrets-manager/

This solution will meet the requirements in the most operationally efficient manner because it will use CloudWatch Logs destination to aggregate the log groups from all the accounts to a single S3 bucket in the logging account. However, unlike option A, this solution will create a CloudWatch Logs destination for each region, instead of a single destination for all regions. This will improve the performance and reliability of the log delivery, as it will avoid cross-region data transfer and latency issues. Moreover, this solution will use an Amazon Kinesis data stream and an Amazon Kinesis Data Firehose delivery stream for each region, instead of a single stream for all regions. This will also improve the scalability and throughput of the log delivery, as it will avoid bottlenecks and throttling issues that may occur with a single stream.

This solution will meet the requirements because it will reduce the number of errorless records that are sent to the dead-letter queue. When you configure the setting to split the batch when an error occurs, Lambda will retry only the records that caused the error, instead of retrying the entire batch. This way, the records that have no data errors and have already been processed by the legacy REST API will not be retried and sent to the dead-letter queue unnecessarily.

https://docs.aws.amazon.com/lambda/latest/dg/with-kinesis.html

You need to understand how SCP inheritance works in AWS. The way it works for Deny policies is different that allow policies.

Allow polices are passing down to children ONLY if they don ' t have an allow policy.

Deny policies always pass down to children.

That ' s why there is always an SCP set to the Root to allow everything by default. If you limit this policy, the whole organization will be limited, not matter what other policies are saying for the other OUs. So it ' s not A. It ' s not D because it restricts the wrong OU.

EC2 Image Builder is the recommended AWS-native service for automating the creation, validation, and distribution of AMIs. It integrates directly with AWS Organizations, allowing AMIs to be automatically shared with all accounts. The service also supports scheduled builds (e.g., monthly), significantly reducing operational overhead. This design is referenced in AWS documentation: “Automate OS image creation and distribution securely across multiple accounts using EC2 Image Builder.”

Amazon CloudWatch Logs now supports data protection policies that can mask sensitive data in logs at ingestion time using custom data identifiers. By creating a custom data identifier matching the employee ID pattern (Emp-\d{6}), the administrator can mask those patterns in new log entries automatically.

Assigning an IAM policy that denies the logs:Unmask action to engineers prevents them from seeing unmasked sensitive data, enforcing least privilege access.

This approach is operationally efficient because it uses built-in CloudWatch Logs data protection capabilities without the need for complex custom code or manual log filtering.

Option C requires writing and managing Lambda functions for log transformation, increasing operational overhead. Option D is more complex and reactive rather than preventing the sensitive data exposure. Option B incorrectly references NotAction and managed identifiers that may not match the custom pattern.

The current design colocates the web tier, database, and cache on the same EC2 instances. This causes resource contention and makes it difficult to scale each layer independently. The correct solution is to separate these concerns into independently scalable managed services.

Option D uses an Application Load Balancer (ALB) in front of an Auto Scaling group for the web application. ALB is designed for HTTP/HTTPS traffic, supports path-based and host-based routing, and can spread load evenly across multiple instances and Availability Zones, eliminating the issue where one instance is overloaded.

The database is migrated to Amazon Aurora with Multi-AZ , which provides high availability, automated failover, and managed backups. Aurora offloads database management and ensures consistent performance.

For caching, Option D introduces Amazon ElastiCache for Redis , a managed in-memory cache that is purpose-built for low-latency reads, independent scaling, and high availability through replication and clustering.

Option A and C misuse NLB for HTTP traffic or for Redis exposure and introduce unnecessary complexity. Option B keeps Redis on EC2 (via NLB + ASG in a single AZ), which reduces availability and does not leverage managed caching.

Thus, Option D best separates tiers and improves performance and availability.

Deployment of config.txt file based on the appspec.yml:

The appspec.yml file specifies that config/config.txt should be copied to /usr/local/src/config.txt.

The source: / directive in the appspec.yml indicates that the entire directory structure starting from the root of the application source should be copied to the specified destination, which is /var/www/html.

Result of the Deployment:

The config.txt file will be specifically deployed to /usr/local/src/config.txt as per the explicit file mapping.

The entire directory structure including application/web will be copied to /var/www/html, but this does not include config/config.txt since it has a specific destination defined.

Thus, the config.txt file will be deployed only to /usr/local/src/config.txt.

Therefore, the correct answer is:

C. The config.txt file will be deployed to only /usr/local/src/config.txt.

AWS CodeDeploy supports deployment of both Lambda functions and ECS services with native integration.

It provides deployment strategies such as canary deployments for Lambda and blue/green deployments for ECS, which minimize downtime and risk.

CodeDeploy automates the deployment process, which reduces manual effort and improves consistency.

AWS Systems Manager Parameter Store is a simple, managed solution for storing configuration data securely and at scale.

Option A uses CloudFormation stack updates with resource replacement, which can cause downtime and is less flexible for minimizing downtime compared to CodeDeploy’s deployment strategies.

Option C adds unnecessary orchestration complexity with Step Functions and cross-region deployments, increasing deployment effort.

Option D’s all-at-once deployments for Lambda and rolling updates for ECS do not minimize downtime as effectively as canary and blue/green strategies. Hence, option B meets the requirement with the least deployment effort and maximizes automation and availability.

Reference from AWS Official Documentation:

Deploying Lambda Functions with CodeDeploy: " AWS CodeDeploy supports canary and linear deployment strategies for AWS Lambda functions to reduce deployment risk. " (CodeDeploy Lambda Deployment)

Deploying ECS Services with CodeDeploy Blue/Green: " CodeDeploy supports blue/green deployments for ECS to minimize downtime during service updates. " (CodeDeploy ECS Blue/Green)

AWS Systems Manager Parameter Store: " Parameter Store provides secure, hierarchical storage for configuration data management. " (Systems Manager Parameter Store)

The requirement is specifically to validate critical user journeys and API endpoints after each deployment and before routing traffic . The most direct AWS-native way to test “real” user flows and endpoints automatically is CloudWatch Synthetics canaries , which can run scripted checks (HTTP/API and browser-style journeys).

Option D minimizes operational overhead because it uses a straightforward managed pattern:

Canaries run against the new deployment to validate endpoints and journeys.

CloudWatch alarms trigger when the canaries fail (objective signal of broken journeys/APIs).

The solution then uses alarm-driven rollback (the intent here is automated rollback without writing custom analysis code or managing multi-service workflows).

Why the other options have more overhead or miss the “user journey/API validation” goal as cleanly:

A focuses on ECS task states (healthy/unhealthy tasks). That can detect deployment failures, but it doesn’t validate critical user journeys or API correctness . Also requires custom Lambda logic for analysis + rollback control.

B adds even more moving parts (Application Insights + alarms + EventBridge + Step Functions). Also, monitoring KPIs is not the same as explicitly validating journeys/endpoints before routing traffic .

C is the highest overhead: canaries plus X-Ray instrumentation across all microservices, trace exporting, custom Lambda analysis, etc. That’s heavy compared to canary + alarm.

So D best matches: “validate journeys/endpoints” + “automated detect + rollback” with least operational overhead by relying on managed canaries and alarms rather than custom code/workflows.

The correct answer is B and C. Option B is correct because inviting the acquired company’s AWS accounts to join the organization and creating the OrganizationAccountAccessRole IAM role in the invited accounts allows the management account to assume the role and gain full administrative access to the member accounts. Option C is correct because using AWS Security Hub to collect and group findings across all accounts enables the DevOps team to monitor and improve the security posture of the organization. Security Hub can automatically detect new accounts as the accounts are added to the organization and enable Security Hub for them. Option A is incorrect because creating an SCP that has full administrative privileges and attaching it to the management account does not grant the management account access to the member accounts. SCPs are used to restrict the permissions of the member accounts, not to grant permissions to the management account. Option D is incorrect because using AWS Firewall Manager to collect and group findings across all accounts is not a valid use case for Firewall Manager. Firewall Manager is used to centrally configure and manage firewall rules across the organization, not to collect and group security findings. Option E is incorrect because using Amazon Inspector to collect and group findings across all accounts is not a valid use case for Amazon Inspector. Amazon Inspector is used to assess the security and compliance of applications running on Amazon EC2 instances, not to collect and group security findings across accounts. References:

Inviting an AWS account to join your organization

Enabling and disabling AWS Security Hub

Service control policies

AWS Firewall Manager

Amazon Inspector

Step 1: Storing Docker Images in Amazon ECRDocker images can be large, and storing them in a centralized, scalable location can greatly reduce build times. Amazon Elastic Container Registry (ECR) is a fully managed container registry that stores, manages, and deploys Docker container images.

Action: Store the Docker images in an ECR repository.

Why: Storing Docker images in ECR ensures that Docker images can be reused across multiple builds, improving build performance by avoiding the need to rebuild the images from scratch.

The requirement is simply: review changes before production deployment , with the least operational overhead .

B is the lightest change: adding a Manual approval (review) action in CodePipeline creates a controlled gate before the deploy stage. It requires no new repositories, no new services, and no custom code—just pipeline configuration.

Why not the others:

A introduces additional moving parts (Git repo integration, PR workflow management, and CloudFormation Git sync). That’s useful, but it’s more operational overhead than necessary to satisfy “review before deploy.”

C requires custom Lambda logic to inspect templates and decide whether to proceed—more code to write, run, secure, and maintain.

D adds both Git integration and a manual approval step—again more overhead than just adding the approval gate.

So B best meets the requirement with the least operational effort: a simple manual approval stage in the pipeline before production deployment.

? Create an Amazon Elastic File System (Amazon EFS) File System with Targets in Multiple Availability Zones:

Amazon EFS provides a scalable and highly available network file system that supports the NFS protocol. EFS is ideal for Linux instances as it allows multiple instances to read and write data concurrently.

Setting up EFS with targets in multiple Availability Zones ensures high availability and durability.

Use routing configuration on an alias to send a portion of traffic to a second function version. For example, you can reduce the risk of deploying a new version by configuring the alias to send most of the traffic to the existing version, and only a small percentage of traffic to the new version. https://docs.aws.amazon.com/lambda/latest/dg/configuration-aliases.html

The following are the steps involved in the deploy stage configuration that will meet the requirements:

Use AWS CodeBuild to add sample event payloads for testing to the Lambda functions.

Publish a new version of the functions, and include Amazon CloudWatch alarms.

Update the production alias to point to the new version.

Configure rollbacks to occur when an alarm is in the ALARM state.

This configuration will help to reduce the customer impact of an unsuccessful deployment by deploying the new version of the functions to a staging environment first. This will allow the DevOps engineer to test the new version of the functions before deploying it to production.

The configuration will also help to monitor for issues by including Amazon CloudWatch alarms. These alarms will alert the DevOps engineer if there are any problems with the new version of the functions.

Failed interactive logins such as ConsoleLogin are part of CloudTrail management events , not data events. The most direct, low-overhead design is to stream management events to CloudWatch Logs , then create a metric filter that matches failed ConsoleLogin events (for example, $.eventName = " ConsoleLogin " and $.responseElements.ConsoleLogin = " Failure " or $.errorMessage ). That metric is then used as the basis for a CloudWatch alarm . When the alarm threshold (e.g., N failures in a period) is breached, the alarm triggers and sends a notification to the already created SNS topic, which alerts the security team.

Option A follows this recommended pattern: CloudTrail ? CloudWatch Logs ? Metric Filter ? Alarm ? SNS. It is fully managed, near real-time, and requires minimal custom logic.

Option B uses Athena with EventBridge to periodically query CloudTrail logs in S3. This introduces more moving parts, more configuration, higher latency, and more operational overhead.

Options C and D incorrectly reference CloudTrail data events and S3 event notifications, which are not the right mechanisms to detect ConsoleLogin failures. Console logins are not S3 events, and using data events would miss these management actions.

Therefore, Option A is the correct and simplest solution.

The requirement is to prevent any product files containing unannounced product IDs (prefixed with a specific UUID) from being stored in the production S3 bucket that users can access.

To achieve this, a best practice is to use a staging bucket as a control point before files go to production, combined with Amazon Macie’s data classification capabilities.

Creating a custom data identifier in Amazon Macie allows precise detection of product IDs starting with the specific UUID, which default managed identifiers will not detect.

By running a Macie sensitive data discovery job on the staging bucket, you can identify files containing these sensitive product IDs.

Only files without findings (i.e., files that do not contain unannounced product IDs) are copied to the production bucket, ensuring no sensitive information is exposed. This approach aligns with AWS best practices for data classification and staged deployment workflows, maximizing control and reducing risk. Using Macie on the production bucket directly (options B and D) risks exposing sensitive data before detection and deletion. Option C uses managed data identifiers, which will likely not detect the custom UUID prefix pattern.

Reference from AWS Official Documentation and Study Guide:

Amazon Macie Custom Data Identifiers: " You can create custom data identifiers in Amazon Macie to find sensitive data that is unique to your organization. " (Amazon Macie User Guide)

Data Security Best Practices: " Use staging environments to inspect and sanitize data before moving it to production to reduce exposure risks. " (AWS Security Best Practices)

 The UserData property of the AWS: AutoScaling: LaunchConfiguration resource can be used to specify a script that runs when the EC2 instances are launched. This script can include the ECS cluster name as an environment variable for the ECS agent running on the EC2 instances. This way, the EC2 instances will register with the correct ECS cluster. Option A is incorrect because the AWS: ECS: Cluster resource does not have a property to reference the EC2 instances. Option C is incorrect because the EC2 instances are launched by the Auto Scaling group, not by the AWS: EC2: Instance resource. Option D is incorrect because using a custom resource and a Lambda function is unnecessary and overly complex for this scenario. References: AWS::AutoScaling::LaunchConfiguration, Amazon ECS Container Agent Configuration

This solution will meet the requirements because it will use a CloudFormation custom resource to execute custom logic during the stack set operation. A custom resource is a resource that you define in your template and that is associated with an AWS Lambda function. The Lambda function runs whenever the custom resource is created, updated, or deleted, and can perform any actions that are supported by the AWS SDK. In this case, the Lambda function can use the GuardDuty API to check whether GuardDuty is already enabled in each target account, and if not, enable it. This way, the DevOps engineer can avoid deploying the stack set to accounts that already have GuardDuty enabled, and prevent failure during the deployment.

Option A is correct because using batch writes to write multiple log events in a single write operation is a recommended practice for optimizing the performance and cost of data ingestion in Timestream. Batch writes can reduce the number of network round trips and API calls, and can also take advantage of parallel processing by Timestream. Batch writes can also improve the compression ratio of data in the memory store and the magnetic store, which can reduce the storage costs and improve the query performance1.

Option B is incorrect because writing each log event as a single write operation is not a recommended practice for optimizing the performance and cost of data ingestion in Timestream. Writing each log event as a single write operation would increase the number of network round trips and API calls, and would also reduce the compression ratio of data in the memory store and the magnetic store. This would increase the storage costs and degrade the query performance1.

Option C is incorrect because treating each log as a single-measure record is not a recommended practice for optimizing the query performance in Timestream. Treating each log as a single-measure record would result in creating multiple records for each timestamp, which would increase the storage size and the query latency. Moreover, treating each log as a single-measure record would require using joins to query multiple measures for the same timestamp, which would add complexity and overhead to the query processing2.

Option D is correct because treating each log as a multi-measure record is a recommended practice for optimizing the query performance in Timestream. Treating each log as a multi-measure record would result in creating a single record for each timestamp, which would reduce the storage size and the query latency. Moreover, treating each log as a multi-measure record would allow querying multiple measures for the same timestamp without using joins, which would simplify and speed up the query processing2.

Option E is incorrect because configuring the memory store retention period to be longer than the magnetic store retention period is not a valid option in Timestream. The memory store retention period must always be shorter than or equal to the magnetic store retention period. This ensures that data is moved from the memory store to the magnetic store before it expires out of the memory store3.

Option F is correct because configuring the memory store retention period to be shorter than the magnetic store retention period is a valid option in Timestream. The memory store retention period determines how long data is kept in the memory store, which is optimized for fast point-in-time queries. The magnetic store retention period determines how long data is kept in the magnetic store, which is optimized for fast analytical queries. By configuring these retention periods appropriately, you can balance your storage costs and query performance according to your application needs3.

Option A is incorrect because increasing the memory of the Lambda function does not address the root cause of the problem, which is that the Lambda function is not triggered by the S3 event source. Increasing the memory of the Lambda function might improve its performance or reduce its execution time, but it does not affect its invocation. Moreover, increasing the memory of the Lambda function might incur higher costs, as Lambda charges based on the amount of memory allocated to the function.

Option B is correct because creating a resource policy on the Lambda function to grant Amazon S3 the permission to invoke the Lambda function for the S3 bucket is a necessary step to configure an S3 event source. A resource policy is a JSON document that defines who can access a Lambda resource and under what conditions. By granting Amazon S3 permission to invoke the Lambda function, the company ensures that the Lambda function runs when a new object is created or an existing object is modified in the S3 bucket1.

Option C is incorrect because configuring an Amazon Simple Queue Service (Amazon SQS) queue as an On-Failure destination for the Lambda function does not help with triggering the Lambda function. An On-Failure destination is a feature that allows Lambda to send events to another service, such as SQS or Amazon Simple Notification Service (Amazon SNS), when a function invocation fails. However, this feature only applies to asynchronous invocations, and S3 event sources use synchronous invocations. Therefore, configuring an SQS queue as an On-Failure destination would have no effect on the problem.

Option D is incorrect because provisioning space in the /tmp folder of the Lambda function does not address the root cause of the problem, which is that the Lambda function is not triggered by the S3 event source. Provisioning space in the /tmp folder of the Lambda function might help with processing large files from the S3 bucket, as it provides temporary storage for up to 512 MB of data. However, it does not affect the invocation of the Lambda function.

The company’s requirements span preventive governance , account baseline configuration , and continuous compliance monitoring , all with minimal operational overhead. AWS-native, organization-level services are the most efficient way to meet these goals.

To ensure that new accounts do not retain default VPCs and that development is restricted to specific Regions , AWS Control Tower is the correct foundation. However, Control Tower alone does not remove default VPCs. By installing Customizations for AWS Control Tower (CfCT) , the company can automatically deploy OU-scoped CloudFormation templates during account provisioning. A simple CloudFormation template can delete default VPCs in all Regions, while Control Tower-managed Region deny guardrails (SCPs) restrict access to only approved Regions. This approach is declarative, repeatable, and tightly integrated with account creation workflows, resulting in low operational overhead.

For CIS AWS Foundations Benchmark compliance monitoring , AWS Security Hub is the purpose-built service. Enabling Security Hub at the organization level and selecting the CIS benchmark automatically evaluates all member accounts against CIS controls and continuously reports findings. This provides centralized visibility and compliance reporting without custom rule development.

Option C introduces custom Lambda automation and EventBridge logic, increasing maintenance burden. Option E is incorrect because Control Tower does not provide full CIS benchmark monitoring; it only offers related detective guardrails.

Therefore, Option B (Control Tower + CfCT) and Option D (Security Hub with CIS benchmark) together provide the most efficient, scalable, and AWS-recommended solution.

Comprehensive and Detailed Explanation From Exact Extract of DevOps Engineer documents only:

The requirement is to log and analyze Kubernetes control plane activity, including API requests, and to monitor container performance on the worker nodes with the least operational overhead.

Option B is correct because:

Amazon EKS control plane logging can send control plane logs, including API server logs, to Amazon CloudWatch.

CloudWatch Container Insights provides monitoring and performance visibility for containers, pods, nodes, and clusters.

CloudWatch Logs Insights can be used to query and analyze both control plane and node-related logs.

This is the most managed and lowest-overhead solution among the options.

Why the other options are incorrect:

A. CloudTrail is not the primary solution for Kubernetes control plane logs such as API server logs, and deploying Logstash increases operational overhead significantly.

C. Sending logs to Amazon S3 and analyzing them with Athena and QuickSight is more operationally complex and less direct than using native CloudWatch integrations.

D. AWS Distro for OpenTelemetry with Firehose and Redshift adds substantial complexity and operational overhead compared to native EKS and CloudWatch capabilities.

The question focuses on detecting supply chain attacks that bypass CI/CD controls and result in malicious runtime behavior in the deployed serverless application. This requires runtime threat detection , not just static scanning or infrastructure validation.

Amazon GuardDuty is AWS’s managed threat detection service. GuardDuty now includes Lambda Protection , which analyzes Lambda function behavior, including network calls, IAM API usage, and other signals to detect compromised functions, crypto-mining, data exfiltration, and other malicious activity. GuardDuty automatically ingests CloudTrail, VPC Flow Logs (if enabled), and other telemetry without requiring code changes or agents. Findings are published and can be routed to Amazon EventBridge for near real-time notifications or automated remediation.

Option A (AWS WAF) only inspects HTTP requests to API Gateway and is focused on known bad patterns, not deeper behavioral anomalies. Option C (CloudFormation Guard) is focused on infrastructure-as-code validation in the pipeline, which explicitly does not help once malicious code is deployed. Option D (Network Firewall with Emerging Threats rules) protects VPC traffic, but serverless components like Lambda and API Gateway may not all traverse that firewall, and it is not targeted at function-level behavior.

Hence, enabling GuardDuty with Lambda Protection and using EventBridge notifications is the correct solution.

The correct answer is C. Allowing users to deploy CloudFormation stacks using AWS Service Catalog only and enforcing the use of a launch constraint is the best way to ensure that the internal business teams launch resources through pre-approved CloudFormation templates only. AWS Service Catalog is a service that enables organizations to create and manage catalogs of IT services that are approved for use on AWS. A launch constraint is a rule that specifies the role that AWS Service Catalog assumes when launching a product. By using a launch constraint, the DevOps engineer can control the permissions that the users have when launching a product. Using AWS Config rules to detect when resources have drifted from their expected state is the best way to automate the monitoring of the resources. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config rules are custom or managed rules that AWS Config uses to evaluate whether your AWS resources comply with your desired configurations. By using AWS Config rules, the DevOps engineer can track the changes in the resources and identify any non-compliant resources.

Option A is incorrect because allowing users to deploy CloudFormation stacks using a CloudFormation service role only is not the best way to ensure that the internal business teams launch resources through pre-approved CloudFormation templates only. A CloudFormation service role is an IAM role that CloudFormation assumes to create, update, or delete the stack resources. By using a CloudFormation service role, the DevOps engineer can control the permissions that CloudFormation has when acting on the resources, but not the permissions that the users have when launching a stack. Therefore, option A does not prevent the users from launching resources that are not approved by the company. Using CloudFormation drift detection to detect when resources have drifted from their expected state is a valid way to monitor the resources, but it is not as automated and scalable as using AWS Config rules. CloudFormation drift detection is a feature that enables you to detect whether a stack’s actual configuration differs, or has drifted, from its expected configuration. To use this feature, the DevOps engineer would need to manually initiate a drift detection operation on the stack or the stack resources, and then view the drift status and details in the CloudFormation console or API.

Option B is incorrect because allowing users to deploy CloudFormation stacks using a CloudFormation service role only is not the best way to ensure that the internal business teams launch resources through pre-approved CloudFormation templates only, as explained in option A. Using AWS Config rules to detect when resources have drifted from their expected state is a valid way to monitor the resources, as explained in option C.

Option D is incorrect because enforcing the use of a template constraint is not the best way to ensure that the internal business teams launch resources through pre-approved CloudFormation templates only. A template constraint is a rule that defines the values or properties that users can specify when launching a product. By using a template constraint, the DevOps engineer can control the parameters that the users can provide when launching a product, but not the permissions that the users have when launching a product. Therefore, option D does not prevent the users from launching resources that are not approved by the company. Using Amazon EventBridge notifications to detect when resources have drifted from their expected state is a less reliable and consistent solution than using AWS Config rules. Amazon EventBridge is a service that enables you to connect your applications with data from a variety of sources. Amazon EventBridge can deliver a stream of real-time data from event sources, such as AWS services, and route that data to targets, such as AWS Lambda functions. However, to use this solution, the DevOps engineer would need to configure the event source, the event bus, the event rule, and the event target for each resource type that needs to be monitored, which is more complex and error-prone than using AWS Config rules.

The operating system (Amazon Linux) uses yum for package management. To use both the default and a custom repository, the simplest method is to add the custom repository configuration file under /etc/yum.repos.d/ using the yum-config-manager CLI, and enable it. This allows the system to access both repositories during patching automatically.

This approach requires minimal setup and effort and leverages the existing yum patching mechanisms.

Option A and D involve managing multiple patch baselines in Systems Manager Patch Manager, which does not natively support custom repositories — it relies on the underlying OS package manager.

Option B (Direct Connect) is not necessary unless network connectivity is an issue.

Thus, option C meets the requirement with the least effort.

The requirement is to create automation that deletes unattached EBS volumes that have been unattached for 14 days. To do this, the DevOps engineer needs to use the following steps:

Create an Amazon CloudWatch Events rule to execute an AWS Lambda function daily. CloudWatch Events is a service that enables event-driven architectures by delivering events from various sources to targets. Lambda is a service that lets you run code without provisioning or managing servers. By creating a CloudWatch Events rule that executes a Lambda function daily, the DevOps engineer can schedule a recurring task to check and delete unattached EBS volumes.

The Lambda function should find unattached EBS volumes and tag them with the current date, and delete unattached volumes that have tags with dates that are more than 14 days old. The Lambda function can use the EC2 API to list and filter unattached EBS volumes based on their state and tags. The function can then tag each unattached volume with the current date using the create-tags command. The function can also compare the tag value with the current date and delete any unattached volume that has been tagged more than 14 days ago using the delete-volume command.

The solution that meets the requirements is to use EC2 Image Builder to create a container image pipeline, use Amazon ECR as the target repository, turn on enhanced scanning on the ECR repository, create an Amazon EventBridge rule to capture an Inspector2 finding event, and use the event to invoke the image pipeline. Re-upload the container to the repository.

This solution will continuously monitor the container repository for vulnerabilities using enhanced scanning, which is a feature of Amazon ECR that provides detailed information and guidance on how to fix security issues found in your container images. Enhanced scanning uses Inspector2, a security assessment service that integrates with Amazon ECR and generates findings for any vulnerabilities detected in your images. You can use Amazon EventBridge to create a rule that triggers an action when an Inspector2 finding event occurs. The action can be to invoke an EC2 Image Builder pipeline, which is a service that automates the creation of container images. The pipeline can use the latest patches and updates to build a new container image and upload it to the same ECR repository, replacing the vulnerable image.

The other options are not correct because they do not meet all the requirements or use services that are not relevant for the scenario.

Option B is not correct because it uses Amazon GuardDuty Malware Protection, which is a feature of GuardDuty that detects malicious activity and unauthorized behavior on your AWS accounts and resources. GuardDuty does not scan container images for vulnerabilities, nor does it integrate with Amazon ECR or EC2 Image Builder.

Option C is not correct because it uses basic scanning on the ECR repository, which only provides a summary of the vulnerabilities found in your container images. Basic scanning does not use Inspector2 or generate findings that can be captured by Amazon EventBridge. Moreover, basic scanning does not provide guidance on how to fix the vulnerabilities.

Option D is not correct because it uses AWS Systems Manager Compliance, which is a feature of Systems Manager that helps you monitor and manage the compliance status of your AWS resources based on AWS Config rules and AWS Security Hub standards. Systems Manager Compliance does not scan container images for vulnerabilities, nor does it integrate with Amazon ECR or EC2 Image Builder.

To meet the requirements of deploying a workload on several hundred EC2 instances with least-privilege permissions and temporary security credentials, the company should use an IAM role and an instance profile. An IAM role is a way to grant permissions to an entity that you trust, such as an EC2 instance. An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts. By using an IAM role and an instance profile, the EC2 instances can automatically receive temporary security credentials from the AWS Security Token Service (STS) and use them to access the S3 buckets. This way, the company does not need to manage or rotate any long-term credentials, such as IAM users or access keys.

To use an IAM role and an instance profile, the company should create an IAM role that has the appropriate permissions for S3 buckets. The permissions should allow the EC2 instances to read from the source S3 bucket and write to the destination S3 bucket. The company should also create a trust policy for the IAM role that specifies that EC2 is allowed to assume the role. Then, the company should add the IAM role to an instance profile. An instance profile can have only one IAM role, so the company does not need to create multiple roles or profiles for this scenario.

Next, the company should update the launch template to include the IAM instance profile. A launch template is a way to save launch parameters for EC2 instances, such as the instance type, security group, user data, and IAM instance profile. By using a launch template, the company can ensure that all EC2 instances in the Auto Scaling group have consistent configuration and permissions. The company should specify the name or ARN of the IAM instance profile in the launch template. This way, when the Auto Scaling group launches new EC2 instances based on the launch template, they will automatically receive the IAM role and its permissions through the instance profile.

The other options are not correct because they do not meet the requirements or follow best practices. Creating an IAM user and generating a secret key and token is not a good option because it involves managing long-term credentials that need to be rotated regularly. Moreover, embedding credentials in user data is not secure because user data is visible to anyone who can describe the EC2 instance. Creating a trust anchor and profile is not a valid option because trust anchors are used for certificate-based authentication, not for IAM roles or instance profiles. Modifying user data to use a new secret key and token is also not a good option because it requires updating user data every time the credentials change, which is not scalable or efficient.

1: AWS Certified DevOps Engineer - Professional Certification | AWS Certification | AWS

2: DevOps Resources - Amazon Web Services (AWS)

3: Exam Readiness: AWS Certified DevOps Engineer - Professional

IAM Roles for Amazon EC2 - AWS Identity and Access Management

Working with Instance Profiles - AWS Identity and Access Management

Launching an Instance Using a Launch Template - Amazon Elastic Compute Cloud

Temporary Security Credentials - AWS Identity and Access Management

To scale microservice Pods based on CPU utilization, the Kubernetes Horizontal Pod Autoscaler (HPA) uses the Kubernetes Metrics Server to monitor resource usage and automatically adjusts the number of Pods. However, scaling Pods may require additional nodes if the current node capacity is insufficient.

The Cluster Autoscaler works with EKS managed node groups to add or remove worker nodes based on pending Pod requirements and resource usage.

By deploying both HPA and Cluster Autoscaler, the system can automatically scale Pods and add nodes as necessary, ensuring efficient resource utilization and availability.

Configuring the Cluster Autoscaler with auto-discovery allows it to manage node groups without manual intervention, reducing operational effort.

Option A only scales nodes based on node CPU utilization, not Pods.

Option B uses VPA recommender mode, which only suggests resource changes and does not scale automatically.

Option C involves manual updates and is not automated scaling. Therefore, option D provides the most operationally efficient, fully automated scaling solution.

Reference from AWS Official Documentation:

Kubernetes Horizontal Pod Autoscaler: " HPA automatically scales the number of Pods based on observed CPU utilization or other metrics. " (Kubernetes HPA)

Cluster Autoscaler on Amazon EKS: " The Cluster Autoscaler automatically adjusts the size of the Kubernetes cluster when there are Pods that fail to run due to insufficient resources or when nodes in the cluster are underutilized. " (AWS EKS Cluster Autoscaler)

The correct answer is A.

Option A is correct because it meets the requirements with the most operational efficiency. Updating the ecommerce application to emit a JSON object to a CloudWatch log group for each processed transaction is a simple and cost-effective way to collect the data needed for the dashboard. Using CloudWatch Logs Insights to query the log group and to visualize the results in a pie chart format is also a convenient and integrated solution that leverages the existing CloudWatch dashboards. Attaching the results to the desired CloudWatch dashboard is straightforward and does not require any additional steps or services.

Option B is incorrect because it introduces unnecessary complexity and cost. Updating the ecommerce application to emit a JSON object to an Amazon S3 bucket for each processed transaction is a valid way to store the data, but it requires creating and managing an S3 bucket and its permissions. Using Amazon Athena to query the S3 bucket and to visualize the results in a pie chart format is also a valid way to analyze the data, but it incurs charges based on the amount of data scanned by each query. Exporting the results from Athena and attaching them to the desired CloudWatch dashboard is also an extra step that adds more overhead and latency.

Option C is incorrect because it uses AWS X-Ray for an inappropriate purpose. Updating the ecommerce application to use AWS X-Ray for instrumentation is a good practice for monitoring and tracing distributed applications, but it is not designed for aggregating product transaction details. Creating a new X-Ray subsegment and adding an annotation for each processed transaction is possible, but it would clutter the X-Ray service map and make it harder to debug performance issues. Using X-Ray traces to query the data and to visualize the results in a pie chart format is also possible, but it would require custom code and logic that are not supported by X-Ray natively. Attaching the results to the desired CloudWatch dashboard is also not supported by X-Ray directly, and would require additional steps or services.

Option D is incorrect because it introduces unnecessary complexity and cost. Updating the ecommerce application to emit a JSON object to a CloudWatch log group for each processed transaction is a simple and cost-effective way to collect the data needed for the dashboard, as in option A. However, creating an AWS Lambda function to aggregate and write the results to Amazon DynamoDB is redundant, as CloudWatch Logs Insights can already perform aggregation queries on log data. Creating a Lambda subscription filter for the log file is also redundant, as CloudWatch Logs Insights can already access log data directly. Attaching the results to the desired CloudWatch dashboard would also require additional steps or services, as DynamoDB does not support native integration with CloudWatch dashboards.

" Note that the metric filter is different from a log insights query, where the experience is interactive and provides immediate search results for the user to investigate. No automatic action can be invoked from an insights query. Metric filters, on the other hand, will generate metric data in the form of a time series. This lets you create alarms that integrate into your ITSM processes, execute AWS Lambda functions, or even create anomaly detection models. " https://aws.amazon.com/blogs/mt/quantify-custom-application-metrics-with-amazon-cloudwatch-logs-and-metric-filters/

 To meet the requirements, the DevOps engineer needs to create a solution that joins all EC2 instances to the domain of the AWS Managed Microsoft AD directory with the most operational efficiency. The DevOps engineer can use AWS Systems Manager Automation to automate the domain join process using an existing runbook called AWS-JoinDirectoryServiceDomain. This runbook can join Windows instances to an AWS Managed Microsoft AD or Simple AD directory by using PowerShell commands. The DevOps engineer can create an AWS::SSM::Association resource in the CloudFormation template to associate the runbook with the EC2 instances that have specific tags. The tags can be defined in the launch template and propagated on launch to the EC2 instances. The DevOps engineer can also define the required parameters for the runbook, such as the directory ID, directory name, and organizational unit. The DevOps engineer can attach the AmazonSSMManagedlnstanceCore and AmazonSSMDirectoryServiceAccess AWS managed policies to the IAM role that the EC2 instances use. These policies grant the necessary permissions for Systems Manager and Directory Service operations.

The CfCT solution is designed for the exact purpose stated in the question. It extends the capabilities of AWS Control Tower by providing you with a way to automate resource provisioning and apply custom configurations across all AWS accounts created in the Control Tower environment. This enables the company to implement additional account customizations when new accounts are provisioned via the Control Tower Account Factory. The CloudFormation templates and SCPs can be added to a CodeCommit repository and will be automatically deployed to new accounts when they are created. This provides a highly automated solution that does not require manual intervention to deploy resources and SCPs to new accounts.

When using the awslogs log driver with Amazon ECS on EC2, CloudWatch Logs permissions must be granted to the ECS container instance IAM role , not the task definition or infrastructure role. The ECS agent running on the EC2 instances is responsible for creating log streams and pushing log events to Amazon CloudWatch Logs on behalf of the containers.

In this scenario, the task definition is correctly configured to automatically create the log group (awslogs-create-group: true) and send logs to the specified Region. However, the error occurs because the EC2 container instances do not have sufficient IAM permissions to perform the required CloudWatch Logs API calls. As a result, ECS cannot place the task, and it reports that no container instance meets the requirements.

According to AWS documentation, the container instance IAM role must include the following permissions when using the awslogs driver:

logs:CreateLogStream

logs:PutLogEvents

(and, when creating log groups automatically) logs:CreateLogGroup

Option C correctly addresses the root cause by updating the container instance IAM role . Option A is incorrect because the ECS infrastructure or service role is not used to write logs. Option B is unrelated to permissions and does not resolve the issue. Option D would fail because the log group does not already exist, causing task startup to fail.

Therefore, modifying the container instance IAM role is the correct solution.

Amazon GuardDuty provides built-in, fully managed threat detection for AWS accounts and workloads, including automatic detection of cryptocurrency mining activity, compromised EC2 instances, command-and-control traffic patterns, and anomalous behaviors. GuardDuty includes multiple threat identifiers such as EC2:CryptoCurrencyActivity.BitcoinToolDetected and EC2:UnauthorizedAccess.CryptoMining. Because this capability is native and requires no custom detection logic, it provides the lowest development and operational overhead compared to alternatives.

When GuardDuty generates a finding, it publishes the event automatically to Amazon EventBridge. The DevOps engineer can create an EventBridge rule that matches the specific mining-related finding types. The target of the rule is an AWS Lambda function that parses instance details from the finding and calls TerminateInstances on the affected EC2 instance.

This enables real-time automated remediation without needing recurring scans, log parsing, or complex data queries.

Options A and B require building custom detection pipelines and maintaining periodic Lambda polling, increasing long-term complexity. Option D (Security Hub) aggregates findings but still relies on GuardDuty for detection, adding unnecessary overhead.

Therefore, GuardDuty + EventBridge + Lambda termination is the easiest, quickest, and most AWS-recommended solution following incident-response best practices.

Account Factory Customization (AFC) automates Control Tower account provisioning with baseline blueprints for networking, logging, and guardrails. It integrates natively and minimizes overhead, per AWS Control Tower documentation.

https://aws.amazon.com/blogs/mt/how-to-set-up-aws-opsworks-stacks-auto-healing-notifications-in-amazon-cloudwatch-events/

Exporting logs using CloudWatch subscription filters + Firehose ? S3 enables long-term archival. S3 lifecycle transitions optimize cost with Standard-IA (low-latency) and Deep Archive (long-term retention). This matches AWS best practice for cost-effective log retention.

These are the possible causes for the AccessDenied error because they affect the permissions to access the S3 object from the EC2 instance. An S3 bucket policy is a resource-based policy that defines who can access the bucket and its objects, and what actions they can perform. An IAM role is an identity that can be assumed by an EC2 instance to grant it permissions to access AWS services and resources. If there is an error in the S3 bucket policy or the IAM role configuration, such as a missing or incorrect statement, condition, or principal, then the EC2 instance may not have the necessary permissions to download the object from the S3 bucket .

https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/automating-updates-to-serverless-apps.html

service catalog uses stacksets and can enforce tag and restrict resources AWS Customer case with tag enforcement https://aws.amazon.com/ko/blogs/apn/enforce-centralized-tag-compliance-using-aws-service-catalog-amazon-dynamodb-aws-lambda-and-amazon-cloudwatch-events/ And Youtube video showing how to restrict resources per user with portfolio https://www.youtube.com/watch?v=LzvhTcqqyog

The latency in processing and ingesting logs can be caused by several factors, such as the throughput of the Kinesis data stream, the concurrency of the Lambda function, and the configuration of the event source mapping. To reduce the latency, the following steps can be taken:

Create a data stream consumer with enhanced fan-out. Set the Lambda function that processes the logs as the consumer. This will allow the Lambda function to receive records from the data stream with dedicated throughput of up to 2 MB per second per shard, independent of other consumers1. This will reduce the contention and delay in accessing the data stream.

Increase the ParallelizationFactor setting in the Lambda event source mapping. This will allow the Lambda service to invoke more instances of the function concurrently to process the records from the data stream2. This will increase the processing capacity and reduce the backlog of records in the data stream.

Configure reserved concurrency for the Lambda function that processes the logs. This will ensure that the function has enough concurrency available to handle the increased load from the data stream3. This will prevent the function from being throttled by the account-level concurrency limit.

The other options are not effective or may have negative impacts on the latency. Option D is not suitable because increasing the batch size in the Kinesis data stream will increase the amount of data that the Lambda function has to process in each invocation, which may increase the execution time and latency4. Option E is not advisable because turning off the ReportBatchItemFailures setting in the Lambda event source mapping will prevent the Lambda service from retrying the failed records, which may result in data loss. Option F is not necessary because increasing the number of shards in the Kinesis data stream will increase the throughput of the data stream, but it will not affect the processing speed of the Lambda function, which is the bottleneck in this scenario.

1: Using AWS Lambda with Amazon Kinesis Data Streams - AWS Lambda

2: AWS Lambda event source mappings - AWS Lambda

3: Managing concurrency for a Lambda function - AWS Lambda

4: AWS Lambda function scaling - AWS Lambda

AWS Lambda event source mappings - AWS Lambda

Scaling Amazon Kinesis Data Streams with AWS CloudFormation - Amazon Kinesis Data Streams

https://docs.aws.amazon.com/codedeploy/latest/userguide/reference-appspec-file-structure-hooks.html

To meet the requirements, the DevOps engineer should do the following:

Turn on the Multi-AZ option on the Aurora cluster.

Update the application to use the Aurora cluster endpoint for write operations.

Update the Aurora cluster ' s reader endpoint for reads.

Turning on the Multi-AZ option will create a replica of the database in a different Availability Zone. This will ensure that the database remains available even if one of the Availability Zones is unavailable.

Updating the application to use the Aurora cluster endpoint for write operations will ensure that all writes are sent to both the primary and replica databases. This will ensure that the data is always consistent.

Updating the Aurora cluster ' s reader endpoint for reads will allow the application to read data from the replica database. This will improve the performance of the application during the maintenance window.

Amazon FSx for NetApp ONTAP provides NetApp ONTAP features in AWS, including SnapMirror replication and storage efficiencies like deduplication and compression. Create FSx for ONTAP in each Region and use SnapMirror from on-prem ONTAP to each Region for efficient, incremental replication. Regions can serve data independently of on-prem availability once replicated.

API Gateway supports canary deployment on a deployment stage before you direct all traffic to that stage. A parallel environment means we will create a new ALB and a target group that will target a new set of EC2 instances on which the newer version of the app will be deployed. So the canary setting associated to the new version of the API will connect with the new ALB instance which in turn will direct the traffic to the new EC2 instances on which the newer version of the application is deployed.

The following are the steps involved in accomplishing this in the most maintainable manner:

Use AWS CodeBuild with artifact encryption to replace the Jenkins instance running on EC2 instances.

Configure CodeBuild to encrypt the build artifacts using AWS Secrets Manager.

Deploy the containerized quality control applications to CodeBuild.

This approach is the most maintainable because it eliminates the need to manage Jenkins on EC2 instances. CodeBuild is a managed service, so the DevOps engineer does not need to worry about patching or upgrading the service.

https://docs.aws.amazon.com/codebuild/latest/userguide/security-encryption.html Build artifact encryption - CodeBuild requires access to an AWS KMS CMK in order to encrypt its build output artifacts. By default, CodeBuild uses an AWS Key Management Service CMK for Amazon S3 in your AWS account. If you do not want to use this CMK, you must create and configure a customer-managed CMK. For more information Creating keys.

The correct approach to meet the requirements for separate environment pipelines and automatic deployment for test environments is to create two AWS CodePipeline configurations, one for each environment. The production pipeline should have a manual approval step to ensure that changes are reviewed before being deployed to production. A single AWS CodeCommit repository with separate branches for each environment allows for organized and efficient code management. Each CodePipeline retrieves the source code from the appropriate branch in the repository. The deployment step utilizes AWS CloudFormation to deploy the Lambda functions, ensuring that the infrastructure as code is maintained and version-controlled.

AWS Lambda with Amazon API Gateway: Using AWS Lambda with Amazon API Gateway

Tutorial on using Lambda with API Gateway: Tutorial: Using Lambda with API Gateway

AWS CodePipeline automatic deployment: Set Up a Continuous Deployment Pipeline Using AWS CodePipeline

Building a pipeline for test and production stacks: Walkthrough: Building a pipeline for test and production stacks

It allows the company to detect potentially compromised EC2 instances, suspicious network activity, and unusual API activity in its existing AWS accounts and in any AWS accounts that the company creates in the future using Amazon GuardDuty. It also provides a solution for automatically adding future AWS accounts to GuardDuty by configuring GuardDuty to add newly created AWS accounts by invitation and to send invitations to the existing AWS accounts.

https://blog.fourninecloud.com/auto-scaling-lifecycle-hooks-to-export-server-logs-when-instance-terminating-58e06d7c0d6a

The requirements clearly indicate the need for modern CodePipeline capabilities , strict execution ordering, Git tag–based triggers, and loose coupling between pipelines. CodePipeline V2 introduces execution modes such as QUEUED and SUPERSEDED , along with native support for advanced trigger filtering when using AWS CodeConnections.

The requirement that the pipeline must wait for the previous run to finish directly maps to QUEUED mode , which ensures that pipeline executions run sequentially rather than replacing in-progress executions. SUPERSEDED mode would cancel the running execution, which violates the requirement.

Triggering the pipeline when new Git tags are pushed is supported through CodePipeline V2 trigger filters using refs/tags/*. Branch-based triggers would not satisfy this condition.

Finally, the requirement that an existing deployment pipeline runs in response to new container images is best met using Amazon EventBridge , which natively emits events for ECR image push actions . EventBridge allows decoupled, event-driven orchestration between pipelines without tight dependencies or custom scripting. This is the AWS-recommended approach for pipeline-to-pipeline coordination.

Options C and D rely on CodePipeline V1 , which lacks modern trigger filtering and execution control. Option B incorrectly uses SUPERSEDED mode and branch-based triggers.

Therefore, Option A correctly combines CodePipeline V2 , QUEUED execution mode , tag-based triggers , and EventBridge-driven pipeline chaining , meeting all requirements with best practices and minimal operational complexity.

Only the Organizations management account (or roles in that account) can call organizations:CreateAccount directly. When moving the Lambda function to a different (dedicated) account, the correct pattern is to perform cross-account role assumption into a role that resides in the management account and has tightly scoped Organizations permissions.

Option A describes exactly this:

Create an IAM role in the management account with only the required Organizations permissions (for example, organizations:CreateAccount and related read permissions).

Configure the trust policy on that role to allow it to be assumed by the Lambda execution role in the new account.

Update the Lambda code to call sts:AssumeRole into the management-account role before invoking the Organizations API.

This approach ensures that:

The Lambda function can create new accounts, but only via the management account.

The Lambda execution role in the dedicated account has no direct Organizations permissions; it only has permission to assume the specific role.

Option B is incorrect because “delegated administration for Organizations” in the generic sense is not how CreateAccount is exposed; account creation remains a management-account responsibility. Options C and D either misconfigure trust or introduce unnecessary Control Tower complexity. Cross-account assume-role from the dedicated account into the management account is the correct and least-privilege solution.

To meet the requirements of creating a new Organizations account structure with an appropriate SCP that supports the use of only services that are currently active in the AWS account, the company should use the following solution:

Create an SCP that allows the services that IAM Access Analyzer identifies. IAM Access Analyzer is a service that helps identify potential resource-access risks by analyzing resource-based policies in the AWS environment. IAM Access Analyzer can also generate IAM policies based on access activity in the AWS CloudTrail logs. By using IAM Access Analyzer, the company can create an SCP that grants only the permissions that are required for the application to run, and denies all other services. This way, the company can enforce the use of only approved AWS services and reduce the risk of unauthorized access12

Create an OU for the account. Move the account into the new OU. An OU is a container for accounts within an organization that enables you to group accounts that have similar business or security requirements. By creating an OU for the account, the company can apply policies and manage settings for the account as a group. The company should move the account into the new OU to make it subject to the policies attached to the OU3

Attach the new SCP to the new OU. Detach the default FullAWSAccess SCP from the new OU. An SCP is a type of policy that specifies the maximum permissions for an organization or organizational unit (OU). By attaching the new SCP to the new OU, the company can restrict the services that are available to all accounts in that OU, including the account that runs the application. The company should also detach the default FullAWSAccess SCP from the new OU, because this policy allows all actions on all AWS services and might override or conflict with the new SCP45

The other options are not correct because they do not meet the requirements or follow best practices. Creating an SCP that denies the services that IAM Access Analyzer identifies is not a good option because it might not cover all possible services that are not approved or required for the application. A deny policy is also more difficult to maintain and update than an allow policy. Creating an SCP that allows the services that IAM Access Analyzer identifies and attaching it to the organization’s root is not a good option because it might affect other accounts and OUs in the organization that have different service requirements or approvals. Creating an SCP that allows the services that IAM Access Analyzer identifies and attaching it to the management account is not a valid option because SCPs cannot be attached directly to accounts, only to OUs or roots.

1: Using AWS Identity and Access Management Access Analyzer - AWS Identity and Access Management

2: Generate a policy based on access activity - AWS Identity and Access Management

3: Organizing your accounts into OUs - AWS Organizations

4: Service control policies - AWS Organizations

5: How SCPs work - AWS Organizations

Service Control Policies in AWS Organizations set the maximum permissions available to all identities within an account, including users who have administrator-level permission sets in IAM Identity Center. A Deny SCP for iam:CreateUser attached to the research team ' s account overrides the AdministratorAccess policy in the permission set and cannot be bypassed by any action within the account. This makes it the most enforceable and tamper-resistant solution. Option A attaches a deny policy to the permission set itself, which would work for sessions using that permission set, but does not prevent IAM users in the account from creating other IAM users. Option B sets a permissions boundary, which can only limit a role ' s maximum permissions, not prevent users from performing actions outside their own role ' s context. Option D is reactive, allowing IAM user creation before deletion, which is not prevention.

================

AWS Control Tower provides Account Factory and Account Factory Customizations (AFC) as the lowest-overhead and most scalable method for creating and configuring new accounts. AFC allows you to define blueprints that include mandatory baseline resources such as IAM roles, logging configurations, guardrails, network settings, and tagging standards. When accounts are created through Account Factory using a customization blueprint, all controls and baseline configurations are applied automatically during provisioning, without any additional automation steps or StackSet deployments.

Option B requires running StackSets after the account is created, which adds manual management overhead and defeats the built-in automation advantages of Control Tower. Options C and D rely on manually provisioning accounts via AWS Organizations, which bypasses Control Tower’s governance and would require custom Lambda or StackSet automation to replicate controls that Control Tower already provides automatically.

Because the question explicitly asks for the least operational overhead, the correct answer is to use the Control Tower AFC blueprint, ensuring every account is born compliant with the required guardrails and baseline configuration.

The requirement is to automatically apply different baseline CloudFormation templates based on OU placement when new AWS accounts are created, while keeping operational overhead as low as possible. Because the company is already using AWS Organizations and is planning a comprehensive account management strategy, the most AWS-native and efficient solution is AWS Control Tower with Customizations for AWS Control Tower (CfCT) .

CfCT is specifically designed to extend Control Tower’s baseline by allowing administrators to deploy OU-scoped CloudFormation templates automatically. The solution uses a manifest file to map CloudFormation templates to specific OUs, ensuring that each new account receives the correct baseline configuration immediately after provisioning. Templates and configuration are stored in a version-controlled Git repository, providing auditability, change tracking, and rollback capabilities.

Option B adds unnecessary operational complexity by introducing a custom CodePipeline that must be manually triggered and maintained. This duplicates functionality that CfCT already provides natively. Options C and D rely on custom Lambda logic and EventBridge rules, which increase maintenance burden, reduce transparency, and lack built-in OU-aware governance features.

AWS documentation explicitly recommends Customizations for AWS Control Tower for OU-based, scalable, and automated baseline deployments. Therefore, Option A delivers the required functionality with the least operational overhead and aligns with AWS best practices for multi-account governance.

The default CPU utilization metric does not reflect the processing backlog in the SQS queue, so the Auto Scaling group is not scaling properly to handle the workload.

To scale the Auto Scaling group based on queue length, you can create a target tracking scaling policy that uses a custom metric that combines the SQS queue ' s ApproximateNumberOfMessagesVisible and the number of instances (GroupIn-ServiceInstances) metric using CloudWatch metric math. This allows the scaling policy to calculate the average number of messages per instance and scale accordingly.

This approach requires no additional Lambda functions or log processing, thus minimizing operational overhead.

Option A and B require Lambda functions to publish custom metrics, which increases operational complexity. Option D also adds complexity with logging and metric filters.

To allow developers to create IAM users without granting excessive permissions, the correct solution is to use permissions boundaries, which AWS specifically recommends for restricting delegated administrators such as developers. A permissions boundary defines the maximum permissions that an IAM user or role can delegate.

Step C ensures that each AWS account contains a PermissionBoundaries policy defining the maximum allowed permissions that any developer-created user may receive. This prevents privilege escalation, even if the developer attaches a more powerful policy. This aligns with AWS guidance for restricting privilege escalation within multi-account environments.

Step E ensures that developers can create IAM users but only if they attach the PermissionBoundaries policy as the permissions boundary. By attaching the DeveloperBoundary policy to the CreateAndManageUsers role, developers gain the ability to create users, but they are cryptographically prevented from assigning permissions outside the boundary policy.

Meanwhile, the DevOps team (who are not restricted by the boundary) can still create IAM users with full permissions.

This combination satisfies all constraints:

DevOps team: unrestricted IAM creation

Developers: restricted IAM creation enforced by boundaries

Other users: still blocked from IAM creation by existing SCP

AWS recommends Application Auto Scaling for ECS services to dynamically adjust the number of running tasks based on Amazon SQS queue metrics such as ApproximateNumberOfMessagesVisible. By using target tracking scaling policies, ECS on Fargate scales automatically when the queue backlog grows and scales down when traffic decreases — a fully managed, cost-efficient solution (see ECS Service Auto Scaling Developer Guide).

To aggregate events from multiple accounts into a single account, the default event bus in the receiving (DevOps) account must have a resource-based policy allowing the source accounts to put events into it.

Then, an EventBridge rule in each source account routes Amazon Connect events to the default event bus in the DevOps account (cross-account event delivery).

Options A and B describe policies or rules incorrectly applying permissions or routing. Option D mentions replay permissions, which are unrelated to event routing.

When setting the flag authenticated-read in the command line, the owner gets FULL_CONTROL. The AuthenticatedUsers group (Anyone with an AWS account) gets READ access. Reference: https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html

The correct answer is B and E. Configuring a higher provisioned concurrency for the Lambda functions will ensure that the functions are ready to respond to the initial burst of requests without any cold start latency. Using Amazon RDS Proxy to create a proxy for the Aurora database will enable the Lambda functions to reuse existing database connections and reduce the overhead of establishing new ones. This will also improve the scalability and availability of the database by managing the connection pool size and handling failovers. Option A is incorrect because reserved concurrency only limits the number of concurrent executions for a function, not pre-warms them. Option C is incorrect because converting the DB cluster to an Aurora global database will not address the issue of database connection latency, and may introduce additional costs and complexity. Option D is incorrect because moving the code blocks that initialize database connections into the function handlers will not improve the performance or scalability of the Lambda functions, and may actually worsen the cold start latency. References:

AWS Lambda Provisioned Concurrency

Using Amazon RDS Proxy with AWS Lambda

Certified DevOps Engineer - Professional (DOP-C02) Study Guide (page 173)

The problem is that the DevOps engineer cannot assume the OrganizationAccountAccessRole IAM role in the new member account that joined AnyCompany’s management account through an Organizations invitation. The solution is to create a new IAM role with the same name and trust policy in the new member account.

Option A is incorrect, as it does not address the root cause of the error. The DevOps engineer’s IAM user already has permission to assume the OrganizationAccountAccessRole IAM role in any member account, as this is the default role name that AWS Organizations creates when a new account joins an organization. The error occurs because the new member account does not have this role, as it was not created by AWS Organizations.

Option B is incorrect, as it does not address the root cause of the error. An SCP is a policy that defines the maximum permissions for account members of an organization or organizational unit (OU). An SCP does not grant permissions to IAM users or roles, but rather limits the permissions that identity-based policies or resource-based policies grant to them. An SCP also does not affect how IAM roles are assumed by other principals.

Option C is correct, as it addresses the root cause of the error. By creating a new IAM role with the same name and trust policy as the OrganizationAccountAccessRole IAM role in the new member account, the DevOps engineer can assume this role and access the account. The new role should have the AdministratorAccess AWS managed policy attached, which grants full access to all AWS resources in the account. The trust policy should allow the management account to assume the role, which can be done by specifying the management account ID as a principal in the policy statement.

Option D is incorrect, as it assumes that the new member account already has the OrganizationAccountAccessRole IAM role, which is not true. The new member account does not have this role, as it was not created by AWS Organizations. Editing the trust policy of a non-existent role will not solve the problem.

CloudWatch metric filters can parse logs directly to create metrics without additional infrastructure.

Metric filters combined with CloudWatch dashboards provide the simplest and most operationally efficient solution.

Options A, B, and D add complexity with additional services (OpenSearch, Lambda, Kinesis).

because of " as few maintenance tasks as possible on the underlying infrastructure " . Fargate does that better than " one centralized application server "