DOP-C02 Exam Dumps - AWS Certified DevOps Engineer - Professional

ï‚· Impact of Removing FullAWSAccess and Adding Policy for EC2 Actions:

The FullAWSAccess policy allows all actions on all resources by default. Removing this policy from the Department OU will limit the permissions that accounts within this OU inherit from the parent OU.

Adding a policy that allows only Amazon EC2 API operations will restrict the permissions to EC2 actions only.

ï‚· Permissions of Administrative IAM Roles:

The administrative IAM roles in the Engineering OU have the AdministratorAccess policy attached, which grants full access to all AWS services and resources.

Since SCPs are restrictions that apply at the organizational level, removing FullAWSAccess and replacing it with a policy allowing only EC2 actions means that for all accounts in the Engineering OU:

They will have full access to EC2 actions due to the new SCP.

They will be restricted in other actions that are not covered by the SCP, hence, non-EC2 API actions will be denied.

ï‚· Conclusion:

All API actions on EC2 resources will be allowed.

All other API actions will be denied due to the absence of a broader allow policy.

https://aws.amazon.com/blogs/security/how-to-use-aws-config-to-determine-compliance-of-aws-kms-key-policies-to-your-specifications/

The Amazon SQS service publishes several standard CloudWatch metrics by default, including ApproximateNumberOfMessagesVisible, which represents the number of messages available for retrieval from the queue (i.e., the number of messages waiting to be processed). This is the primary metric to monitor queue backlog and processing delays.

Using ApproximateNumberOfMessagesVisible to monitor the visible messages in the queue gives a direct and near real-time indication of processing delays or backlog.

CloudWatch metrics are automatically collected and available without the need to create custom metrics or Lambda functions, which increases operational efficiency by reducing complexity and maintenance overhead.

Setting a CloudWatch alarm on this metric with a static threshold and a reasonable evaluation period (such as 1 hour) is sufficient to alert the team when the queue grows beyond an expected size.

The alarm can be directly configured to send notifications to an existing SNS topic, maintaining seamless integration with the team’s alerting mechanisms.

The ApproximateNumberOfMessagesDelayed metric refers to messages that are delayed and not available for processing yet due to delay settings, which is not the direct backlog that causes business process delays.

Options C and D introduce unnecessary complexity by requiring Lambda functions and custom metrics or scheduled invocations, which reduce operational efficiency compared to using built-in CloudWatch metrics and alarms.

Reference from AWS Official Documentation and Study Guide:

Amazon SQS Monitoring with CloudWatch Metrics: " Amazon SQS automatically sends metrics to CloudWatch, including ApproximateNumberOfMessagesVisible, which shows the number of messages available for retrieval. " (Source: Amazon SQS Monitoring - AWS Documentation)

Setting CloudWatch Alarms for SQS Queues: " You can create CloudWatch alarms on SQS metrics such as ApproximateNumberOfMessagesVisible to receive notifications when the queue size exceeds a threshold. " (Source: Amazon CloudWatch Alarms - AWS Documentation)

AWS DevOps Engineer Professional Exam Guide: " Efficient alerting for queue backlogs should leverage native CloudWatch metrics to minimize operational overhead. " (Source: Official AWS Certified DevOps Engineer Professional Study Guide)

Step 1: Storing Docker Images in Amazon ECRDocker images can be large, and storing them in a centralized, scalable location can greatly reduce build times. Amazon Elastic Container Registry (ECR) is a fully managed container registry that stores, manages, and deploys Docker container images.

Action: Store the Docker images in an ECR repository.

Why: Storing Docker images in ECR ensures that Docker images can be reused across multiple builds, improving build performance by avoiding the need to rebuild the images from scratch.

To meet the requirements, the DevOps engineer should create an Amazon EventBridge event rule that has the default event bus as the source. The rule ' s event pattern should match EC2 security group creation and modification events, and it should be configured to invoke the Lambda function. This solution will allow for near real-time detection of security group rule changes and will trigger the Lambda function to remove any unrestricted rules and send email notifications to the security team.

https://repost.aws/knowledge-center/monitor-security-group-changes-ec2

Option A best matches the requirement in the simplest, most direct way:

Systems Manager State Manager is designed to apply and maintain a desired state on managed instances by running associations on a schedule or continuously across targets (for example, “all managed nodes”).

By using a Systems Manager document in the association that installs the antivirus package (and can be written to be idempotent: “install only if not present”), State Manager both detects drift (software missing) and remediates it automatically by reapplying the desired configuration.

This approach automatically covers all instances that are managed by Systems Manager (which is typically the standard requirement for fleet management on Amazon Linux).

Why the others are more overhead or not as direct:

B can work, but it requires building and operating a custom Config rule plus remediation wiring. That’s more components and maintenance than State Manager for a straightforward “ensure software is installed” task.

C Amazon Inspector is a vulnerability management service; it’s not the primary tool for “ensure a specific software package is installed everywhere” and “remediate via SSM doc” as a desired-state control.

D only detects new instances at launch time via CloudTrail RunInstances, and then you still need Inventory correlation logic. It’s more complex and can miss already-running instances unless additional logic is added.

The question emphasizes “MOST securely” and involves a multi-account backup strategy with a centralized backup account. AWS Backup best practice for high-security environments is to use customer managed KMS keys for encrypting backup vaults rather than AWS managed keys. Customer managed keys provide tighter control over key lifecycle, key policies, and cross-account access.

Option A creates encrypted backup vaults in both the source and centralized accounts, each protected by a customer managed KMS key in that account. AWS Backup is then configured to create full EC2 backups (AMIs) and copy them to the centralized backup vault. This design ensures:

Encryption at rest in both accounts.

Independent key control and policies per account.

Secure cross-account backup copy behavior governed by explicit KMS key grants and vault access policies.

Option B incorrectly uses the source account’s KMS key to encrypt vaults in both accounts, which is not the recommended pattern; each account should manage its own CMK. Options C and D rely partially or fully on AWS managed keys, which are less appropriate when the requirement explicitly stresses maximum security and control.

Therefore, Option A best satisfies both the RPO/RTO goals (daily AMI backups with rapid restore) and the strongest encryption posture.