DOP-C02 Exam Dumps - AWS Certified DevOps Engineer - Professional

ï‚· Create an Amazon EventBridge Rule Using an AWS CloudTrail Event Pattern:

AWS CloudTrail logs API calls made in your account, including actions performed by roles.

Create an EventBridge rule that matches CloudTrail events where the AssumeRole API call is made to assume the administrator role.

ï‚· Invoke an AWS Lambda Function:

Configure the EventBridge rule to trigger a Lambda function whenever the rule ' s conditions are met.

The Lambda function will handle the logic to send a notification.

ï‚· Publish a Message to an Amazon SNS Topic:

The Lambda function will publish a message to an SNS topic to notify the security team.

Subscribe the security team’s email address to this SNS topic to receive real-time notifications.

Example EventBridge rule pattern:

{

" source " : [ " aws.cloudtrail " ],

" detail-type " : [ " AWS API Call via CloudTrail " ],

" detail " : {

" eventSource " : [ " sts.amazonaws.com " ],

" eventName " : [ " AssumeRole " ],

" requestParameters " : {

" roleArn " : [ " arn:aws:iam:: < account-id > :role/AdministratorRole " ]

}

}

}

Example Lambda function (Node.js) to publish to SNS:

const AWS = require( ' aws-sdk ' );

const sns = new AWS.SNS();

exports.handler = async (event) = > {

const params = {

Message: `Administrator role assumed: ${JSON.stringify(event.detail)}`,

TopicArn: ' arn:aws:sns: < region > : < account-id > : < sns-topic > '

};

await sns.publish(params).promise();

};

https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-profile-attached.html

Using CodePipeline + CodeConnections Git repo provides version control, automated deployment, and rollback. Each template includes AWS::ControlTower::EnableControl for OU-level guardrails. AWS Control Tower documentation recommends this GitOps automation model.

This solution will meet the requirements in the most operationally efficient manner because it will use CloudWatch Logs destination to aggregate the log groups from all the accounts to a single S3 bucket in the logging account. However, unlike option A, this solution will create a CloudWatch Logs destination for each region, instead of a single destination for all regions. This will improve the performance and reliability of the log delivery, as it will avoid cross-region data transfer and latency issues. Moreover, this solution will use an Amazon Kinesis data stream and an Amazon Kinesis Data Firehose delivery stream for each region, instead of a single stream for all regions. This will also improve the scalability and throughput of the log delivery, as it will avoid bottlenecks and throttling issues that may occur with a single stream.

A Lambda function in one account can mount a file system in a different account. For this scenario, you configure VPC peering between the function VPC and the file system VPC. https://docs.aws.amazon.com/lambda/latest/dg/services-efs.html

https://aws.amazon.com/ru/blogs/storage/mount-amazon-efs-file-systems-cross-account-from-amazon-eks/

1. Need to update the file system policy on EFS to allow mounting the file system into Account B.

## File System Policy

$ cat file-system-policy.json

{

" Statement " : [

{

" Effect " : " Allow " ,

" Action " : [

" elasticfilesystem:ClientMount " ,

" elasticfilesystem:ClientWrite "

],

" Principal " : {

" AWS " : " arn:aws:iam:: < aws-account-id-A > :root " # Replace with AWS account ID of EKS cluster

}

}

]

}

2. Need VPC peering between Account A and Account B as the pre-requisite

3. Need to assume cross-account IAM role to describe the mounts so that a specific mount can be chosen.

AWS CodeDeploy supports automatic rollback capabilities, which allow the deployment to automatically revert to the last known good revision if a failure occurs during the deployment or if health checks fail.

You can enable automatic rollback on CodeDeploy deployments by configuring rollback settings in the deployment group.

Automatic rollback triggers can include failed deployments and alarms failing during the deployment lifecycle, which means if the health check fails, CodeDeploy will automatically roll back without manual intervention.

Lifecycle event hooks (Option A) provide custom scripting capabilities during deployment but do not provide built-in rollback automation.

CloudFormation (Option B) can deploy and manage infrastructure but does not control CodeDeploy rollback.

CloudWatch alarms (Option C) can trigger notifications but require manual or additional automation to trigger rollback. Hence, enabling CodeDeploy’s automatic rollback settings is the simplest and most reliable method for automatic rollback upon health check failure.

Reference from AWS Official Documentation and Study Guide:

AWS CodeDeploy Automatic Rollback: " You can configure automatic rollback in AWS CodeDeploy to roll back a deployment if it fails or if specified CloudWatch alarms are triggered. " (AWS CodeDeploy User Guide - Automatic Rollbacks)

AWS Certified DevOps Engineer Professional Study Guide: " Leverage CodeDeploy automatic rollback features to reduce downtime and ensure application stability during deployments. "

Step 1: Understanding Lambda Permissions and AWS Config

The custom AWS Config rule evaluates resources and invokes an AWS Lambda function when a compliance check is triggered. For AWS Config to invoke the Lambda function, it requires permission to do so.

Issue: The Lambda function fails to execute because AWS Config doesn ' t have permission to invoke it.

Action: Modify the resource-based policy of the Lambda function to grant AWS Config permission to invoke the Lambda function.

Why: Without this permission, AWS Config cannot trigger the Lambda function, which is why the evaluation fails.

EKS control plane nodes are fully managed by AWS and are not accessible for configuration, SSH, SSM commands, or custom workloads. Therefore, any prefetching of container images must occur on the worker nodes (EC2 instances in the node groups) because those are the machines that pull and cache container images before running pods.

Option C is the only solution that aligns with AWS architecture:

It creates an IAM role allowing Systems Manager Run Command to execute on EC2 worker nodes.

It uses node group tags to target the correct nodes dynamically.

State Manager runs the prefetch script whenever triggered by the EventBridge automation — ensuring newly added nodes pre-pull images and reduce cold-start latency to seconds.

Options A and D are invalid because you cannot run Systems Manager commands on EKS control plane nodes; AWS manages them and does not expose them. Option B incorrectly targets node groups based on machine size, which does not provide reliable node identification or filtering.

Thus, Option C provides the correct, scalable, and supported method for prefetching images across all worker nodes.