DOP-C02 Exam Dumps - AWS Certified DevOps Engineer - Professional

The correct approach to meet the requirements for separate environment pipelines and automatic deployment for test environments is to create two AWS CodePipeline configurations, one for each environment. The production pipeline should have a manual approval step to ensure that changes are reviewed before being deployed to production. A single AWS CodeCommit repository with separate branches for each environment allows for organized and efficient code management. Each CodePipeline retrieves the source code from the appropriate branch in the repository. The deployment step utilizes AWS CloudFormation to deploy the Lambda functions, ensuring that the infrastructure as code is maintained and version-controlled.

AWS Lambda with Amazon API Gateway: Using AWS Lambda with Amazon API Gateway

Tutorial on using Lambda with API Gateway: Tutorial: Using Lambda with API Gateway

AWS CodePipeline automatic deployment: Set Up a Continuous Deployment Pipeline Using AWS CodePipeline

Building a pipeline for test and production stacks: Walkthrough: Building a pipeline for test and production stacks

---

###

The requirement is to securely consume cross-account sensitive parameters from AWS Systems Manager Parameter Store in a CI/CD pipeline. AWS imposes specific constraints and features for cross-account parameter access, and the correct solution must align with those constraints.

First, cross-account sharing of Parameter Store parameters is supported only for Advanced tier parameters. Standard tier parameters cannot be shared across accounts. Therefore, Option A is required, and Option C is invalid.

Second, cross-account access to Parameter Store parameters is implemented using AWS Resource Access Manager (AWS RAM). RAM allows the central account to explicitly share the parameter resource with the CI/CD account. Without RAM, the parameter is not visible or accessible across accounts. This makes Option F mandatory.

Third, because the parameter stores sensitive credentials, encryption must be handled securely. When sharing encrypted parameters across accounts, AWS requires the use of a customer managed AWS KMS key, not an AWS managed key. The key policy must explicitly grant `kms:Decrypt` permission to the consuming account. AWS managed keys cannot be shared across accounts, which makes Option D invalid and Option E correct.

Although the CI/CD pipeline’s IAM role must ultimately have permission to read the parameter, that permission is implicit in the consuming account once the parameter is shared and the KMS key policy allows decryption. The critical cross-account enablers are Advanced tier, RAM sharing, and a customer managed KMS key.

Therefore, the correct combination is A, E, and F.

The company’s primary goals are to produce daily builds , publish artifacts to an Amazon S3–hosted website , and do so with the least operational overhead . Because the source repository is public and builds are produced on a fixed daily schedule, there is no requirement for complex multi-stage orchestration or manual pipeline invocations.

Option B provides the most streamlined and AWS-recommended solution. By using AWS CodeBuild directly with the public repository as the source, the company eliminates the need to manage an AWS CodePipeline altogether. CodeBuild can natively compile the project and publish build artifacts directly to an Amazon S3 bucket through its artifacts configuration. This minimizes service dependencies and operational complexity.

Using an Amazon EventBridge scheduled rule to trigger the CodeBuild project daily ensures builds occur automatically without manual intervention. Enabling artifact encryption is the AWS best practice, even for public artifacts, because encryption at rest does not prevent public read access when bucket policies allow it.

Option A relies on webhooks and push-based triggers, which do not meet the “build every day” requirement and introduce unnecessary coupling to repository activity. Options C and D retain CodePipeline, which adds extra configuration and maintenance overhead without providing additional value for this simple build-and-publish workflow.

Therefore, Option B meets all requirements with the least operational effort while following AWS-recommended CI/CD design principles.

https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

The correct answer is B. Creating a new AWS CodeBuild project and configuring a test stage in the AWS CodePipeline pipeline that uses the new CodeBuild project is the best way to integrate the unit tests into the existing pipeline. Creating a CodeBuild report group and uploading the test reports to the new CodeBuild report group will produce reports about the unit tests for the company to view. Using JUNITXML as the output format for the unit tests is supported by CodeBuild and will generate a valid report.

Option A is incorrect because Amazon CodeGuru Reviewer is a service that provides automated code reviews and recommendations for improving code quality and performance. It is not a tool for running unit tests or producing test reports. Therefore, option A will not meet the requirements.

Option C is incorrect because AWS CodeArtifact is a service that provides secure, scalable, and cost-effective artifact management for software development. It is not a tool for running unit tests or producing test reports. Moreover, option C uses CUCUMBERJSON as the output format for the unit tests, which is not supported by CodeBuild and will not generate a valid report.

Option D is incorrect because uploading the test reports to an Amazon S3 bucket is not the best way to produce reports about the unit tests for the company to view. CodeBuild has a built-in feature to create and manage test reports, which is more convenient and efficient than using S3. Furthermore, option D uses HTML as the output format for the unit tests, which is not supported by CodeBuild and will not generate a valid report.

To ensure that CloudTrail cannot be disabled in any member account, the control must be enforced above the individual accounts, at the organization level , and must not be overridable by local administrators. AWS Service Control Policies (SCPs) provide exactly this capability: they define permission guardrails that apply to all IAM users, roles, and even the root user in accounts within an AWS Organizations OU.

By applying an SCP that explicitly denies cloudtrail:StopLogging and cloudtrail:DeleteTrail , the organization prevents any principal in the affected accounts from disabling logging or deleting the trails, regardless of their IAM permissions. This provides strong, centralized enforcement of audit logging.

Option B uses IAM policies in each account. Local administrators with sufficient privileges could modify or detach those policies, defeating the control. Option C only sends notifications and does not prevent the action. Option D with AWS Config auto-remediation still allows a window where CloudTrail is disabled and also can be disabled or modified itself.

Therefore, the most robust and least bypassable approach is to use an SCP at the OU level to deny CloudTrail stop and delete actions.

Option A is incorrect because setting the deployment configuration to LambdaAllAtOnce means that the new version of the application will be deployed to all Lambda functions at once, affecting all customers. This does not meet the requirement of affecting the fewest customers possible. Moreover, configuring automatic rollbacks on the deployment group is not operationally efficient, as it requires manual intervention to fix the errors and redeploy the application.

Option B is correct because setting the deployment configuration to LambdaCanary10Percent10Minutes means that the new version of the application will be deployed to 10 percent of the Lambda functions first, and then to the remaining 90 percent after 10 minutes. This minimizes the impact of errors on customers, as only 10 percent of them will be affected by a faulty deployment. Configuring automatic rollbacks on the deployment group also meets the requirement of reverting to the most recent stable version of the application when an error is detected. Creating a CloudWatch alarm that detects HTTP Bad Gateway errors on API Gateway is a valid way to monitor the health of the application and trigger a rollback if needed.

Option C is incorrect because setting the deployment configuration to LambdaAllAtOnce means that the new version of the application will be deployed to all Lambda functions at once, affecting all customers. This does not meet the requirement of affecting the fewest customers possible. Moreover, configuring manual rollbacks on the deployment group is not operationally efficient, as it requires human intervention to stop the current deployment and start a new one. Creating an SNS topic to send notifications every time a deployment fails is not sufficient to detect errors in the application, as it does not monitor the API Gateway responses.

Option D is incorrect because configuring manual rollbacks on the deployment group is not operationally efficient, as it requires human intervention to stop the current deployment and start a new one. Creating a metric filter on a CloudWatch log group for API Gateway to monitor HTTP Bad Gateway errors is a valid way to monitor the health of the application, but invoking a new Lambda function to perform a rollback is unnecessary and complex, as CodeDeploy already provides automatic rollback functionality.