DOP-C02 Exam Dumps - AWS Certified DevOps Engineer - Professional

ECS container instances must have an IAM role that trusts ECS (the ecs-tasks.amazonaws.com principal) to assume permissions for CloudWatch logging. Without this trust relationship, ECS cannot push logs even if the permissions are present.

The requirements describe a classic attribute-based access control (ABAC) model using AWS IAM. The company already has consistent tagging across users and resources, which is ideal for ABAC and least-privilege enforcement at scale.

First, Option A is required because IAM roles should represent job functions (developer vs. database administrator) and be scoped per project. Creating separate roles per project and job function allows permissions to be isolated cleanly and prevents cross-project access.

Second, Option B enforces project-level isolation at the policy level. By modifying the existing job-function policies to include a StringEquals condition that compares aws:ResourceTag/Project with aws:PrincipalTag/Project, access is automatically limited to only those resources that belong to the same project as the user. This is an AWS-recommended ABAC pattern and avoids policy sprawl.

Third, Option C is required so users can assume roles only when their tags match the role’s tags. An IAM policy attached to users that allows sts:AssumeRole only if both project and job function tags match ensures users cannot assume roles outside their assigned scope.

Options D, E, and F either misapply policies to the wrong entities, misuse tagging on policies (which IAM does not evaluate for authorization), or introduce unnecessary group-based management that conflicts with the ABAC design.

Therefore, A, B, and C together provide least privilege, project isolation, and scalable access control with minimal ongoing administration.

Deployment of config.txt file based on the appspec.yml:

The appspec.yml file specifies that config/config.txt should be copied to /usr/local/src/config.txt.

The source: / directive in the appspec.yml indicates that the entire directory structure starting from the root of the application source should be copied to the specified destination, which is /var/www/html.

Result of the Deployment:

The config.txt file will be specifically deployed to /usr/local/src/config.txt as per the explicit file mapping.

The entire directory structure including application/web will be copied to /var/www/html, but this does not include config/config.txt since it has a specific destination defined.

Thus, the config.txt file will be deployed only to /usr/local/src/config.txt.

Therefore, the correct answer is:

C. The config.txt file will be deployed to only /usr/local/src/config.txt.

AWS CodePipeline supports multiple stages including source, build, test, and deploy. The most efficient way to integrate automated testing is by adding an AWS CodeBuild action to the pipeline that runs the tests using a buildspec.yml file. CodeBuild can be configured to fail the pipeline automatically if tests fail, ensuring that deployments do not proceed to the staging environment. This pattern is directly supported and documented in AWS CodePipeline + CodeBuild CI/CD architecture guidance.

A Lambda function in one account can mount a file system in a different account. For this scenario, you configure VPC peering between the function VPC and the file system VPC. https://docs.aws.amazon.com/lambda/latest/dg/services-efs.html

https://aws.amazon.com/ru/blogs/storage/mount-amazon-efs-file-systems-cross-account-from-amazon-eks/

1. Need to update the file system policy on EFS to allow mounting the file system into Account B.

## File System Policy

$ cat file-system-policy.json

{

"Statement": [

{

"Effect": "Allow",

"Action": [

"elasticfilesystem:ClientMount",

"elasticfilesystem:ClientWrite"

],

"Principal": {

"AWS": "arn:aws:iam::<aws-account-id-A>:root" # Replace with AWS account ID of EKS cluster

}

}

]

}

2. Need VPC peering between Account A and Account B as the pre-requisite

3. Need to assume cross-account IAM role to describe the mounts so that a specific mount can be chosen.

When using the awslogs log driver with Amazon ECS on EC2, CloudWatch Logs permissions must be granted to the ECS container instance IAM role, not the task definition or infrastructure role. The ECS agent running on the EC2 instances is responsible for creating log streams and pushing log events to Amazon CloudWatch Logs on behalf of the containers.

In this scenario, the task definition is correctly configured to automatically create the log group (awslogs-create-group: true) and send logs to the specified Region. However, the error occurs because the EC2 container instances do not have sufficient IAM permissions to perform the required CloudWatch Logs API calls. As a result, ECS cannot place the task, and it reports that no container instance meets the requirements.

According to AWS documentation, the container instance IAM role must include the following permissions when using the awslogs driver:

logs:CreateLogStream

logs:PutLogEvents

(and, when creating log groups automatically) logs:CreateLogGroup

Option C correctly addresses the root cause by updating the container instance IAM role. Option A is incorrect because the ECS infrastructure or service role is not used to write logs. Option B is unrelated to permissions and does not resolve the issue. Option D would fail because the log group does not already exist, causing task startup to fail.

Therefore, modifying the container instance IAM role is the correct solution.

 The correct solution is to create a new assertion safety rule in Route 53 ARC and apply it to the two routing controls. An assertion safety rule is a type of safety rule that ensures that a minimum number of routing controls are always enabled. The ATLEAST type of assertion safety rule specifies the minimum number of routing controls that must be enabled for the rule to evaluate as healthy. By setting the threshold to 1, the rule ensures that at least one routing control is always turned on. This prevents the scenario where both routing controls are accidentally turned off and the application becomes unavailable in both Regions.

The other solutions are incorrect because they do not use safety rules to prevent both routing controls from being turned off. A gating safety rule is a type of safety rule that prevents routing control state changes that violate the rule logic. The OR type of gating safety rule specifies that one or more routing controls must be enabled for the rule to evaluate as healthy. However, this rule does not prevent a user from turning off both routing controls manually. A resource set is a collection of resources that are tested for readiness by Route 53 ARC. A readiness check is a test that verifies that all the resources in a resource set are operational. However, these concepts are not related to routing control states or safety rules. Therefore, creating a new resource set and a new readiness check will not ensure that at least one routing control is turned on at all times. References:

Routing control in Amazon Route 53 Application Recovery Controller

Viewing and updating routing control states in Route 53 ARC

Creating a control panel in Route 53 ARC

Creating safety rules in Route 53 ARC