Free Amazon Web Services DOP-C02 Practice Exam with Questions & Answers | Set: 10

https://docs.aws.amazon.com/inspector/latest/user/scanning-ec2.html

To meet the requirements of ensuring that flow logs remain configured for all existing and new VPCs in the AWS account, the company should use AWS Config and automatic remediation. AWS Config is a service that enables customers to assess, audit, and evaluate the configurations of their AWS resources. AWS Config continuously monitors and records the configuration changes of the AWS resources and evaluates them against desired configurations. Customers can use AWS Config rules to define the desired configuration state of their AWS resources and trigger actions when a resource configuration violates a rule.

One of the AWS Config rules that customers can use is vpc-flow-logs-enabled, which checks whether VPC flow logs are enabled for all VPCs in an AWS account. Customers can also configure automatic remediation for this rule, which means that AWS Config will automatically enable VPC flow logs for any VPCs that do not have them enabled. Customers can specify the destination (CloudWatch Logs or S3) and the traffic type (all, accept, or reject) for the flow logs as remediation parameters. By using AWS Config and automatic remediation, the company can ensure that flow logs remain configured for all existing and new VPCs in its AWS account, regardless of who creates them or how they are created.

The other options are not correct because they do not meet the requirements or follow best practices. Adding the resource to the CloudFormation stack that creates the VPCs is not a sufficient solution because it will only work for VPCs that are created by using the CloudFormation stack. It will not work for VPCs that are created by using other methods, such as the console or the API. Creating an organization in AWS Organizations and creating an SCP to prevent users from modifying VPC flow logs is not a good solution because it will not ensure that flow logs are enabled for all VPCs in the first place. It will only prevent users from disabling or changing flow logs after they are enabled. Creating an IAM policy to deny the use of API calls for VPC flow logs and attaching it to all IAM users is not a valid solution because it will prevent users from enabling or disabling flow logs at all. It will also not work for VPCs that are created by using other methods, such as the console or CloudFormation.

1: AWS::EC2::FlowLog - AWS CloudFormation

2: Amazon VPC Flow Logs extends CloudFormation Support to custom format subscriptions, 1-minute aggregation intervals and tagging

3: Logging IP traffic using VPC Flow Logs - Amazon Virtual Private Cloud

About AWS Config - AWS Config

vpc-flow-logs-enabled - AWS Config

Remediate Noncompliant Resources with AWS Config Rules - AWS Config

Installing the CloudWatch agent and instrumenting the application to push custom metrics to the agent is the easiest and lowest overhead method.

Prometheus (B) adds operational complexity.

Lambda polling (C) introduces unnecessary complexity and latency.

Using Logs Insights (D) requires extracting metrics from logs, which is less efficient.

https://docs.aws.amazon.com/codedeploy/latest/userguide/integrations-aws-auto-scaling.html

The requirements demand very low data loss (RPO < 1 minute) and fast recovery (RTO < 10 minutes) across Regions . Snapshot/backup-based approaches (B, D) generally cannot meet an RPO under 1 minute (and restoring snapshots/backups typically pushes RTO higher than 10 minutes for many real-world DB sizes and restore times).

Option A is the only choice that is explicitly built around near-real-time replication to another Region (cross-Region replica) and an operational pattern to promote the standby and update Route 53 to redirect applications quickly during failover.

Multi-AZ addresses in-Region high availability , while the cross-Region replica + promotion addresses cross-Region DR with low RPO and acceptable RTO when automated.

Why the others don’t meet the stated RPO/RTO:

B : Copying snapshots every 5 minutes immediately violates RPO < 1 minute .

C : DMS replication could potentially be low-latency, but the option only mentions notifications (no automated failover/redirect) and does not provide the clearest/most direct managed HA+DR pattern for the required RTO < 10 minutes .

D : “Cross-Region backups every 30 seconds ” is not a standard practical backup cadence for AWS Backup with RDS, and restore-based DR still tends to miss the RTO/RPO targets compared with replica promotion.

The requirement is to deploy a stateless application with multi-Region fault tolerance , ensuring high availability even if an entire AWS Region becomes unavailable. For this design, traffic must be actively served from both Regions, not only during a failure event.

Option C correctly implements an active-active, multi-Region architecture . By deploying the application to both EKS clusters , each Region is capable of serving traffic independently. Using Amazon Route 53 weighted routing , traffic is distributed across both Application Load Balancers, allowing both Regions to handle requests simultaneously. If one Region becomes unhealthy, Route 53 health checks can stop routing traffic to that Region, maintaining availability.

Implementing Kubernetes readiness and liveness probes ensures that traffic is only sent to healthy pods within each cluster. This provides fault tolerance at both the container level (pod health) and the Regional level (Route 53 routing).

Option A uses a failover routing policy, which results in an active-passive design. While fault tolerant, it does not utilize both Regions simultaneously and provides slower recovery during Region failure. Options B and D deploy the application only in the primary Region, which does not meet multi-Region fault tolerance requirements.

Therefore, Option C delivers the most resilient, highly available, and AWS-recommended architecture for a stateless, multi-Region EKS application.

Step 1: Understanding the Deletion FailureThe most likely reason why the CloudFormation stack failed to delete is that the S3 bucket was not empty. AWS CloudFormation cannot delete an S3 bucket that contains objects, so if the website files are still in the bucket, the deletion will fail.

Issue: The S3 bucket is not empty during deletion, preventing the stack from being deleted.

Step 2: Modifying the Custom Resource to Handle DeletionTo mitigate this issue, you can modify the Lambda function associated with the custom resource to automatically empty the S3 bucket when the stack is being deleted. By adding logic to handle the RequestType: Delete event, the function can recursively delete all objects in the bucket before allowing the stack to be deleted.

Action: Modify the Lambda function to recursively delete the objects in the S3 bucket when RequestType is set to Delete.

Why: This ensures that the S3 bucket is empty before CloudFormation tries to delete it, preventing the stack deletion failure.

The following are the steps that the DevOps engineer should take to reduce the latency of the Lambda function at all times of the day:

Configure provisioned concurrency on the Lambda function.

Configure AWS Application Auto Scaling on the Lambda function with provisioned concurrency values set to a minimum of 1 and a maximum of 100.

The provisioned concurrency setting ensures that there is always a minimum number of Lambda function instances available to handle requests. The Application Auto Scaling setting will automatically scale the number of Lambda function instances up or down based on the demand for the application.

This solution will ensure that the Lambda function is able to handle the increased load during the middle of the day, while also keeping the cold-start latency low.

The following are the reasons why the other options are not correct:

Option A is incorrect because it will not reduce the cold-start latency of the Lambda function.

Option B is incorrect because it will not scale the number of Lambda function instances up or down based on demand.

Option D is incorrect because it will only configure reserved concurrency on the API Gateway API, which will not affect the Lambda function.

https://aws.amazon.com/premiumsupport/knowledge-center/lambda-function-assume-iam-role/ https://kreuzwerker.de/post/aws-multi-account-setups-reloaded