Free Amazon Web Services DOP-C02 Practice Exam with Questions & Answers | Set: 3

The latency in processing and ingesting logs can be caused by several factors, such as the throughput of the Kinesis data stream, the concurrency of the Lambda function, and the configuration of the event source mapping. To reduce the latency, the following steps can be taken:

Create a data stream consumer with enhanced fan-out. Set the Lambda function that processes the logs as the consumer. This will allow the Lambda function to receive records from the data stream with dedicated throughput of up to 2 MB per second per shard, independent of other consumers1. This will reduce the contention and delay in accessing the data stream.

Increase the ParallelizationFactor setting in the Lambda event source mapping. This will allow the Lambda service to invoke more instances of the function concurrently to process the records from the data stream2. This will increase the processing capacity and reduce the backlog of records in the data stream.

Configure reserved concurrency for the Lambda function that processes the logs. This will ensure that the function has enough concurrency available to handle the increased load from the data stream3. This will prevent the function from being throttled by the account-level concurrency limit.

The other options are not effective or may have negative impacts on the latency. Option D is not suitable because increasing the batch size in the Kinesis data stream will increase the amount of data that the Lambda function has to process in each invocation, which may increase the execution time and latency4. Option E is not advisable because turning off the ReportBatchItemFailures setting in the Lambda event source mapping will prevent the Lambda service from retrying the failed records, which may result in data loss. Option F is not necessary because increasing the number of shards in the Kinesis data stream will increase the throughput of the data stream, but it will not affect the processing speed of the Lambda function, which is the bottleneck in this scenario.

1: Using AWS Lambda with Amazon Kinesis Data Streams - AWS Lambda

2: AWS Lambda event source mappings - AWS Lambda

3: Managing concurrency for a Lambda function - AWS Lambda

4: AWS Lambda function scaling - AWS Lambda

AWS Lambda event source mappings - AWS Lambda

Scaling Amazon Kinesis Data Streams with AWS CloudFormation - Amazon Kinesis Data Streams

 Create an Amazon EventBridge Rule Using an AWS CloudTrail Event Pattern:

AWS CloudTrail logs API calls made in your account, including actions performed by roles.

Create an EventBridge rule that matches CloudTrail events where the AssumeRole API call is made to assume the administrator role.

 Invoke an AWS Lambda Function:

Configure the EventBridge rule to trigger a Lambda function whenever the rule ' s conditions are met.

The Lambda function will handle the logic to send a notification.

 Publish a Message to an Amazon SNS Topic:

The Lambda function will publish a message to an SNS topic to notify the security team.

Subscribe the security team’s email address to this SNS topic to receive real-time notifications.

Example EventBridge rule pattern:

{

" source " : [ " aws.cloudtrail " ],

" detail-type " : [ " AWS API Call via CloudTrail " ],

" detail " : {

" eventSource " : [ " sts.amazonaws.com " ],

" eventName " : [ " AssumeRole " ],

" requestParameters " : {

" roleArn " : [ " arn:aws:iam:: < account-id > :role/AdministratorRole " ]

}

}

}

Example Lambda function (Node.js) to publish to SNS:

const AWS = require( ' aws-sdk ' );

const sns = new AWS.SNS();

exports.handler = async (event) = > {

const params = {

Message: `Administrator role assumed: ${JSON.stringify(event.detail)}`,

TopicArn: ' arn:aws:sns: < region > : < account-id > : < sns-topic > '

};

await sns.publish(params).promise();

};

Accessing a secret from AWS Secrets Manager that is encrypted with a customer managed KMS key requires two distinct permission layers to succeed:

Secrets Manager permissions (via IAM) such as secretsmanager:GetSecretValue for the IAM role assumed by the Kubernetes service account.

KMS key usage permissions in the KMS key policy , allowing the same IAM principal to perform kms:Decrypt (and possibly kms:GenerateDataKey ) on the customer managed key.

In this scenario, the service account assumes an IAM role explicitly created to access the secrets. The symptom is an HTTP 403 “Access Denied” when retrieving the secret. If the IAM role has Secrets Manager permissions but the call still fails, the typical root cause is that the KMS key policy does not trust or allow that IAM role , so the decrypt operation fails.

Option B correctly identifies that the KMS key policy must include the Kubernetes service account IAM role as a principal with the appropriate KMS actions.

Option A and C refer to the EKS cluster IAM role, which is not the principal making the call. Option D is unrelated: the role’s ability to “access the EKS cluster” does not affect its ability to call Secrets Manager or KMS. The missing KMS key policy permission is the underlying cause.

Option A is incorrect because EventBridge rules cannot filter events based on the message body or attributes of the target service. Therefore, configuring an SNS subscription filter policy to match the CloudFormation stack will not work. The SNS topic will receive all events from the EventBridge rule, regardless of the stack name or drift status.

Option B is incorrect because it introduces unnecessary complexity and cost. Creating a second Lambda function to query the CloudFormation API for the drift detection results is redundant, since CloudFormation already publishes drift detection events to EventBridge. Moreover, invoking two Lambda functions every hour will incur more charges than invoking one.

Option C is incorrect because GuardDuty does not provide drift detection for CloudFormation stacks. GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior in AWS accounts and workloads. It does not monitor or report on configuration changes or drifts in CloudFormation stacks.

Option D is correct because it leverages AWS Config and its managed rule for drift detection. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It can detect configuration changes and drifts in CloudFormation stacks using the cloudformation-stack-drift-detection-check managed rule. This rule triggers an AWS Config event when a stack drifts from its expected template configuration. By creating a second EventBridge rule that reacts to this event for the specific stack, the DevOps engineer can configure the SNS topic as a target and receive a notification as soon as possible when drift is detected.

Activate AWS Control Tower Guardrail:

Use AWS Control Tower to activate a detective guardrail that checks whether RDS storage is encrypted.

Create SNS Topic for Notifications:

Set up an Amazon Simple Notification Service (SNS) topic in the audit account to receive notifications about non-compliant databases.

Create EventBridge Rule to Filter Non-compliant Events:

Create an Amazon EventBridge rule that filters events related to the guardrail ' s findings on non-compliant RDS instances.

Configure the rule to send notifications to the SNS topic when non-compliant events are detected.

Subscribe Security Engineer ' s Email to SNS Topic:

Subscribe the security engineer ' s email address to the SNS topic to receive notifications when non-compliant databases are detected.

By using AWS Control Tower to activate a detective guardrail and setting up SNS notifications for non-compliant events, the company can efficiently monitor and ensure that all RDS databases are encrypted at rest.

When using the awslogs log driver with Amazon ECS on EC2, CloudWatch Logs permissions must be granted to the ECS container instance IAM role , not the task definition or infrastructure role. The ECS agent running on the EC2 instances is responsible for creating log streams and pushing log events to Amazon CloudWatch Logs on behalf of the containers.

In this scenario, the task definition is correctly configured to automatically create the log group (awslogs-create-group: true) and send logs to the specified Region. However, the error occurs because the EC2 container instances do not have sufficient IAM permissions to perform the required CloudWatch Logs API calls. As a result, ECS cannot place the task, and it reports that no container instance meets the requirements.

According to AWS documentation, the container instance IAM role must include the following permissions when using the awslogs driver:

logs:CreateLogStream

logs:PutLogEvents

(and, when creating log groups automatically) logs:CreateLogGroup

Option C correctly addresses the root cause by updating the container instance IAM role . Option A is incorrect because the ECS infrastructure or service role is not used to write logs. Option B is unrelated to permissions and does not resolve the issue. Option D would fail because the log group does not already exist, causing task startup to fail.

Therefore, modifying the container instance IAM role is the correct solution.

https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/automating-updates-to-serverless-apps.html

https://docs.aws.amazon.com/autoscaling/ec2/userguide/ASGettingNotifications.html#auto-scaling-sns-notifications

https://blog.fourninecloud.com/auto-scaling-lifecycle-hooks-to-export-server-logs-when-instance-terminating-58e06d7c0d6a