Free Amazon Web Services DOP-C02 Practice Exam with Questions & Answers | Set: 9

This solution will meet the requirements because it will create a temporary copy of the production database using a snapshot, run the integration tests on the copy, and delete the copy after the tests are done. This way, the production database will not be affected by the code revisions, and the DevOps team can test the changes before deploying them to production. A buildspec file is a YAML file that contains the commands and settings that CodeBuild uses to run a build1. The buildspec file can specify the steps to restore the DB cluster from a snapshot, run the integration tests, and drop the restored database2

https://aws.amazon.com/about-aws/whats-new/2016/09/aws-codedeploy-introduces-deployment-monitoring-with-amazon-cloudwatch-alarms-and-automatic-deployment-rollback/

To meet the requirements of failover and disaster recovery, the company should use the following deployment strategies:

Create an Amazon Aurora global database in two AWS Regions as the data store. In the event of a failure, promote the secondary Region to the primary for the application. Update the application to use the Aurora cluster endpoint in the secondary Region. This strategy can provide a low RPO and RTO for the data, as Aurora global database replicates data with minimal latency across Regions and allows fast and easy failover12. The company can use the Amazon Aurora cluster endpoint to connect to the current primary DB cluster without needing to change any application code1.

Set up the application in two AWS Regions. Configure AWS Global Accelerator to point to Application Load Balancers (ALBs) in both Regions. Add both ALBs to a single endpoint group. Use health checks and Auto Scaling groups in each Region. This strategy can provide high availability and performance for the application, as AWS Global Accelerator uses the AWS global network to route traffic to the closest healthy endpoint3. The company can also use static IP addresses that are assigned by Global Accelerator as a fixed entry point for their application1. By using health checks and Auto Scaling groups, the company can ensure that their application can scale up or down based on demand and handle any instance failures4.

The other options are incorrect because:

Creating an Amazon Aurora Single-AZ cluster in multiple AWS Regions as the data store would not provide a fast failover or disaster recovery solution, as the company would need to manually restore data from backups or snapshots in another Region in case of a failure.

Creating an Amazon Aurora cluster in multiple AWS Regions as the data store and using a Network Load Balancer to balance the database traffic in different Regions would not work, as Network Load Balancers do not support cross-Region routing. Moreover, this strategy would not provide a consistent view of the data across Regions, as Aurora clusters do not replicate data automatically between Regions unless they are part of a global database.

Setting up the application in two AWS Regions and using Amazon Route 53 failover routing that points to Application Load Balancers in both Regions would not provide a low RTO, as Route 53 failover routing relies on DNS resolution, which can take time to propagate changes across different DNS servers and clients. Moreover, this strategy would not provide deterministic routing, as Route 53 failover routing depends on DNS caching behavior, which can vary depending on different factors.

AWS CodeArtifact is a fully managed artifact repository service that supports popular package formats and can proxy downstream public repositories securely. It integrates seamlessly with both AWS Cloud and on-premises environments and stores artifacts in highly durable object storage (Amazon S3). CodeArtifact encrypts data at rest and in transit by default.

Because there is currently no routing between the on-premises data center and AWS, establishing a third-party software VPN appliance for connectivity provides secure communication without requiring complex AWS Direct Connect or multiple VPN setups.

This solution can be deployed quickly (within two weeks), is highly available, and meets encryption requirements. Using CodeArtifact eliminates the need to maintain third-party artifact servers, reducing operational overhead and improving reliability.

Options B, C, and D introduce higher complexity with AWS Direct Connect or multiple VPN connections and third-party software that increases deployment time and operational burden, which is against the requirement for rapid deployment and high operational efficiency.

Reference from AWS Official Documentation:

AWS CodeArtifact Overview: " CodeArtifact is a fully managed artifact repository service that makes it easy for organizations to securely store, publish, and share software packages used in their software development process. " (AWS CodeArtifact Documentation)

Encryption in AWS CodeArtifact: " CodeArtifact encrypts data at rest and in transit by default. " (AWS CodeArtifact Security)

VPN Appliance Deployment: " Software VPN appliances are commonly used for secure, encrypted connectivity between on-premises data centers and AWS. " (AWS VPN Options)

To allow an EC2 instance to access CodeArtifact, an IAM role attached via an instance profile must be granted permissions to access the CodeArtifact repository. The EC2 instance assumes this role.

The instance then uses the AWS CLI command aws codeartifact login to authenticate and configure the package manager (e.g., pip) to use the CodeArtifact repository. This command obtains an authorization token and sets up repository credentials securely on the instance.

Service-linked roles (Option A) are managed by AWS services, not used for instance access. CodeArtifact does not support ACLs (Option C), and resource-based policies (Option B) do not grant access to EC2 instances by principal.

This method is standard for securely managing credentials and access to CodeArtifact in automated deployments.

AWS recommends centralizing CodeDeploy agent logs in Amazon CloudWatch Logs for efficient analysis. By configuring the CloudWatch agent or using the CodeDeploy console integration, you can stream logs in near-real time and query them with CloudWatch Logs Insights. This enables filtering by deployment lifecycle events, saving time versus manually connecting to instances. Refer to AWS documentation section “Monitoring and troubleshooting deployments with CodeDeploy and CloudWatch.”

Amazon GuardDuty provides built-in, fully managed threat detection for AWS accounts and workloads, including automatic detection of cryptocurrency mining activity, compromised EC2 instances, command-and-control traffic patterns, and anomalous behaviors. GuardDuty includes multiple threat identifiers such as EC2:CryptoCurrencyActivity.BitcoinToolDetected and EC2:UnauthorizedAccess.CryptoMining. Because this capability is native and requires no custom detection logic, it provides the lowest development and operational overhead compared to alternatives.

When GuardDuty generates a finding, it publishes the event automatically to Amazon EventBridge. The DevOps engineer can create an EventBridge rule that matches the specific mining-related finding types. The target of the rule is an AWS Lambda function that parses instance details from the finding and calls TerminateInstances on the affected EC2 instance.

This enables real-time automated remediation without needing recurring scans, log parsing, or complex data queries.

Options A and B require building custom detection pipelines and maintaining periodic Lambda polling, increasing long-term complexity. Option D (Security Hub) aggregates findings but still relies on GuardDuty for detection, adding unnecessary overhead.

Therefore, GuardDuty + EventBridge + Lambda termination is the easiest, quickest, and most AWS-recommended solution following incident-response best practices.

" You can use subscriptions to get access to a real-time feed of log events from CloudWatch Logs and have it delivered to other services such as an Amazon Kinesis stream, an Amazon Kinesis Data Firehose stream, or AWS Lambda for custom processing, analysis, or loading to other systems. When log events are sent to the receiving service, they are Base64 encoded and compressed with the gzip format. " See https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Subscriptions.html

The CfCT solution is designed for the exact purpose stated in the question. It extends the capabilities of AWS Control Tower by providing you with a way to automate resource provisioning and apply custom configurations across all AWS accounts created in the Control Tower environment. This enables the company to implement additional account customizations when new accounts are provisioned via the Control Tower Account Factory. The CloudFormation templates and SCPs can be added to a CodeCommit repository and will be automatically deployed to new accounts when they are created. This provides a highly automated solution that does not require manual intervention to deploy resources and SCPs to new accounts.

B. Update the CodeBuild project role with the necessary permissions and then remove the AWS credentials from the environment variable. C. Store the DB_PASSWORD as a SecureString value in AWS Systems Manager Parameter Store and then remove the DB_PASSWORD from the environment variables. E. Use AWS Systems Manager run command versus scp and ssh commands directly to the instance.