Amazon Web Services DOP-C02 - AWS Certified DevOps Engineer - Professional

The company needs multi-Region data persistence with immediate propagation and minimal operational overhead. For S3, the correct mechanism is S3 replication (Cross-Region Replication or Same-Region Replication), which continuously and asynchronously replicates new objects as they are written. Configuring two-way replication between the primary and secondary Region buckets ensures that objects written in either Region are replicated to the other automatically without custom code.

For DynamoDB, the native solution for multi-Region replication is DynamoDB global tables. Global tables provide multi-master, multi-Region replication with low-latency reads and writes in each Region and automatic propagation of changes. Converting existing tables into global tables and adding the secondary Region as a replica gives immediate, managed cross-Region replication with minimal maintenance.

Option A combines these two fully managed features: two-way S3 replication and DynamoDB global tables. This yields the highest operational efficiency.

Options B, C, and D rely on S3 Batch Operations or DynamoDB Streams + Lambda to manually copy data cross-Region. These approaches add complexity, custom code, and operational risk, and they are less suitable when AWS provides managed replication mechanisms specifically designed for this purpose.

Therefore, Option A is the correct and most efficient solution.

https://docs.aws.amazon.com/codedeploy/latest/userguide/deployment-configurations.html

Comprehensive and Detailed Explanation From Exact Extract of DevOps Engineer Documents Only:

AWS X-Ray provides distributed tracing for microservice-based applications. Deploying the X-Ray daemon as a DaemonSet in the EKS cluster and instrumenting the application with the X-Ray SDK enables end-to-end tracing across microservices, helping identify performance bottlenecks. This method is documented in “Using AWS X-Ray with Amazon EKS” (AWS Observability Guide).

CodeDeploy deployment failures must be diagnosed using deployment-specific logs and related application logs. CodeDeploy writes detailed logs on the target EC2 instances under /opt/codedeploy-agent/deployment-root/ (for example in logs and deployment-logs subdirectories). These logs include information about lifecycle events (BeforeInstall, AfterInstall, ApplicationStart, etc.), script execution failures, permissions issues, and any exit codes returned by deployment hooks.

Option C correctly points to CodeDeploy agent logs on the EC2 instances as the primary source for root cause analysis. Additionally, application-level logs streamed to Amazon CloudWatch Logs help validate whether the application itself is working correctly after deployment. For complex, multi-tier applications, AWS X-Ray can trace requests end to end, helping determine if issues are caused by downstream dependencies instead of the deployment process.

Options A, B, and D focus on network flow, generic performance, or high-level checks, none of which provide sufficient, deployment-level detail for CodeDeploy. Trusted Advisor and AWS Health do not surface step-by-step deployment log data. Therefore, the combination of CodeDeploy logs on the instances, CloudWatch Logs, and (optionally) X-Ray is the correct troubleshooting approach.

To meet the requirements of migrating its on-premises Windows and Linux applications to AWS and creating a pilot light DR environment in another AWS Region, the company should use Amazon FSx for NetApp ONTAP for the application storage. Amazon FSx for NetApp ONTAP is a fully managed service that provides highly reliable, scalable, high-performing, and feature-rich file storage built on NetApp’s popular ONTAP file system. FSx for ONTAP supports multiple protocols, including SMB for Windows and NFS for Linux, so the company can access the shared storage from both types of applications. FSx for ONTAP also supports NetApp SnapMirror replication, which enables the company to replicate the storage to the DR Region. NetApp SnapMirror replication is efficient, secure, and incremental, and it preserves the data deduplication and compression benefits of FSx for ONTAP. The company can use automation to launch and configure the EC2 instances in the DR Region and then use NetApp SnapMirror to restore the data from the primary Region.

The other options are not correct because they do not meet the requirements or follow best practices. Using Amazon S3 for the application storage is not a good option because S3 is an object storage service that does not support SMB or NFS protocols natively. The company would need to use additional services or software to mount S3 buckets as file systems, which would add complexity and cost. Using Amazon EBS for the application storage is also not a good option because EBS is a block storage service that does not support SMB or NFS protocols natively. The company would need to set up and manage file servers on EC2 instances to provide shared access to the EBS volumes, which would add overhead and maintenance. Using a Volume Gateway in AWS Storage Gateway for the application storage is not a valid option because Volume Gateway does not support SMB protocol. Volume Gateway only supports iSCSI protocol, which means that only Linux applications can access the shared storage.

1: What is Amazon FSx for NetApp ONTAP? - FSx for ONTAP

2: Amazon FSx for NetApp ONTAP

3: Amazon FSx for NetApp ONTAP | NetApp

4: AWS Announces General Availability of Amazon FSx for NetApp ONTAP

Replicating Data with NetApp SnapMirror - FSx for ONTAP

What Is Amazon S3? - Amazon Simple Storage Service

What Is Amazon Elastic Block Store (Amazon EBS)? - Amazon Elastic Compute Cloud

What Is AWS Storage Gateway? - AWS Storage Gateway

Installing the CloudWatch agent and instrumenting the application to push custom metrics to the agent is the easiest and lowest overhead method.

Prometheus (B) adds operational complexity.

Lambda polling (C) introduces unnecessary complexity and latency.

Using Logs Insights (D) requires extracting metrics from logs, which is less efficient.

Create an Amazon EventBridge (Amazon CloudWatch Events) rule that matches an AWS Config evaluation result of NON_COMPLIANT for the restricted-ssh rule. Configure an input transformer for the EventBridge (CloudWatch Events) rule. Configure the EventBridge (CloudWatch Events) rule to publish a notification to the SNS topic. This approach uses Amazon EventBridge (previously known as Amazon CloudWatch Events) to filter AWS Config evaluation results based on the restricted-ssh rule and its compliance status (NON_COMPLIANT). An input transformer can be used to customize the information contained in the notification, such as the name and ID of the noncompliant security group. The EventBridge (CloudWatch Events) rule can then be configured to publish a notification to the SNS topic, which will notify the appropriate personnel in real-time.

Option A is incorrect because creating an Amazon EventBridge rule that invokes an AWS Lambda function to query the applications on a 5-minute interval is not a valid solution. EventBridge rules can only trigger Lambda functions based on events, not on time intervals. Moreover, querying the applications on a 5-minute interval might incur unnecessary costs and network overhead, and might not detect performance issues in real time.

Option B is correct because creating an Amazon CloudWatch Synthetics canary that runs a custom script to query the applications on a 5-minute interval is a valid solution. CloudWatch Synthetics canaries are configurable scripts that monitor endpoints and APIs by simulating customer behavior. Canaries can run as often as once per minute, and can measure the latency and availability of the applications. Canaries can also send notifications to an Amazon SNS topic when they detect errors or performance issues1.

Option C is incorrect because creating an Amazon CloudWatch alarm that uses the AWS/ApplicationELB namespace RequestCountPerTarget metric is not a valid solution. The RequestCountPerTarget metric measures the number of requests completed or connections made per target in a target group2. This metric does not reflect the application response time, which is the requirement. Moreover, configuring the CloudWatch alarm to send a notification when the number of connections becomes greater than the configured number of threads that the application supports is not a valid way to measure the application performance, as it depends on the application design and implementation.

Option D is incorrect because creating an Amazon CloudWatch alarm that uses the AWS/ApplicationELB namespace RequestCountPerTarget metric is not a valid solution, for the same reason as option C. The RequestCountPerTarget metric does not reflect the application response time, which is the requirement. Moreover, configuring the CloudWatch alarm to send a notification when the average response time becomes greater than the longest response time that the application supports is not a valid way to measure the application performance, as it does not account for variability or outliers in the response time distribution.

https://repost.aws/knowledge-center/cloudformation-update-rollback-failed If your stack is stuck in the UPDATE_ROLLBACK_FAILED state after a failed update, then the only actions that you can perform on the stack are the ContinueUpdateRollback or DeleteStack operations.

The best solution to implement failover for the application is to use CloudFront origin groups. Origin groups allow CloudFront to automatically switch to a secondary origin when the primary origin is unavailable or returns specific HTTP status codes that indicate a failure1. This way, CloudFront can serve the requests from the secondary ALB in the secondary Region without any delay or redirection. To set up origin groups, the DevOps engineer needs to create a new origin on the distribution for the secondary ALB, create a new origin group with the original ALB as the primary origin and the secondary ALB as the secondary origin, and configure the origin group to fail over for HTTP 5xx status codes. Then, the DevOps engineer needs to update the default behavior to use the origin group instead of the single origin2.

The other options are not as effective or efficient as the solution in option B. Option A is not suitable because creating a second CloudFront distribution will increase the complexity and cost of the application. Moreover, using Route 53 alias records with a failover policy will introduce some delay in detecting and switching to the secondary CloudFront distribution, which may not meet the zero-second RTO requirement. Option C is not feasible because CloudFront does not support using Route 53 alias records as origins3. Option D is not advisable because using a CloudFront function to redirect the requests to the secondary ALB will add an extra round-trip and latency to the failover process, which may also not meet the zero-second RTO requirement.

1: Optimizing high availability with CloudFront origin failover - Amazon CloudFront

2: Creating an origin group - Amazon CloudFront

3: Values That You Specify When You Create or Update a Web Distribution - Amazon CloudFront