Amazon Web Services DOP-C02 - AWS Certified DevOps Engineer - Professional

Option B is the only choice that directly satisfies both requirements:

Continuously evaluate the account-level S3 Block Public Access setting

AWS Config is designed to record configuration state and evaluate resources/settings against rules over time.

A Config rule (managed rule) can check whether the account-level “S3 Block Public Access” settings are configured as required (i.e., blocking public access).

Automatically revert drift (auto-remediate) if someone changes the setting later

AWS Config Remediation can automatically trigger an AWS Systems Manager Automation runbook when the rule becomes NON_COMPLIANT .

Using an SSM Automation document/runbook that sets S3 account-level Block Public Access back to the required “blocked” configuration ensures that any future change is corrected automatically , restoring compliance without manual intervention.

Why the other options don’t fully meet the requirement:

A (Security Hub) : Security Hub primarily aggregates findings and checks controls. While it can integrate with automation, AWS Config is the standard service for configuration drift detection + automatic remediation loops for account-level posture settings. Security Hub is not the most direct “detect config drift and auto-fix” mechanism for an account setting in the way Config remediation is.

C (SCP) : An SCP can restrict API actions, but it doesn’t “revert” a changed S3 Block Public Access configuration ; it only prevents/limits what actions can be called. Also, “deny S3 actions from outside the account” is not the same as enforcing Block Public Access settings at the account level.

D (Macie + EventBridge) : Macie focuses on data discovery and sensitive data findings , not enforcing or continuously remediating S3 account-level Block Public Access configuration drift. Triggering remediation off Macie findings is indirect and not aligned to “setting changed → immediately revert.”

ï‚· Turn off cross-zone load balancing on the ALB ' s target group:

Cross-zone load balancing distributes traffic evenly across all registered targets in all enabled Availability Zones. Turning this off will ensure that each target group only handles requests from its respective Availability Zone.

To disable cross-zone load balancing:

Go to the Amazon EC2 console.

Navigate to Load Balancers and select the ALB.

Choose the Target Groups tab, select the target group, and then select the Group details tab.

Click on Edit and turn off Cross-zone load balancing.

ï‚· Use Amazon Route 53 Application Recovery Controller to start a zonal shift away from the Availability Zone:

Amazon Route 53 Application Recovery Controller provides the ability to control traffic flow to ensure high availability and disaster recovery.

By using Route 53 Application Recovery Controller, you can perform a zonal shift to redirect traffic away from the unhealthy Availability Zone.

To start a zonal shift:

Configure Route 53 Application Recovery Controller by creating a cluster and control panel.

Create routing controls to manage traffic shifts between Availability Zones.

Use the routing control to shift traffic away from the affected Availability Zone.

ï‚· Step 1: Using AWS IAM Identity Center for SAML-based Identity Federation

To ensure that all users accessing the AWS Management Console are authenticated via the corporate identity provider (IdP), the best approach is to set up identity federation with AWS IAM Identity Center (formerly AWS SSO) using SAML 2.0.

Action: Use AWS IAM Identity Center to configure identity federation with the corporate IdP that supports SAML 2.0.

Why: SAML 2.0 integration enables single sign-on (SSO) for users, allowing them to authenticate through the corporate IdP and gain access to AWS resources.

 The correct solution is to create a new assertion safety rule in Route 53 ARC and apply it to the two routing controls. An assertion safety rule is a type of safety rule that ensures that a minimum number of routing controls are always enabled. The ATLEAST type of assertion safety rule specifies the minimum number of routing controls that must be enabled for the rule to evaluate as healthy. By setting the threshold to 1, the rule ensures that at least one routing control is always turned on. This prevents the scenario where both routing controls are accidentally turned off and the application becomes unavailable in both Regions.

The other solutions are incorrect because they do not use safety rules to prevent both routing controls from being turned off. A gating safety rule is a type of safety rule that prevents routing control state changes that violate the rule logic. The OR type of gating safety rule specifies that one or more routing controls must be enabled for the rule to evaluate as healthy. However, this rule does not prevent a user from turning off both routing controls manually. A resource set is a collection of resources that are tested for readiness by Route 53 ARC. A readiness check is a test that verifies that all the resources in a resource set are operational. However, these concepts are not related to routing control states or safety rules. Therefore, creating a new resource set and a new readiness check will not ensure that at least one routing control is turned on at all times. References:

Routing control in Amazon Route 53 Application Recovery Controller

Viewing and updating routing control states in Route 53 ARC

Creating a control panel in Route 53 ARC

Creating safety rules in Route 53 ARC

https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/metrics-collected-by-CloudWatch-agent.html

The key requirement is to prevent non-approved EC2 instance types from being created at stack creation time , specifically when developers deploy AWS CloudFormation stacks. This is a pre-deployment enforcement requirement, not a detection or remediation requirement after resources already exist.

CloudFormation Guard Hooks are purpose-built for this use case. They allow organizations to define policy-as-code rules that validate CloudFormation templates before resources are created or updated. By writing a CloudFormation Guard rule that explicitly checks the InstanceType property against an approved allow list, the stack operation will fail immediately if a developer attempts to use a disallowed instance type. This enforces compliance early in the deployment lifecycle and avoids post-deployment cleanup.

Option B uses AWS Config, which only detects noncompliance after resources are created. Even with remediation, the instance would still be launched briefly, which violates the requirement. Option C uses an SCP, which applies broadly to all EC2 launches in the organization and is not limited to CloudFormation stacks; this is overly restrictive and could unintentionally block other valid use cases. Option A incorrectly combines Lambda with Guard Hooks—Guard Hooks natively evaluate Guard rules and do not invoke Lambda functions.

Therefore, using a CloudFormation Guard rule with a Guard Hook is the correct and AWS-recommended solution for enforcing approved EC2 instance types during CloudFormation deployments.

This solution will meet the requirements because it will use a rolling restart to gradually replace the EC2 instances in the green environment with new instances that have the new software version installed. A rolling restart is a process that terminates and launches instances in batches, ensuring that there is always a minimum number of healthy instances in service. This way, the green environment can be updated without affecting the availability or performance of the application. When the rolling restart is complete, the DevOps engineer can use an AWS CLI command to modify the listener rules of the ALB and change the default action to forward traffic to the green environment’s target group. This will switch the traffic from the blue environment to the green environment all at once, as required by the question.

To achieve multi-Region high availability for a serverless API-based application, the architecture must be duplicated in the second Region and supported by a multi-Region data layer and appropriate DNS routing. Option A provides the required multi-Region data layer using DynamoDB global tables , which replicate data automatically and asynchronously between Regions. This allows reads and writes in either Region and prevents cross-Region latency bottlenecks.

Option C ensures that the compute components—API Gateway REST API and AWS Lambda functions—are deployed in both Regions. Each Region operates independently, providing true active-active redundancy and allowing Route 53 to route traffic directly to either Region without dependency on the other.

Option E selects Route 53 latency-based routing , which directs each user to the Region with the lowest round-trip latency. This meets the requirement to route traffic based on the Region providing the best response time rather than only providing active-passive failover.

Option D (failover routing) supports active-standby topologies, not active-active. Option B creates a global secondary index, which does not provide multi-Region replication. Option F (multivalue routing) distributes traffic randomly and does not account for latency or Region placement.

Thus, combining DynamoDB global tables, duplicated serverless architecture, and latency-based routing fully satisfies the requirements.

Amazon FSx for NetApp ONTAP provides NetApp ONTAP features in AWS, including SnapMirror replication and storage efficiencies like deduplication and compression. Create FSx for ONTAP in each Region and use SnapMirror from on-prem ONTAP to each Region for efficient, incremental replication. Regions can serve data independently of on-prem availability once replicated.