Amazon Web Services DOP-C02 - AWS Certified DevOps Engineer - Professional

Comprehensive and Detailed Explanation From Exact Extract of DevOps Engineer documents only:

Use CodePipeline with a Git source to orchestrate the flow, CodeBuild to produce versioned artifacts in S3, and CodeDeploy to EC2 with lifecycle hooks (e.g., BeforeInstall) to run cache-clearing and unpack steps. This gives end-to-end visibility, rollbacks, and standardized deployments.

https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-managed-instance-activation.html

ï‚· Create an Amazon EventBridge Rule Using an AWS CloudTrail Event Pattern:

AWS CloudTrail logs API calls made in your account, including actions performed by roles.

Create an EventBridge rule that matches CloudTrail events where the AssumeRole API call is made to assume the administrator role.

ï‚· Invoke an AWS Lambda Function:

Configure the EventBridge rule to trigger a Lambda function whenever the rule's conditions are met.

The Lambda function will handle the logic to send a notification.

ï‚· Publish a Message to an Amazon SNS Topic:

The Lambda function will publish a message to an SNS topic to notify the security team.

Subscribe the security team’s email address to this SNS topic to receive real-time notifications.

Example EventBridge rule pattern:

{

"source": ["aws.cloudtrail"],

"detail-type": ["AWS API Call via CloudTrail"],

"detail": {

"eventSource": ["sts.amazonaws.com"],

"eventName": ["AssumeRole"],

"requestParameters": {

"roleArn": ["arn:aws:iam:::role/AdministratorRole"]

}

}

}

Example Lambda function (Node.js) to publish to SNS:

const AWS = require('aws-sdk');

const sns = new AWS.SNS();

exports.handler = async (event) => {

const params = {

Message: `Administrator role assumed: ${JSON.stringify(event.detail)}`,

TopicArn: 'arn:aws:sns:::'

};

await sns.publish(params).promise();

};

AWS Secrets Manager is a secrets management service that helps you protect access to your applications, services, and IT resources. This service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Using Secrets Manager, you can secure and manage secrets used to access resources in the AWS Cloud, on third-party services, and on-premises. SSM parameter store and AWS Secret manager are both a secure option. However, Secrets manager is more flexible and has more options like password generation. Reference: https://www.1strategy.com/blog/2019/02/28/aws-parameter-store-vs-aws-secrets-manager/

Comprehensive and Detailed Explanation From Exact Extract:

AWS CodeDeploy supports automatic rollback capabilities, which allow the deployment to automatically revert to the last known good revision if a failure occurs during the deployment or if health checks fail.

You can enable automatic rollback on CodeDeploy deployments by configuring rollback settings in the deployment group.

Automatic rollback triggers can include failed deployments and alarms failing during the deployment lifecycle, which means if the health check fails, CodeDeploy will automatically roll back without manual intervention.

Lifecycle event hooks (Option A) provide custom scripting capabilities during deployment but do not provide built-in rollback automation.

CloudFormation (Option B) can deploy and manage infrastructure but does not control CodeDeploy rollback.

CloudWatch alarms (Option C) can trigger notifications but require manual or additional automation to trigger rollback.Hence, enabling CodeDeploy’s automatic rollback settings is the simplest and most reliable method for automatic rollback upon health check failure.

Reference from AWS Official Documentation and Study Guide:

AWS CodeDeploy Automatic Rollback:"You can configure automatic rollback in AWS CodeDeploy to roll back a deployment if it fails or if specified CloudWatch alarms are triggered."(AWS CodeDeploy User Guide - Automatic Rollbacks)

AWS Certified DevOps Engineer Professional Study Guide:"Leverage CodeDeploy automatic rollback features to reduce downtime and ensure application stability during deployments."

https://docs.aws.amazon.com/codedeploy/latest/APIReference/API_BlueInstanceTerminationOption.html

The original revision termination settings are configured to wait 1 hour after traffic has been rerouted before terminating the blue task set. https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-bluegreen.html

The problem is that the DevOps engineer cannot assume the OrganizationAccountAccessRole IAM role in the new member account that joined AnyCompany’s management account through an Organizations invitation. The solution is to create a new IAM role with the same name and trust policy in the new member account.

Option A is incorrect, as it does not address the root cause of the error. The DevOps engineer’s IAM user already has permission to assume the OrganizationAccountAccessRole IAM role in any member account, as this is the default role name that AWS Organizations creates when a new account joins an organization. The error occurs because the new member account does not have this role, as it was not created by AWS Organizations.

Option B is incorrect, as it does not address the root cause of the error. An SCP is a policy that defines the maximum permissions for account members of an organization or organizational unit (OU). An SCP does not grant permissions to IAM users or roles, but rather limits the permissions that identity-based policies or resource-based policies grant to them. An SCP also does not affect how IAM roles are assumed by other principals.

Option C is correct, as it addresses the root cause of the error. By creating a new IAM role with the same name and trust policy as the OrganizationAccountAccessRole IAM role in the new member account, the DevOps engineer can assume this role and access the account. The new role should have the AdministratorAccess AWS managed policy attached, which grants full access to all AWS resources in the account. The trust policy should allow the management account to assume the role, which can be done by specifying the management account ID as a principal in the policy statement.

Option D is incorrect, as it assumes that the new member account already has the OrganizationAccountAccessRole IAM role, which is not true. The new member account does not have this role, as it was not created by AWS Organizations. Editing the trust policy of a non-existent role will not solve the problem.

Amazon ECR enhanced scanning uses Amazon Inspector for vulnerability detection.

EventBridge can capture Inspector scan findings.

Lambda can process scan findings and reject manual approval if critical vulnerabilities exist.

Options A and C use incorrect or less integrated services (basic scanning or Detective).

Option B adds unnecessary complexity with SBOM and Athena.

https://aws.amazon.com/blogs/mt/monitor-changes-and-auto-enable-logging-in-aws-cloudtrail/

ï‚· Modify the Build Stage to Add a Test Action with a RunOrder Value of 2:

The build stage in AWS CodePipeline can have multiple actions. By adding a test action with a runOrder value of 2, the test action will execute after the initial build action completes.

ï‚· Use AWS CodeBuild as the Action Provider to Run Unit Tests:

AWS CodeBuild is a fully managed build service that compiles source code, runs tests, and produces software packages.

Using CodeBuild to run unit tests ensures that the tests are executed in a controlled environment and that only the code changes that pass the unit tests proceed to the deploy stage.

Example configuration in CodePipeline:

{

"name": "BuildStage",

"actions": [

{

"name": "Build",

"actionTypeId": {

"category": "Build",

"owner": "AWS",

"provider": "CodeBuild",

"version": "1"

},

"runOrder": 1

},

{

"name": "Test",

"actionTypeId": {

"category": "Test",

"owner": "AWS",

"provider": "CodeBuild",

"version": "1"

},

"runOrder": 2

}

]

}

By integrating the unit tests into the build stage and ensuring they run after the build process, the pipeline guarantees that only code changes passing all unit tests are deployed.