Amazon Web Services DOP-C02 - AWS Certified DevOps Engineer - Professional

AWS Organizations is a service that helps to manage multiple AWS accounts. AWS Control Tower is a service that makes it easy to set up and govern secure, compliant multi-account AWS environments. Account Factory for Terraform (AFT) is an AWS Control Tower feature that provisions new accounts using Terraform templates. To provision new accounts with the Enterprise Support plan, the DevOps engineer can set the aft_feature_enterprise_support feature flag to True in the AFT deployment input configuration. This flag enables the Enterprise Support plan for newly provisioned accounts.

https://docs.aws.amazon.com/controltower/latest/userguide/aft-feature-options.html

Comprehensive and Detailed Explanation From Exact Extract of DevOps Engineer documents only:

The requirement is to shift traffic automatically in equal increments over a defined total deployment time with no manual intervention. In AWS CodeDeploy blue/green deployments for Amazon ECS, the TimeBasedLinear traffic routing option is specifically designed for this purpose.

Option A is correct because:

TimeBasedLinear shifts traffic in equal percentages.

The deployment proceeds automatically at each interval.

linearPercentage defines how much traffic is shifted each time.

linearInterval defines how often the traffic shift happens.

This supports gradual traffic shifting and zero-downtime blue/green deployment behavior.

Why the other options are incorrect:

B. AllAtOnce shifts all traffic immediately, not in equal increments over time.

C. TimeBasedCanary shifts traffic in an initial portion and then the remainder later. That is not equal incremental shifting across the full deployment period.

D. This option is too generic and does not specifically identify the CodeDeploy configuration that provides equal incremental automatic traffic shifting. The exact feature required is TimeBasedLinear.

https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-managed-instance-activation.html

Amazon ECR supports enhanced scanning powered by Amazon Inspector, which provides deeper security scanning for container images including OS and programming language package vulnerabilities.

Enabling enhanced scanning (Option B) allows detection of CRITICAL and HIGH vulnerabilities.

Amazon ECR emits scan completion events via EventBridge, which can trigger Lambda functions. The Lambda function can process the scan results from Amazon Inspector and programmatically approve or reject the image in the CI/CD pipeline (Option D).

Basic scanning (Option A) is limited and does not integrate with Inspector.

Options C and E describe functionalities not natively supported (ECR does not automatically submit Rejected status; Clair is not used in AWS ECR scanning).

When you create a pipeline from CodePipeline during the step-by-step it creates a CloudWatch Event rule for a given branch and repo

like this:

{

" source " : [

" aws.codecommit "

],

" detail-type " : [

" CodeCommit Repository State Change "

],

" resources " : [

" arn:aws:codecommit:us-east-1:xxxxx:repo-name "

],

" detail " : {

" event " : [

" referenceCreated " ,

" referenceUpdated "

],

" referenceType " : [

" branch "

],

" referenceName " : [

" master "

]

}

}

https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-trigger-source-repo-changes-console.html

If instead you want to automatically apply the policy to existing in-scope resources, choose Auto remediate any noncompliant resources. This option creates a web ACL in each applicable account within the AWS organization and associates the web ACL with the resources in the accounts. When you choose Auto remediate any noncompliant resources, you can also choose to remove existing web ACL associations from in-scope resources, for the web ACLs that aren ' t managed by another active Firewall Manager policy. If you choose this option, Firewall Manager first associates the policy ' s web ACL with the resources, and then removes the prior associations. If a resource has an association with another web ACL that ' s managed by a different active Firewall Manager policy, this choice doesn ' t affect that association.

(A) When Docker communicates with an Amazon Elastic Container Registry (ECR) repository, it requires authentication. You can authenticate your Docker client to the Amazon ECR registry with the help of the AWS CLI (Command Line Interface). Specifically, you can use the " aws ecr get-login-password " command to get an authorization token and then use Docker ' s " docker login " command with that token to authenticate to the registry. You would need to perform these steps in your buildspec.yml file before attempting to push or pull images from/to the ECR repository.

The requirements clearly indicate the need for modern CodePipeline capabilities , strict execution ordering, Git tag–based triggers, and loose coupling between pipelines. CodePipeline V2 introduces execution modes such as QUEUED and SUPERSEDED , along with native support for advanced trigger filtering when using AWS CodeConnections.

The requirement that the pipeline must wait for the previous run to finish directly maps to QUEUED mode , which ensures that pipeline executions run sequentially rather than replacing in-progress executions. SUPERSEDED mode would cancel the running execution, which violates the requirement.

Triggering the pipeline when new Git tags are pushed is supported through CodePipeline V2 trigger filters using refs/tags/*. Branch-based triggers would not satisfy this condition.

Finally, the requirement that an existing deployment pipeline runs in response to new container images is best met using Amazon EventBridge , which natively emits events for ECR image push actions . EventBridge allows decoupled, event-driven orchestration between pipelines without tight dependencies or custom scripting. This is the AWS-recommended approach for pipeline-to-pipeline coordination.

Options C and D rely on CodePipeline V1 , which lacks modern trigger filtering and execution control. Option B incorrectly uses SUPERSEDED mode and branch-based triggers.

Therefore, Option A correctly combines CodePipeline V2 , QUEUED execution mode , tag-based triggers , and EventBridge-driven pipeline chaining , meeting all requirements with best practices and minimal operational complexity.

The CfCT solution is designed for the exact purpose stated in the question. It extends the capabilities of AWS Control Tower by providing you with a way to automate resource provisioning and apply custom configurations across all AWS accounts created in the Control Tower environment. This enables the company to implement additional account customizations when new accounts are provisioned via the Control Tower Account Factory. The CloudFormation templates and SCPs can be added to a CodeCommit repository and will be automatically deployed to new accounts when they are created. This provides a highly automated solution that does not require manual intervention to deploy resources and SCPs to new accounts.