Amazon Web Services DOP-C02 - AWS Certified DevOps Engineer - Professional

https://docs.aws.amazon.com/health/latest/ug/cloudwatch-events-health.html

The correct answer is C.

A comprehensive and detailed explanation is:

Option A is incorrect because using CloudWatch metrics to create a custom expression that identifies the CloudWatch log groups that have the most data being written to them is not a valid solution. CloudWatch metrics do not provide information about the size or volume of data being ingested by CloudWatch logs. CloudWatch metrics only provide information about the number of events, bytes, and errors that occur within a log group or stream. Moreover, creating a custom expression with CloudWatch metrics would require using the search_web tool, which is not necessary for this use case.

Option B is incorrect because using CloudWatch Logs Insights to create a set of queries for the application log groups to identify the number of logs written for a period of time is not a valid solution. CloudWatch Logs Insights can help analyze and filter log events based on patterns and expressions, but it does not provide information about the cost or billing of CloudWatch logs. CloudWatch Logs Insights also charges based on the amount of data scanned by each query, which could increase the logging costs further.

Option C is correct because using AWS Cost Explorer to generate a cost report that details the cost for CloudWatch usage is a valid solution. AWS Cost Explorer is a tool that helps visualize, understand, and manage AWS costs and usage over time. AWS Cost Explorer can generate custom reports that show the breakdown of costs by service, region, account, tag, or any other dimension. AWS Cost Explorer can also filter and group costs by usage type, which can help identify the specific CloudWatch log groups that are the source of the increased logging costs.

Option D is incorrect because using AWS CloudTrail to filter for CreateLogStream events for each application is not a valid solution. AWS CloudTrail is a service that records API calls and account activity for AWS services, including CloudWatch logs. However, AWS CloudTrail does not provide information about the cost or billing of CloudWatch logs. Filtering for CreateLogStream events would only show when a new log stream was created within a log group, but not how much data was ingested or stored by that log stream.

The problem is that the DevOps engineer cannot assume the OrganizationAccountAccessRole IAM role in the new member account that joined AnyCompany’s management account through an Organizations invitation. The solution is to create a new IAM role with the same name and trust policy in the new member account.

Option A is incorrect, as it does not address the root cause of the error. The DevOps engineer’s IAM user already has permission to assume the OrganizationAccountAccessRole IAM role in any member account, as this is the default role name that AWS Organizations creates when a new account joins an organization. The error occurs because the new member account does not have this role, as it was not created by AWS Organizations.

Option B is incorrect, as it does not address the root cause of the error. An SCP is a policy that defines the maximum permissions for account members of an organization or organizational unit (OU). An SCP does not grant permissions to IAM users or roles, but rather limits the permissions that identity-based policies or resource-based policies grant to them. An SCP also does not affect how IAM roles are assumed by other principals.

Option C is correct, as it addresses the root cause of the error. By creating a new IAM role with the same name and trust policy as the OrganizationAccountAccessRole IAM role in the new member account, the DevOps engineer can assume this role and access the account. The new role should have the AdministratorAccess AWS managed policy attached, which grants full access to all AWS resources in the account. The trust policy should allow the management account to assume the role, which can be done by specifying the management account ID as a principal in the policy statement.

Option D is incorrect, as it assumes that the new member account already has the OrganizationAccountAccessRole IAM role, which is not true. The new member account does not have this role, as it was not created by AWS Organizations. Editing the trust policy of a non-existent role will not solve the problem.

Comprehensive and Detailed Explanation From Exact Extract:

To aggregate events from multiple accounts into a single account, the default event bus in the receiving (DevOps) account must have a resource-based policy allowing the source accounts to put events into it.

Then, an EventBridge rule in each source account routes Amazon Connect events to the default event bus in the DevOps account (cross-account event delivery).

Options A and B describe policies or rules incorrectly applying permissions or routing. Option D mentions replay permissions, which are unrelated to event routing.

https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-abac.html

To archive CloudWatch Logs to S3 with long-term retention, you need:

a streaming mechanism to move data from CloudWatch Logs to S3, and

an S3 Lifecycle policy to handle tiering and expiration.

Option B uses a CloudWatch Logs subscription filter that targets Amazon Data Firehose. Firehose provides managed, scalable streaming from CloudWatch Logs to S3 with optional buffering and transformation. This is the AWS-recommended pattern for exporting continuous log streams with minimal operational overhead. Option C is not valid because CloudWatch Logs subscription filters cannot directly target S3; they must target Kinesis, Firehose, or Lambda.

Once logs are in S3, the company wants to keep them rarely accessed after 90 days and retained for 10 years. Option D configures an S3 lifecycle policy to transition logs to S3 Glacier Instant Retrieval after 90 days, which is a low-cost archival tier with relatively fast access, and to expire (delete) logs after 3,650 days (10 years). This precisely matches the retention requirement.

Option E uses Reduced Redundancy, which is a legacy storage class and not optimized for long-term archival. Therefore, the correct combination is B and D.

The requirement is to deploy a stateless application with multi-Region fault tolerance, ensuring high availability even if an entire AWS Region becomes unavailable. For this design, traffic must be actively served from both Regions, not only during a failure event.

Option C correctly implements an active-active, multi-Region architecture. By deploying the application to both EKS clusters, each Region is capable of serving traffic independently. Using Amazon Route 53 weighted routing, traffic is distributed across both Application Load Balancers, allowing both Regions to handle requests simultaneously. If one Region becomes unhealthy, Route 53 health checks can stop routing traffic to that Region, maintaining availability.

Implementing Kubernetes readiness and liveness probes ensures that traffic is only sent to healthy pods within each cluster. This provides fault tolerance at both the container level (pod health) and the Regional level (Route 53 routing).

Option A uses a failover routing policy, which results in an active-passive design. While fault tolerant, it does not utilize both Regions simultaneously and provides slower recovery during Region failure. Options B and D deploy the application only in the primary Region, which does not meet multi-Region fault tolerance requirements.

Therefore, Option C delivers the most resilient, highly available, and AWS-recommended architecture for a stateless, multi-Region EKS application.

https://docs.aws.amazon.com/glue/latest/dg/components-overview.html

Failed interactive logins such as ConsoleLogin are part of CloudTrail management events, not data events. The most direct, low-overhead design is to stream management events to CloudWatch Logs, then create a metric filter that matches failed ConsoleLogin events (for example, $.eventName = "ConsoleLogin" and $.responseElements.ConsoleLogin = "Failure" or $.errorMessage). That metric is then used as the basis for a CloudWatch alarm. When the alarm threshold (e.g., N failures in a period) is breached, the alarm triggers and sends a notification to the already created SNS topic, which alerts the security team.

Option A follows this recommended pattern: CloudTrail → CloudWatch Logs → Metric Filter → Alarm → SNS. It is fully managed, near real-time, and requires minimal custom logic.

Option B uses Athena with EventBridge to periodically query CloudTrail logs in S3. This introduces more moving parts, more configuration, higher latency, and more operational overhead.

Options C and D incorrectly reference CloudTrail data events and S3 event notifications, which are not the right mechanisms to detect ConsoleLogin failures. Console logins are not S3 events, and using data events would miss these management actions.

Therefore, Option A is the correct and simplest solution.