Amazon Web Services DOP-C02 - AWS Certified DevOps Engineer - Professional

B. Update the CodeBuild project role with the necessary permissions and then remove the AWS credentials from the environment variable. C. Store the DB_PASSWORD as a SecureString value in AWS Systems Manager Parameter Store and then remove the DB_PASSWORD from the environment variables. E. Use AWS Systems Manager run command versus scp and ssh commands directly to the instance.

Comprehensive and Detailed Explanation From Exact Extract of DevOps Engineer Documents Only:

AWS recommends Application Auto Scaling for ECS services to dynamically adjust the number of running tasks based on Amazon SQS queue metrics such as ApproximateNumberOfMessagesVisible. By using target tracking scaling policies, ECS on Fargate scales automatically when the queue backlog grows and scales down when traffic decreases — a fully managed, cost-efficient solution (see ECS Service Auto Scaling Developer Guide).

https://aws.amazon.com/about-aws/whats-new/2016/09/aws-codedeploy-introduces-deployment-monitoring-with-amazon-cloudwatch-alarms-and-automatic-deployment-rollback/

https://aws.amazon.com/blogs/mt/how-to-centrally-manage-aws-iot-greengrass-devices-using-aws-systems-manager/?force_isolation=true

https://aws.amazon.com/blogs/security/automatically-block-suspicious-traffic-with-aws-network-firewall-and-amazon-guardduty/

To meet the requirements of deploying a workload on several hundred EC2 instances with least-privilege permissions and temporary security credentials, the company should use an IAM role and an instance profile. An IAM role is a way to grant permissions to an entity that you trust, such as an EC2 instance. An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts. By using an IAM role and an instance profile, the EC2 instances can automatically receive temporary security credentials from the AWS Security Token Service (STS) and use them to access the S3 buckets. This way, the company does not need to manage or rotate any long-term credentials, such as IAM users or access keys.

To use an IAM role and an instance profile, the company should create an IAM role that has the appropriate permissions for S3 buckets. The permissions should allow the EC2 instances to read from the source S3 bucket and write to the destination S3 bucket. The company should also create a trust policy for the IAM role that specifies that EC2 is allowed to assume the role. Then, the company should add the IAM role to an instance profile. An instance profile can have only one IAM role, so the company does not need to create multiple roles or profiles for this scenario.

Next, the company should update the launch template to include the IAM instance profile. A launch template is a way to save launch parameters for EC2 instances, such as the instance type, security group, user data, and IAM instance profile. By using a launch template, the company can ensure that all EC2 instances in the Auto Scaling group have consistent configuration and permissions. The company should specify the name or ARN of the IAM instance profile in the launch template. This way, when the Auto Scaling group launches new EC2 instances based on the launch template, they will automatically receive the IAM role and its permissions through the instance profile.

The other options are not correct because they do not meet the requirements or follow best practices. Creating an IAM user and generating a secret key and token is not a good option because it involves managing long-term credentials that need to be rotated regularly. Moreover, embedding credentials in user data is not secure because user data is visible to anyone who can describe the EC2 instance. Creating a trust anchor and profile is not a valid option because trust anchors are used for certificate-based authentication, not for IAM roles or instance profiles. Modifying user data to use a new secret key and token is also not a good option because it requires updating user data every time the credentials change, which is not scalable or efficient.

1: AWS Certified DevOps Engineer - Professional Certification | AWS Certification | AWS

2: DevOps Resources - Amazon Web Services (AWS)

3: Exam Readiness: AWS Certified DevOps Engineer - Professional

IAM Roles for Amazon EC2 - AWS Identity and Access Management

Working with Instance Profiles - AWS Identity and Access Management

Launching an Instance Using a Launch Template - Amazon Elastic Compute Cloud

Temporary Security Credentials - AWS Identity and Access Management

The root cause of the problem is that the RDS PostgreSQL instance is exceeding its database connection limit due to high volumes of concurrent GET requests. The most efficient and lowest-effort remediation is to reduce the number of connections that reach the database and serve as many reads as possible from a cache layer. Option B accomplishes both goals with minimal changes to the existing architecture.

First, RDS Proxy manages database connections efficiently by pooling and reusing them. This reduces connection churn and prevents the Lambda function from opening excessive concurrent connections during traffic spikes. RDS Proxy is natively integrated with RDS and requires only minor configuration changes without altering application logic.

Second, enabling API Gateway caching allows caching GET responses directly at the API layer. Because over 90% of requests are GET operations, enabling caching drastically reduces traffic hitting both Lambda and RDS, significantly improving performance and lowering connection pressure.

Option C also improves read scaling, but adding ElastiCache introduces additional infrastructure and requires modifying application code to query Redis before querying the database. This is more complex than enabling API Gateway caching. Options A and D require full database migration, which is far more labor-intensive.

Option B is the simplest, most effective, and most aligned with AWS best practices for reducing RDS connection saturation.

The following are the steps that the company can take to change the log level dynamically when the deployment occurs:

Create a script that uses the CodeDeploy environment variable DEPLOYMENT_GROUP_NAME to identify which deployment group the instance is part of.

Use this information to configure the log level settings.

Reference this script as part of the BeforeInstall lifecycle hook in the appspec.yml file.

The DEPLOYMENT_GROUP_NAME environment variable is automatically set by CodeDeploy when the deployment is triggered. This means that the script does not need to call the metadata service or the EC2 API to identify the deployment group.

This solution is the least complex and requires the least management overhead. It also does not require different script versions for each deployment group.

The following are the reasons why the other options are not correct:

Option A is incorrect because it would require tagging the Amazon EC2 instances, which would be a manual and time-consuming process.

Option C is incorrect because it would require creating a custom environment variable for each environment. This would be a complex and error-prone process.

Option D is incorrect because it would use the DEPLOYMENT_GROUP_ID environment variable. However, this variable is not automatically set by CodeDeploy, so the script would need to call the metadata service or the EC2 API to get the deployment group ID. This would add complexity and overhead to the solution.

ï‚· Step 1: Attaching the CloudWatchAgentServerPolicy to the IAM Role

The CloudWatch agent needs permissions to collect and send metrics, including memory metrics, to Amazon CloudWatch. You can attach the CloudWatchAgentServerPolicy managed IAM policy to the IAM instance profile or service account role to grant these permissions.

Action: Attach the CloudWatchAgentServerPolicy managed IAM policy to the IAM instance profile that the EKS cluster uses.

Why: This ensures the CloudWatch agent has the necessary permissions to collect memory metrics.