AWS Certified DevOps Engineer - Professional (DOP-C02)

Increasing retry attempts does not reduce the number of error-free records retried; it typically increases it. With Kinesis batch retries, the whole batch is retried when any record causes a failure, so more retries means more duplicate sends to the ERP endpoint and a higher chance that good records eventually land in the DLQ after repeated failures. This can also increase downstream load and complicate idempotency.

Increasing parallelization factor increases the number of concurrent batches processed per shard, improving throughput and reducing lag. However, it does not change the fundamental behavior that a single failing record causes the entire batch to be retried. Therefore, it will not reduce the number of good records retried or sent to the DLQ; it may even increase duplicate deliveries to the ERP endpoint under failure conditions.

Decreasing maximum record age causes Lambda to stop retrying older records sooner and send them to the on-failure destination earlier. This does not isolate the failing record within a batch; instead, it can increase the number of records (including valid ones) that are discarded to the DLQ because the batch keeps failing and ages out. It reduces recovery time at the cost of higher data loss/noise.

Route 53 health checks can provide failover between Regional API endpoints, but this design uses separate, Region-local DynamoDB tables with no replication mechanism. That fails the requirement for active-active operation with writes available in both Regions and consistent data across Regions. It also creates operational complexity for reconciliation and can lead to divergent state during partial outages.

This is effectively active-passive with a custom failover mechanism. Running a Lambda every 5 minutes to probe health and update Route 53 is slower than native Route 53 health checks and introduces additional failure modes and propagation delays. It also conflicts with the requirement for automatic failover and high availability (99.99%), where you want built-in health checks and active-active traffic handling.

A single API Gateway in us-east-1 is not multi-Region and becomes a single point of failure and latency bottleneck for EU merchants. API Gateway cannot transparently “forward” requests to a Lambda in another Region as a native closest-Region feature; cross-Region invocation would add latency and complexity. A single-Region DynamoDB table also does not meet the requirement for multi-Region active-active writes.

DeletionPolicy: Delete only tells CloudFormation what to do with the resource when the stack is deleted, but it does not override S3’s requirement that a bucket must be empty before deletion. With versioning enabled, delete markers and old versions still count as contents. The stack will still fail with DELETE_FAILED if objects/versions remain, so this does not solve the root cause.

Manually emptying the bucket (including versions) will work, but it is not efficient and does not meet the requirement for automatic removal. It introduces operational toil and risk of inconsistent cleanup, especially for nightly proof-of-concept stacks. Certification questions typically penalize manual steps when an automated IaC-based approach is feasible.

Replacing the solution with CodePipeline is unnecessary and does not address the core issue: S3 bucket deletion requires emptying versioned contents. A pipeline stage for teardown is an anti-pattern for simple stack lifecycle management and adds complexity, cost, and maintenance. CloudFormation already orchestrates resource creation/deletion; the missing piece is automated bucket cleanup, best handled by a custom resource.

Incorrect. Single-AZ Aurora clusters in multiple Regions do not provide continuous replication between Regions, so RPO is not assured. Single-AZ also reduces availability within each Region and increases recovery time for AZ-level failures. “Aurora automatic recovery” primarily addresses instance/storage failures within a Region, not cross-Region disaster recovery with guaranteed RPO/RTO targets.

Incorrect. You cannot place independent Aurora clusters behind an NLB to distribute SQL traffic across Regions as if they were interchangeable endpoints; this would not provide consistent reads/writes and would create data divergence without a supported multi-writer architecture. Aurora does not support active/active multi-Region writers in this manner, and NLB is not a database replication or consistency mechanism.

This option is not the expected exam answer, but the explanation should be more precise. AWS Global Accelerator can provide fast cross-Region failover for the application tier by routing users to healthy ALB endpoints in another Region, so from a pure application-availability perspective it can support the required RTO. However, the question asks for a deployment strategy combination typically associated with disaster recovery, and Route 53 failover routing is the more canonical AWS DR pattern tested for regional failover. In addition, the wording about placing both ALBs in a single endpoint group is not the usual multi-Region design pattern, which makes D the clearer and more standard choice for the application component.

Incorrect. AmazonRDSFullAccess is an IAM policy. IAM permissions cannot override an explicit Deny from an SCP. The error explicitly states the action was blocked by an Organizations SCP, so adding more IAM permissions (even admin) will not help until the SCP no longer denies rds:CreateDBInstance.

Incorrect. Attaching a new SCP that allows RDS to the ext-ml account does not override the analytics OU SCP’s explicit Deny. SCPs combine as guardrails, and explicit Deny in any applicable SCP still blocks the action. You would need to remove/modify the deny condition in the OU SCP (or move the account).

Incorrect. A root OU SCP that allows all actions does not cancel a child OU SCP’s explicit Deny. SCP evaluation requires the action to be permitted by all applicable SCP constraints; any explicit Deny still wins. Therefore, adding an allow-RDS SCP at the root will not enable RDS in an OU that explicitly denies it.

Incorrect. Using AWS Health as the event source is the right starting point, but targeting AWS-RestartEC2Instance directly from EventBridge causes the automation to run as soon as the event is received. That means the reboot would happen immediately instead of waiting for the approved Sunday 01:00–03:00 UTC maintenance window. The option therefore fails the core scheduling requirement even though the source service is appropriate.

Incorrect. Systems Manager maintenance window events are not the correct trigger for detecting scheduled instance retirement or underlying host maintenance notifications. The impacted resources and maintenance requirement originate from AWS Health, not from the maintenance window itself. This option also does not explain how the specific affected EC2 instances would be identified and passed to the restart automation.

Incorrect. EC2 instance state-change notifications are not the authoritative signal for upcoming scheduled retirement or host maintenance actions. Those notifications come from AWS Health and are published before the disruptive event so remediation can be planned. Although Lambda could register a maintenance window task, this option starts from the wrong event source and may miss the required proactive handling.

Incorrect. AWS Config rules evaluate resource compliance and can trigger notifications/remediation, but they are not designed to distribute a versioned file to EC2 instances. Putting file content in InputParameters is not a practical or intended mechanism for instance bootstrapping. Systems Manager Resource Data Sync does not “poll for configuration updates” to apply changes; it syncs inventory/compliance data to S3 for reporting.

Partially correct idea (cfn-init + cfn-hup), but incorrect placement. Embedding the file content in the EC2 launch template is not what cfn-hup monitors; cfn-hup watches CloudFormation resource metadata changes. If the config is only in the launch template data, existing instances will not automatically update from stack changes unless you also manage it via CloudFormation::Init metadata and re-run cfn-init.

Incorrect. Embedding config in the launch template only affects newly launched instances; it does not update already-running instances within 3 minutes without replacement. Additionally, Systems Manager Resource Data Sync is not a configuration distribution mechanism and will not apply file changes to instances. This option fails both the in-place update requirement and the correct use of SSM features.

Incorrect. Switching the ALB listener to tg-green before the rolling update means traffic is sent to instances that may be launching, failing health checks, or running the old/partial version. Because ALB only routes to healthy targets, you could see reduced capacity or 5xx/connection issues during deployment, violating the requirement for minimal impact during the cutover.

Incorrect. Updating the blue launch template and rolling api-blue-asg is a rolling deployment, not a blue/green cutover. It does not provide an instantaneous 100% traffic shift; instead, it gradually replaces instances behind the same target group. This increases risk (mixed versions serving traffic) and can exceed the 30-second impact requirement if any instance replacement causes capacity dips or errors.

Incorrect. Changing Route 53 to point to a “green endpoint” relies on DNS caching and propagation behavior outside AWS control. Even with a 300-second TTL, clients and resolvers may retain cached records longer, and existing TCP/TLS sessions to the ALB won’t immediately move. The requirement explicitly forbids relying on DNS propagation for the cutover.

CloudFormation service roles can standardize permissions, but this does not prevent teams from using arbitrary/raw CloudFormation templates; they could still submit any template they want. CloudFormation drift detection is also not an always-on, centralized multi-account/multi-Region compliance mechanism; it is stack-scoped and typically initiated on demand. It also won’t cover resources not managed by stacks.

AWS Config managed rules can detect noncompliant configurations across accounts/Regions (with an aggregator), but this option fails the governance requirement: it still allows teams to deploy CloudFormation stacks directly from raw templates. A service role only controls what CloudFormation can do, not what templates users are allowed to submit. The question explicitly requires provisioning only through pre-approved blueprints and preventing raw template usage.

Service Catalog helps with approved products, and template constraints can restrict parameter values, but this does not address centralized, continuous drift/compliance detection across 14 accounts and 6 Regions. CloudFormation drift detection events are limited to stack drift (not broader configuration compliance), and relying on EventBridge notifications from drift detection presumes drift detection is being run and does not provide the same comprehensive, aggregated compliance view as AWS Config.

Incorrect. The DR account does not need to read from the source account’s backup vault for cross-account copy. The copy is initiated by AWS Backup based on the backup plan and writes into the destination vault. The key authorization point for the vault is on the destination vault policy (allowing write), not on the source vault policy granting read.

Incorrect. Backup vault policies do not grant access to KMS keys in another account. KMS authorization is controlled by the KMS key policy (and possibly grants), not by the backup vault access policy. You must update the destination CMK policy in the DR account to allow AWS Backup (and the source account context) to use it.

Incorrect. Sharing the source account CMK (alias/ops-backup) with the DR account is not the primary requirement for cross-account copy into a DR vault encrypted with a DR-owned CMK. AWS Backup copies and re-encrypts the recovery point using the destination vault’s encryption key. The missing permission is typically on the destination vault policy and destination CMK policy.

Incorrect. CodeBuild does not provide a security control called a custom “AllowedBuckets” setting that enforces S3 authorization. Even if you switch to the AWS CLI, you still must remove public access and ensure the bucket policy/IAM permissions are correctly configured. This option is vague and does not explicitly meet the requirement to block public access and enforce IAM-based authentication.

Incorrect. S3 does not support “HTTPS basic authentication” as a native bucket feature. Using cURL with a static token also violates the requirement that no long-term credentials be stored in the build environment. This approach introduces secret management risk and is not aligned with AWS best practices for service-to-service authentication.

Incorrect. Embedding an IAM access key and secret access key as environment variables is explicitly disallowed (“no long-term credentials”). It also increases blast radius if leaked via logs, misconfiguration, or compromised build containers. The secure pattern is to use the CodeBuild service role with temporary credentials, not static IAM user keys.

This is an improvised pipeline (FSx NFS -> S3 -> CRR) that adds complexity and likely fails the intent of “file storage” DR for an NFS-mounted application. It changes the storage interface (NFS to object) and requires custom logic to detect/copy changes, handle deletes, permissions, and consistency. It may not reliably meet a 10-minute RPO and is not an FSx for ONTAP DR pattern.

AWS Backup supports FSx for ONTAP backups and cross-Region copy, but a 10-minute backup frequency is generally impractical and may not be supported as a standard plan frequency for this workload, and backup/restore is not the same as near-real-time replication. Even if scheduled frequently, backup jobs and copy jobs introduce latency and operational uncertainty, risking violation of the 10-minute RPO.

This targets the wrong data. The question states no application data resides on EKS nodes, and instance store volumes are ephemeral and cannot be snapshotted to EBS snapshots. Even if the nodes used EBS, snapshotting worker nodes would not capture the shared NFS state on FSx for ONTAP. This option is both technically flawed and misaligned with the stated architecture.

Incorrect. Creating a new ECR repository in Account B directly violates the requirement that images must continue to be pulled from the single ECR repository in Account A (no duplicate repositories). While the endpoints would help with private connectivity, this option changes the source of truth to a local repo in Account B, which is explicitly disallowed by compliance requirements.

Incorrect. Cross-account repository policy and IAM permissions are necessary but not sufficient because Account B’s production VPC has no IGW or NAT. Without VPC endpoints, the EKS nodes cannot reach the ECR API/registry endpoints or S3 to download image layers. Image pulls would fail due to lack of network path, and traffic would not be constrained to the AWS private network.

Incorrect. ECR private image replication would create a copy of the repository/images in Account B (a destination repository), which violates the requirement that no replication or duplicate repositories are allowed and that images must continue to be pulled from the single repository in Account A. Replication is a common best practice for multi-account resiliency, but it is explicitly prohibited here.

Incorrect. AWS X-Ray is an application performance monitoring (APM) and distributed tracing service used to analyze request flows and latency across microservices. It does not query CSV data in S3, manage table metadata, or provide BI dashboards. It might be used to trace an ingestion pipeline application, but it does not meet the SQL analytics and visualization requirements described.

Incorrect for “least effort.” Amazon Redshift can query large datasets and supports BI dashboards, but it typically requires more setup: provisioning/operating a cluster (or configuring Redshift Serverless), designing schemas, and often loading/transforming data (COPY/ETL) for best performance. For hourly CSV files already in S3 and ad hoc queries, Athena is simpler and more serverless.

Incorrect. Amazon DynamoDB is a NoSQL key-value/document database and is not a native metastore for Athena/Presto-style SQL querying. Using DynamoDB to store schema/partition metadata would require building and maintaining custom logic to keep it synchronized and would not integrate seamlessly with Athena and QuickSight the way the Glue Data Catalog does.

CloudTrail + Athena is primarily a log analytics approach and is not a strong near-real-time compliance control. Athena queries are typically scheduled/batch and don’t guarantee notification within 5 minutes unless you build additional orchestration. It also doesn’t prevent developers from making snapshots public; it only detects attempts/events after the fact. Remediation via Lambda is possible, but this option is weaker and more complex than Config + explicit deny guardrails.

Removing the permission by simply “not granting” it is not a durable guardrail; future policy changes could accidentally add it back, and other principals might still have it. A Lambda scheduled every 5 minutes is polling-based, adds operational overhead, and can miss changes between runs or fail silently. AWS Config is purpose-built for continuous compliance and integrates cleanly with alerting, making this option inferior.

RDS DB snapshots do not have IAM roles attached, so the premise is incorrect. IAM permissions are attached to principals (users/roles), not to snapshots as resource-attached roles. While AWS Config can check for public snapshots, the described mechanism (verifying snapshots have roles with deny statements) is not feasible. This option reflects a misunderstanding of IAM’s permission model and how RDS snapshots are controlled.