Amazon Web Services Updated DOP-C02 Exam Questions and Answers by hari

Creating an AWS CodeCommit repository for each project, using the main branch for production code, and creating a testing branch for code deployed to testing will meet the requirements. AWS CodeCommit is a managed revision control service that hosts Git repositories and works with all Git-based tools1. By using feature branches to develop new features and pull requests to merge code to testing and main branches, the developers can avoid code conflicts and lost work, and also implement code reviews and approvals. Option B is incorrect because creating another S3 bucket for each project for testing code and using an AWS Lambda function to promote code changes between testing and production buckets will not provide the benefits of revision control, such as tracking changes, branching, merging, and collaborating. Option C is incorrect because using the main branch for production and test code with different deployment pipelines for each environment will not allow the developers to test their code changes before deploying them to production. Option D is incorrect because enabling versioning and branching on each S3 bucket will not work with Git-based tools and will not provide the same level of revision control as AWS CodeCommit. References:

AWS CodeCommit

Certified DevOps Engineer - Professional (DOP-C02) Study Guide (page 182)

The question focuses on detecting supply chain attacks that bypass CI/CD controls and result in malicious runtime behavior in the deployed serverless application. This requires runtime threat detection , not just static scanning or infrastructure validation.

Amazon GuardDuty is AWS’s managed threat detection service. GuardDuty now includes Lambda Protection , which analyzes Lambda function behavior, including network calls, IAM API usage, and other signals to detect compromised functions, crypto-mining, data exfiltration, and other malicious activity. GuardDuty automatically ingests CloudTrail, VPC Flow Logs (if enabled), and other telemetry without requiring code changes or agents. Findings are published and can be routed to Amazon EventBridge for near real-time notifications or automated remediation.

Option A (AWS WAF) only inspects HTTP requests to API Gateway and is focused on known bad patterns, not deeper behavioral anomalies. Option C (CloudFormation Guard) is focused on infrastructure-as-code validation in the pipeline, which explicitly does not help once malicious code is deployed. Option D (Network Firewall with Emerging Threats rules) protects VPC traffic, but serverless components like Lambda and API Gateway may not all traverse that firewall, and it is not targeted at function-level behavior.

Hence, enabling GuardDuty with Lambda Protection and using EventBridge notifications is the correct solution.

 Step 1: Attaching the CloudWatchAgentServerPolicy to the IAM Role

The CloudWatch agent needs permissions to collect and send metrics, including memory metrics, to Amazon CloudWatch. You can attach the CloudWatchAgentServerPolicy managed IAM policy to the IAM instance profile or service account role to grant these permissions.

Action: Attach the CloudWatchAgentServerPolicy managed IAM policy to the IAM instance profile that the EKS cluster uses.

Why: This ensures the CloudWatch agent has the necessary permissions to collect memory metrics.