Amazon Web Services Updated DOP-C02 Exam Questions and Answers by mary

Failed interactive logins such as ConsoleLogin are part of CloudTrail management events , not data events. The most direct, low-overhead design is to stream management events to CloudWatch Logs , then create a metric filter that matches failed ConsoleLogin events (for example, $.eventName = " ConsoleLogin " and $.responseElements.ConsoleLogin = " Failure " or $.errorMessage ). That metric is then used as the basis for a CloudWatch alarm . When the alarm threshold (e.g., N failures in a period) is breached, the alarm triggers and sends a notification to the already created SNS topic, which alerts the security team.

Option A follows this recommended pattern: CloudTrail → CloudWatch Logs → Metric Filter → Alarm → SNS. It is fully managed, near real-time, and requires minimal custom logic.

Option B uses Athena with EventBridge to periodically query CloudTrail logs in S3. This introduces more moving parts, more configuration, higher latency, and more operational overhead.

Options C and D incorrectly reference CloudTrail data events and S3 event notifications, which are not the right mechanisms to detect ConsoleLogin failures. Console logins are not S3 events, and using data events would miss these management actions.

Therefore, Option A is the correct and simplest solution.

To restore the functionality of the Auto Scaling group after the AMI was deleted, the DevOps engineer needs to create a new AMI and update the Auto Scaling group to use it. The DevOps engineer can create a new AMI by copying the most recent public AMI of the operating system that the EC2 instances use. This will ensure that the new AMI has the same operating system as the custom AMI that was deleted. The DevOps engineer can then create a new launch template that uses the new AMI and update the Auto Scaling group to use the new launch template. This will allow the Auto Scaling group to launch new instances with the new AMI.

Exporting logs using CloudWatch subscription filters + Firehose → S3 enables long-term archival. S3 lifecycle transitions optimize cost with Standard-IA (low-latency) and Deep Archive (long-term retention). This matches AWS best practice for cost-effective log retention.

The requirements describe a classic attribute-based access control (ABAC) model using AWS IAM. The company already has consistent tagging across users and resources, which is ideal for ABAC and least-privilege enforcement at scale.

First, Option A is required because IAM roles should represent job functions (developer vs. database administrator) and be scoped per project. Creating separate roles per project and job function allows permissions to be isolated cleanly and prevents cross-project access.

Second, Option B enforces project-level isolation at the policy level . By modifying the existing job-function policies to include a StringEquals condition that compares aws:ResourceTag/Project with aws:PrincipalTag/Project, access is automatically limited to only those resources that belong to the same project as the user. This is an AWS-recommended ABAC pattern and avoids policy sprawl.

Third, Option C is required so users can assume roles only when their tags match the role’s tags . An IAM policy attached to users that allows sts:AssumeRole only if both project and job function tags match ensures users cannot assume roles outside their assigned scope.

Options D, E, and F either misapply policies to the wrong entities, misuse tagging on policies (which IAM does not evaluate for authorization), or introduce unnecessary group-based management that conflicts with the ABAC design.

Therefore, A, B, and C together provide least privilege, project isolation, and scalable access control with minimal ongoing administration.