Amazon Web Services Updated DOP-C02 Exam Questions and Answers by rehmat

To meet the requirements of failover and disaster recovery, the company should use the following deployment strategies:

Create an Amazon Aurora global database in two AWS Regions as the data store. In the event of a failure, promote the secondary Region to the primary for the application. Update the application to use the Aurora cluster endpoint in the secondary Region. This strategy can provide a low RPO and RTO for the data, as Aurora global database replicates data with minimal latency across Regions and allows fast and easy failover12. The company can use the Amazon Aurora cluster endpoint to connect to the current primary DB cluster without needing to change any application code1.

Set up the application in two AWS Regions. Configure AWS Global Accelerator to point to Application Load Balancers (ALBs) in both Regions. Add both ALBs to a single endpoint group. Use health checks and Auto Scaling groups in each Region. This strategy can provide high availability and performance for the application, as AWS Global Accelerator uses the AWS global network to route traffic to the closest healthy endpoint3. The company can also use static IP addresses that are assigned by Global Accelerator as a fixed entry point for their application1. By using health checks and Auto Scaling groups, the company can ensure that their application can scale up or down based on demand and handle any instance failures4.

The other options are incorrect because:

Creating an Amazon Aurora Single-AZ cluster in multiple AWS Regions as the data store would not provide a fast failover or disaster recovery solution, as the company would need to manually restore data from backups or snapshots in another Region in case of a failure.

Creating an Amazon Aurora cluster in multiple AWS Regions as the data store and using a Network Load Balancer to balance the database traffic in different Regions would not work, as Network Load Balancers do not support cross-Region routing. Moreover, this strategy would not provide a consistent view of the data across Regions, as Aurora clusters do not replicate data automatically between Regions unless they are part of a global database.

Setting up the application in two AWS Regions and using Amazon Route 53 failover routing that points to Application Load Balancers in both Regions would not provide a low RTO, as Route 53 failover routing relies on DNS resolution, which can take time to propagate changes across different DNS servers and clients. Moreover, this strategy would not provide deterministic routing, as Route 53 failover routing depends on DNS caching behavior, which can vary depending on different factors.

Step 1: Using Native Git in CodeBuildTo meet the requirement of running unit tests and tagging the most recent commit if the tests pass, the CodeBuild project should be configured to use native Git to clone the CodeCommit repository. Native Git support allows full functionality for managing the repository, including the ability to create and push tags.

Action: Configure the CodeBuild project to use native Git to clone the repository and run the tests.

Why: Using native Git provides flexibility for managing tags and other repository operations after the tests are successfully executed.

Step 2: Tagging the Most Recent CommitOnce the unit tests pass, the CodeBuild project can use native Git to create a tag for the most recent commit and push that tag to the repository. This ensures that the tagged commit is linked to the test results.

Action: Configure the project to use native Git to create and push a tag to the repository if the tests pass.

Why: This ensures the correct commit is tagged automatically, streamlining the workflow.

The company requires an organization-wide, centralized, and automated solution to detect sensitive data in Amazon S3, aggregate findings in one location, and quarantine affected objects with minimal operational overhead. AWS provides a native service specifically designed for this purpose: Amazon Macie.

Option A is essential because Amazon Macie automatically discovers and classifies sensitive data such as PII in S3 buckets using managed machine learning models. When enabled at the organization level, Macie scans buckets across all accounts and Regions. Integrating Macie with AWS Security Hub centralizes all findings in a single dashboard, allowing the company’s security officer to review and manage sensitive data alerts across the organization without building custom aggregation pipelines.

Detection alone is not sufficient; remediation is also required. Option C completes the solution by using Amazon EventBridge, which natively receives Macie findings in near real time. An EventBridge rule can trigger a Lambda function whenever Macie identifies sensitive data. The Lambda function can then copy the affected object to a quarantine S3 bucket and delete the original object, meeting the remediation requirement automatically and consistently.

Option D requires custom sensitive data detection logic, which is complex, error-prone, and unnecessary given Macie’s capabilities. Option E is invalid because SCPs cannot inspect or move data. Option B does not detect sensitive information.

Therefore, A and C together provide the most efficient, scalable, and AWS-recommended solution.

AWS Secrets Manager is a secrets management service that helps you protect access to your applications, services, and IT resources. This service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Using Secrets Manager, you can secure and manage secrets used to access resources in the AWS Cloud, on third-party services, and on-premises. SSM parameter store and AWS Secret manager are both a secure option. However, Secrets manager is more flexible and has more options like password generation. Reference: https://www.1strategy.com/blog/2019/02/28/aws-parameter-store-vs-aws-secrets-manager/