Amazon Web Services DOP-C02 Exam With Confidence Using Practice Dumps

The following are the steps that the company can take to change the log level dynamically when the deployment occurs:

Create a script that uses the CodeDeploy environment variable DEPLOYMENT_GROUP_NAME to identify which deployment group the instance is part of.

Use this information to configure the log level settings.

Reference this script as part of the BeforeInstall lifecycle hook in the appspec.yml file.

The DEPLOYMENT_GROUP_NAME environment variable is automatically set by CodeDeploy when the deployment is triggered. This means that the script does not need to call the metadata service or the EC2 API to identify the deployment group.

This solution is the least complex and requires the least management overhead. It also does not require different script versions for each deployment group.

The following are the reasons why the other options are not correct:

Option A is incorrect because it would require tagging the Amazon EC2 instances, which would be a manual and time-consuming process.

Option C is incorrect because it would require creating a custom environment variable for each environment. This would be a complex and error-prone process.

Option D is incorrect because it would use the DEPLOYMENT_GROUP_ID environment variable. However, this variable is not automatically set by CodeDeploy, so the script would need to call the metadata service or the EC2 API to get the deployment group ID. This would add complexity and overhead to the solution.

The company’s requirements span preventive governance, account baseline configuration, and continuous compliance monitoring, all with minimal operational overhead. AWS-native, organization-level services are the most efficient way to meet these goals.

To ensure that new accounts do not retain default VPCs and that development is restricted to specific Regions, AWS Control Tower is the correct foundation. However, Control Tower alone does not remove default VPCs. By installing Customizations for AWS Control Tower (CfCT), the company can automatically deploy OU-scoped CloudFormation templates during account provisioning. A simple CloudFormation template can delete default VPCs in all Regions, while Control Tower-managed Region deny guardrails (SCPs) restrict access to only approved Regions. This approach is declarative, repeatable, and tightly integrated with account creation workflows, resulting in low operational overhead.

For CIS AWS Foundations Benchmark compliance monitoring, AWS Security Hub is the purpose-built service. Enabling Security Hub at the organization level and selecting the CIS benchmark automatically evaluates all member accounts against CIS controls and continuously reports findings. This provides centralized visibility and compliance reporting without custom rule development.

Option C introduces custom Lambda automation and EventBridge logic, increasing maintenance burden. Option E is incorrect because Control Tower does not provide full CIS benchmark monitoring; it only offers related detective guardrails.

Therefore, Option B (Control Tower + CfCT) and Option D (Security Hub with CIS benchmark) together provide the most efficient, scalable, and AWS-recommended solution.

The correct answer is C.

Option A is incorrect because creating a new SCP that has two statements, one that allows access to the new range of IP addresses for all the S3 buckets and one that denies access to the old range of IP addresses for all the S3 buckets, is not a valid solution. SCPs are not resource-based policies, and they cannot specify the S3 buckets or the IP addresses as resources or conditions. SCPs can only control the actions that can be performed by the principals in the organization, not the access to specific resources. Moreover, setting a permissions boundary for the OrganizationAccountAccessRole role in the two OUs to deny access to the S3 buckets is not sufficient to revoke the permissions of the two OUs, as there might be other roles or users in those OUs that can still access the S3 buckets.

Option B is incorrect because creating a new SCP that has a statement that allows only the new range of IP addresses to access the S3 buckets is not a valid solution, for the same reason as option A. SCPs are not resource-based policies, and they cannot specify the S3 buckets or the IP addresses as resources or conditions. Creating another SCP that denies access to the S3 buckets and attaching it to the two OUs is also not a valid solution, as SCPs cannot specify the S3 buckets as resources either.

Option C is correct because it meets both requirements of changing the range of IP addresses that have permission to access the contents of the S3 buckets and revoking the permissions of two OUs in the company. On all the S3 buckets, configuring resource-based policies that allow only the new range of IP addresses to access the S3 buckets is a valid way to update the IP address ranges, as resource-based policies can specify both resources and conditions. Creating a new SCP that denies access to the S3 buckets and attaching it to the two OUs is also a valid way to revoke the permissions of those OUs, as SCPs can deny actions such as s3:PutObject or s3:GetObject on any resource.

Option D is incorrect because setting a permissions boundary for the OrganizationAccountAccessRole role in the two OUs to deny access to the S3 buckets is not sufficient to revoke the permissions of the two OUs, as there might be other roles or users in those OUs that can still access the S3 buckets. A permissions boundary is a policy that defines the maximum permissions that an IAM entity can have. However, it does not revoke any existing permissions that are granted by other policies.