Amazon Web Services DOP-C02 Exam With Confidence Using Practice Dumps

Container restart failures require detailed observability into pod-level, node-level, and container-level metrics and logs. CloudWatch Container Insights is purpose-built for Kubernetes operational diagnostics and provides granular visibility into CPU, memory, network I/O, disk I/O, container restarts, OOM kills, throttling, pod lifecycle issues, and Kubernetes control plane behaviors.

The CloudWatch Observability add-on deploys Fluent Bit and the CloudWatch Agent directly into the EKS cluster as DaemonSets. These components automatically collect:

Container logs

Pod metrics

Node metrics

Cluster events

OOM errors

CrashLoopBackOff restart cycles

Control plane request anomalies

With this data, the DevOps engineer can easily identify misconfigurations, resource bottlenecks, unhealthy nodes, failing containers, or image pull issues.

Option A (dashboards only) lacks per-container diagnostic data.

Option B (CloudTrail) only logs API calls — not useful for restart debugging.

Option C (CloudTrail Insights) only detects anomalous API usage, not container failures.

Therefore, CloudWatch Container Insights is the correct and AWS-recommended solution for diagnosing container restart failures in EKS.

The question focuses on detecting supply chain attacks that bypass CI/CD controls and result in malicious runtime behavior in the deployed serverless application. This requires runtime threat detection , not just static scanning or infrastructure validation.

Amazon GuardDuty is AWS’s managed threat detection service. GuardDuty now includes Lambda Protection , which analyzes Lambda function behavior, including network calls, IAM API usage, and other signals to detect compromised functions, crypto-mining, data exfiltration, and other malicious activity. GuardDuty automatically ingests CloudTrail, VPC Flow Logs (if enabled), and other telemetry without requiring code changes or agents. Findings are published and can be routed to Amazon EventBridge for near real-time notifications or automated remediation.

Option A (AWS WAF) only inspects HTTP requests to API Gateway and is focused on known bad patterns, not deeper behavioral anomalies. Option C (CloudFormation Guard) is focused on infrastructure-as-code validation in the pipeline, which explicitly does not help once malicious code is deployed. Option D (Network Firewall with Emerging Threats rules) protects VPC traffic, but serverless components like Lambda and API Gateway may not all traverse that firewall, and it is not targeted at function-level behavior.

Hence, enabling GuardDuty with Lambda Protection and using EventBridge notifications is the correct solution.

AWS Control Tower provides an integrated governance framework that combines both preventive controls, implemented as Service Control Policies at the OU level, and detective controls, implemented as AWS Config rules applied across all enrolled accounts. Control Tower automatically applies these guardrails to all accounts in enrolled OUs. When new accounts are provisioned through Account Factory, they are automatically enrolled in the assigned OU and receive all applicable preventive and detective controls immediately without manual intervention. Option A uses only SCPs, covering only preventive controls without built-in detective capabilities. Option C requires manually updating stack sets when new accounts are created and does not provide preventive controls via SCPs. Option D provides only detective controls through Config rules with no preventive guardrails. Control Tower is the only option that natively handles both control types and automatically governs newly created accounts.

================