DOP-C02 Exam Dumps : AWS Certified DevOps Engineer - Professional

Configure the Systems Manager Document to Use the aws-downloadContent Plugin with a sourceType of GitHub and sourcelnfo with the Repository Details:

The aws-downloadContent plugin can download content from various sources, including GitHub, which is necessary for bootstrapping the laptops with the code stored in the GitHub repository.

schemaVersion: '2.2'

description: "Download and run bootstrap script from GitHub"

mainSteps:

- action: aws:downloadContent

name: downloadBootstrapScript

inputs:

sourceType: GitHub

sourceInfo: '{"owner":"my-org","repository":"my-repo","path":"scripts/bootstrap.sh","getOptions":"branch:main"}'

destinationPath: /tmp/bootstrap.sh

- action: aws:runShellScript

name: runBootstrapScript

inputs:

runCommand:

- chmod +x /tmp/bootstrap.sh

- /tmp/bootstrap.sh

This setup ensures that the bootstrap code is downloaded from GitHub and executed on the laptops using Systems Manager.

Only the Organizations management account (or roles in that account) can call organizations:CreateAccount directly. When moving the Lambda function to a different (dedicated) account, the correct pattern is to perform cross-account role assumption into a role that resides in the management account and has tightly scoped Organizations permissions.

Option A describes exactly this:

Create an IAM role in the management account with only the required Organizations permissions (for example, organizations:CreateAccount and related read permissions).

Configure the trust policy on that role to allow it to be assumed by the Lambda execution role in the new account.

Update the Lambda code to call sts:AssumeRole into the management-account role before invoking the Organizations API.

This approach ensures that:

The Lambda function can create new accounts, but only via the management account.

The Lambda execution role in the dedicated account has no direct Organizations permissions; it only has permission to assume the specific role.

Option B is incorrect because “delegated administration for Organizations” in the generic sense is not how CreateAccount is exposed; account creation remains a management-account responsibility. Options C and D either misconfigure trust or introduce unnecessary Control Tower complexity. Cross-account assume-role from the dedicated account into the management account is the correct and least-privilege solution.

These solutions will meet the requirement because they will prevent the loss of notification messages in the future. An Amazon SQS queue is a service that provides a reliable, scalable, and secure message queue for asynchronous communication between distributed components. You can use an SQS queue to buffer messages from an SNS topic and ensure that they are delivered and processed by a Lambda function, even if the function or the database is temporarily unavailable.

Option C will configure an SQS dead-letter queue for the SNS topic. A dead-letter queue is a queue that receives messages that could not be delivered to any subscriber after a specified number of retries. You can use a dead-letter queue to store and analyze failed messages, or to reprocess them later. This way, you can avoid losing messages that could not be delivered to the Lambda function due to network errors, throttling, or other issues.

Option D will subscribe an SQS queue to the SNS topic and configure the Lambda function to process messages from the SQS queue. This will decouple the SNS topic from the Lambda function and provide more flexibility and control over the message delivery and processing. You can use an SQS queue to store messages from the SNS topic until they are ready to be processed by the Lambda function, and also to retry processing in case of failures. This way, you can avoid losing messages that could not be processed by the Lambda function due to database errors, timeouts, or other issues.