DOP-C02 Exam Dumps : AWS Certified DevOps Engineer - Professional

Step 1: Sending AWS WAF Logs to CloudWatch LogsAWS WAF allows you to log requests that are evaluated against your web ACLs. These logs can be sent directly to CloudWatch Logs, which enables real-time monitoring and analysis.

Action: Configure the AWS WAF web ACL to send log messages to a CloudWatch Logs log group.

Why: This allows the operations team to view the logs in real time and analyze patterns using CloudWatch metric filters.

The best solution to log and review all stopped tasks for errors is to use Amazon EventBridge and Amazon CloudWatch Logs. Amazon EventBridge allows the DevOps engineer to create a rule that matches task state change events from Amazon ECS. The rule can then send the event data to Amazon CloudWatch Logs as the target. Amazon CloudWatch Logs can store and monitor the log data, and also provide CloudWatch Logs Insights, a feature that enables the DevOps engineer to interactively search and analyze the log data. Using CloudWatch Logs Insights, the DevOps engineer can filter and aggregate the log data based on various fields, such as cluster, task, container, and reason. This way, the DevOps engineer can easily identify and investigate the stopped tasks and their errors.

The other options are not as effective or efficient as the solution in option A. Option B is not suitable because the embedded metric format is designed for custom metrics, not for logging task state changes. Option C is not feasible because the EC2 instances do not store the task state change events in their logs. Option D is not relevant because the EC2_INSTANCE_TERMINATING lifecycle hook is triggered when an EC2 instance is terminated by the Auto Scaling group, not when a task is stopped by Amazon ECS.

Creating a CloudWatch Events Rule That Triggers on an Event - Amazon Elastic Container Service

Sending and Receiving Events Between AWS Accounts - Amazon EventBridge

Working with Log Data - Amazon CloudWatch Logs

Analyzing Log Data with CloudWatch Logs Insights - Amazon CloudWatch Logs

Embedded Metric Format - Amazon CloudWatch

Amazon EC2 Auto Scaling Lifecycle Hooks - Amazon EC2 Auto Scaling

Comprehensive & Detailed Explanation (150–250 words):

Amazon GuardDuty provides built-in, fully managed threat detection for AWS accounts and workloads, including automatic detection of cryptocurrency mining activity, compromised EC2 instances, command-and-control traffic patterns, and anomalous behaviors. GuardDuty includes multiple threat identifiers such as EC2:CryptoCurrencyActivity.BitcoinToolDetected and EC2:UnauthorizedAccess.CryptoMining. Because this capability is native and requires no custom detection logic, it provides the lowest development and operational overhead compared to alternatives.

When GuardDuty generates a finding, it publishes the event automatically to Amazon EventBridge. The DevOps engineer can create an EventBridge rule that matches the specific mining-related finding types. The target of the rule is an AWS Lambda function that parses instance details from the finding and calls TerminateInstances on the affected EC2 instance.

This enables real-time automated remediation without needing recurring scans, log parsing, or complex data queries.

Options A and B require building custom detection pipelines and maintaining periodic Lambda polling, increasing long-term complexity. Option D (Security Hub) aggregates findings but still relies on GuardDuty for detection, adding unnecessary overhead.

Therefore, GuardDuty + EventBridge + Lambda termination is the easiest, quickest, and most AWS-recommended solution following incident-response best practices.