DOP-C02 Exam Dumps : AWS Certified DevOps Engineer - Professional

To restrict direct access to API Gateway, add a custom header in the CloudFront distribution origin request and use a Lambda authorizer in API Gateway to validate that header. Only requests routed through CloudFront will include this header. This is the AWS-recommended pattern in “Secure your APIs behind CloudFront using custom headers and Lambda authorizers.”

The company requires an organization-wide, centralized, and automated solution to detect sensitive data in Amazon S3, aggregate findings in one location, and quarantine affected objects with minimal operational overhead. AWS provides a native service specifically designed for this purpose: Amazon Macie.

Option A is essential because Amazon Macie automatically discovers and classifies sensitive data such as PII in S3 buckets using managed machine learning models. When enabled at the organization level, Macie scans buckets across all accounts and Regions. Integrating Macie with AWS Security Hub centralizes all findings in a single dashboard, allowing the company’s security officer to review and manage sensitive data alerts across the organization without building custom aggregation pipelines.

Detection alone is not sufficient; remediation is also required. Option C completes the solution by using Amazon EventBridge, which natively receives Macie findings in near real time. An EventBridge rule can trigger a Lambda function whenever Macie identifies sensitive data. The Lambda function can then copy the affected object to a quarantine S3 bucket and delete the original object, meeting the remediation requirement automatically and consistently.

Option D requires custom sensitive data detection logic, which is complex, error-prone, and unnecessary given Macie’s capabilities. Option E is invalid because SCPs cannot inspect or move data. Option B does not detect sensitive information.

Therefore, A and C together provide the most efficient, scalable, and AWS-recommended solution.

Use routing configuration on an alias to send a portion of traffic to a second function version. For example, you can reduce the risk of deploying a new version by configuring the alias to send most of the traffic to the existing version, and only a small percentage of traffic to the new version.

The following are the steps involved in the deploy stage configuration that will meet the requirements:

Use AWS CodeBuild to add sample event payloads for testing to the Lambda functions.

Publish a new version of the functions, and include Amazon CloudWatch alarms.

Update the production alias to point to the new version.

Configure rollbacks to occur when an alarm is in the ALARM state.

This configuration will help to reduce the customer impact of an unsuccessful deployment by deploying the new version of the functions to a staging environment first. This will allow the DevOps engineer to test the new version of the functions before deploying it to production.

The configuration will also help to monitor for issues by including Amazon CloudWatch alarms. These alarms will alert the DevOps engineer if there are any problems with the new version of the functions.