DOP-C02 Exam Dumps : AWS Certified DevOps Engineer - Professional

Comprehensive and Detailed Explanation From Exact Extract:

Amazon CloudWatch Logs now supports data protection policies that can mask sensitive data in logs at ingestion time using custom data identifiers. By creating a custom data identifier matching the employee ID pattern (Emp-\d{6}), the administrator can mask those patterns in new log entries automatically.

Assigning an IAM policy that denies the logs:Unmask action to engineers prevents them from seeing unmasked sensitive data, enforcing least privilege access.

This approach is operationally efficient because it uses built-in CloudWatch Logs data protection capabilities without the need for complex custom code or manual log filtering.

Option C requires writing and managing Lambda functions for log transformation, increasing operational overhead. Option D is more complex and reactive rather than preventing the sensitive data exposure. Option B incorrectly references NotAction and managed identifiers that may not match the custom pattern.

Step 1: Storing Docker Images in Amazon ECRDocker images can be large, and storing them in a centralized, scalable location can greatly reduce build times. Amazon Elastic Container Registry (ECR) is a fully managed container registry that stores, manages, and deploys Docker container images.

Action: Store the Docker images in an ECR repository.

Why: Storing Docker images in ECR ensures that Docker images can be reused across multiple builds, improving build performance by avoiding the need to rebuild the images from scratch.

The company’s primary goals are to produce daily builds, publish artifacts to an Amazon S3–hosted website, and do so with the least operational overhead. Because the source repository is public and builds are produced on a fixed daily schedule, there is no requirement for complex multi-stage orchestration or manual pipeline invocations.

Option B provides the most streamlined and AWS-recommended solution. By using AWS CodeBuild directly with the public repository as the source, the company eliminates the need to manage an AWS CodePipeline altogether. CodeBuild can natively compile the project and publish build artifacts directly to an Amazon S3 bucket through its artifacts configuration. This minimizes service dependencies and operational complexity.

Using an Amazon EventBridge scheduled rule to trigger the CodeBuild project daily ensures builds occur automatically without manual intervention. Enabling artifact encryption is the AWS best practice, even for public artifacts, because encryption at rest does not prevent public read access when bucket policies allow it.

Option A relies on webhooks and push-based triggers, which do not meet the “build every day” requirement and introduce unnecessary coupling to repository activity. Options C and D retain CodePipeline, which adds extra configuration and maintenance overhead without providing additional value for this simple build-and-publish workflow.

Therefore, Option B meets all requirements with the least operational effort while following AWS-recommended CI/CD design principles.