DOP-C02 Exam Dumps : AWS Certified DevOps Engineer - Professional

Comprehensive and Detailed Explanation From Exact Extract of DevOps Engineer documents only:

Use CodePipeline with a Git source to orchestrate the flow, CodeBuild to produce versioned artifacts in S3, and CodeDeploy to EC2 with lifecycle hooks (e.g., BeforeInstall) to run cache-clearing and unpack steps. This gives end-to-end visibility, rollbacks, and standardized deployments.

The requirements clearly indicate the need for modern CodePipeline capabilities, strict execution ordering, Git tag–based triggers, and loose coupling between pipelines. CodePipeline V2 introduces execution modes such as QUEUED and SUPERSEDED, along with native support for advanced trigger filtering when using AWS CodeConnections.

The requirement that the pipeline must wait for the previous run to finish directly maps to QUEUED mode, which ensures that pipeline executions run sequentially rather than replacing in-progress executions. SUPERSEDED mode would cancel the running execution, which violates the requirement.

Triggering the pipeline when new Git tags are pushed is supported through CodePipeline V2 trigger filters using refs/tags/*. Branch-based triggers would not satisfy this condition.

Finally, the requirement that an existing deployment pipeline runs in response to new container images is best met using Amazon EventBridge, which natively emits events for ECR image push actions. EventBridge allows decoupled, event-driven orchestration between pipelines without tight dependencies or custom scripting. This is the AWS-recommended approach for pipeline-to-pipeline coordination.

Options C and D rely on CodePipeline V1, which lacks modern trigger filtering and execution control. Option B incorrectly uses SUPERSEDED mode and branch-based triggers.

Therefore, Option A correctly combines CodePipeline V2, QUEUED execution mode, tag-based triggers, and EventBridge-driven pipeline chaining, meeting all requirements with best practices and minimal operational complexity.

The question emphasizes “MOST securely” and involves a multi-account backup strategy with a centralized backup account. AWS Backup best practice for high-security environments is to use customer managed KMS keys for encrypting backup vaults rather than AWS managed keys. Customer managed keys provide tighter control over key lifecycle, key policies, and cross-account access.

Option A creates encrypted backup vaults in both the source and centralized accounts, each protected by a customer managed KMS key in that account. AWS Backup is then configured to create full EC2 backups (AMIs) and copy them to the centralized backup vault. This design ensures:

Encryption at rest in both accounts.

Independent key control and policies per account.

Secure cross-account backup copy behavior governed by explicit KMS key grants and vault access policies.

Option B incorrectly uses the source account’s KMS key to encrypt vaults in both accounts, which is not the recommended pattern; each account should manage its own CMK. Options C and D rely partially or fully on AWS managed keys, which are less appropriate when the requirement explicitly stresses maximum security and control.

Therefore, Option A best satisfies both the RPO/RTO goals (daily AMI backups with rapid restore) and the strongest encryption posture.