Exactprep DOP-C02 Questions

Installing the CloudWatch agent and instrumenting the application to push custom metrics to the agent is the easiest and lowest overhead method.

Prometheus (B) adds operational complexity.

Lambda polling (C) introduces unnecessary complexity and latency.

Using Logs Insights (D) requires extracting metrics from logs, which is less efficient.

The security team’s requirements emphasize governance, approval control, versioning, and automation with minimal operational overhead. AWS Control Tower natively supports guardrail enablement through the AWS::ControlTower::EnableControl CloudFormation resource, which can target entire organizational units. Managing these resources as CloudFormation templates stored in a Git repository provides built-in version control, change review, and rollback capabilities through standard Git workflows.

Option C implements a GitOps-style approach. Each guardrail is defined declaratively in CloudFormation, scoped at the OU level, ensuring consistent enforcement across all accounts in that OU. Storing the templates in a CodeConnections-compatible Git repository allows the security team to review, approve, and audit changes through pull requests. By configuring AWS CodePipeline in the security team’s account and triggering it automatically via an Amazon EventBridge rule on repository merges, only approved changes are deployed. This ensures that new guardrails are enabled only after explicit approval and that the deployment process is fully automated.

Option A lacks pipeline orchestration and approval workflows. Option B requires manual pipeline invocation and per-account configuration, increasing operational overhead. Option D relies on S3 as the source of truth, which lacks native version control and approval mechanisms compared to Git.

Therefore, Option C provides the most operationally efficient, secure, and auditable solution aligned with AWS Control Tower automation best practices.

The correct answer is C. Using AWS Config to identify and audit all EC2 instances based on their host placement configuration is the most efficient and scalable solution to ensure compliance with the software licensing requirement. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. By creating a custom AWS Config rule that triggers a Lambda function to verify host placement, the DevOps engineer can automate the process of checking whether the instances are running on EC2 Dedicated Hosts or not. The Lambda function can return a NON_COMPLIANT result if the instance is not running on an EC2 Dedicated Host, and the AWS Config report can provide a summary of the compliance status of the instances. This solution requires the least administrative overhead compared to the other options.

Option A is incorrect because using AWS Systems Manager Configuration Compliance to scan and build a database of noncompliant EC2 instances based on their host placement configuration is a more complex and costly solution than using AWS Config. AWS Systems Manager Configuration Compliance is a feature of AWS Systems Manager that enables you to scan your managed instances for patch compliance and configuration inconsistencies. To use this feature, the DevOps engineer would need to install the Systems Manager Agent on each EC2 instance, create a State Manager association to run the put-compliance-items API action periodically, and use a DynamoDB table to store the instance IDs of noncompliant resources. This solution would also require more API calls and storage costs than using AWS Config.

Option B is incorrect because using custom Java code running on an EC2 instance to check and terminate noncompliant EC2 instances is a more cumbersome and error-prone solution than using AWS Config. This solution would require the DevOps engineer to write and maintain the Java code, set up EC2 Auto Scaling for the instance, use an SQS queue and another worker instance to process the instance IDs, use a Lambda function and an SNS topic to terminate and notify the noncompliant instances, and handle any potential failures or exceptions in the workflow. This solution would also incur more compute, storage, and messaging costs than using AWS Config.

Option D is incorrect because using AWS CloudTrail to identify and audit EC2 instances by analyzing the EC2 RunCommand API action is a less reliable and accurate solution than using AWS Config. AWS CloudTrail is a service that enables you to monitor and log the API activity in your AWS account. The EC2 RunCommand API action is used to execute commands on one or more EC2 instances. However, this API action does not necessarily indicate the host placement of the instance, and it may not capture all the instances that are running on EC2 Dedicated Hosts or not. Therefore, option D would not provide a comprehensive and consistent audit of the EC2 instances.

AWS Config can monitor compliance by checking EC2 software inventory. Custom Config rules can automatically trigger Systems Manager Automation documents as remediation actions when noncompliant (software missing). This meets policy enforcement goals with automation.