Amazon Web Services DOP-C02 Exam With Confidence Using Practice Dumps

Option A is incorrect because EventBridge rules cannot filter events based on the message body or attributes of the target service. Therefore, configuring an SNS subscription filter policy to match the CloudFormation stack will not work. The SNS topic will receive all events from the EventBridge rule, regardless of the stack name or drift status.

Option B is incorrect because it introduces unnecessary complexity and cost. Creating a second Lambda function to query the CloudFormation API for the drift detection results is redundant, since CloudFormation already publishes drift detection events to EventBridge. Moreover, invoking two Lambda functions every hour will incur more charges than invoking one.

Option C is incorrect because GuardDuty does not provide drift detection for CloudFormation stacks. GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior in AWS accounts and workloads. It does not monitor or report on configuration changes or drifts in CloudFormation stacks.

Option D is correct because it leverages AWS Config and its managed rule for drift detection. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It can detect configuration changes and drifts in CloudFormation stacks using the cloudformation-stack-drift-detection-check managed rule. This rule triggers an AWS Config event when a stack drifts from its expected template configuration. By creating a second EventBridge rule that reacts to this event for the specific stack, the DevOps engineer can configure the SNS topic as a target and receive a notification as soon as possible when drift is detected.

Option A is the most correct because it provides both: (1) automated patching and (2) compliance monitoring/enforcement across a fleet, using AWS-native services built for exactly this purpose.

AWS Systems Manager Patch Manager is designed to automate patching of managed instances using patch baselines, maintenance windows (or on-demand), and it produces compliance status for patching. It’s the standard AWS service to apply OS/security patches at scale without SSH’ing into instances.

AWS Config can be used to evaluate and track compliance over time against defined rules, giving centralized visibility and continuous compliance assessment. With remediation, Config can invoke Systems Manager Automation documents to correct non-compliant resources or trigger patch actions (depending on the rule/remediation design). This meets the “monitor and enforce” requirement.

Why the other options don’t meet requirements as well:

B is manual, doesn’t scale well, and increases operational risk (key management, human error). It’s not “automated monitoring and enforcement.”

C (replacing instances with new AMIs) can be part of an immutable infrastructure strategy, but by itself it does not provide compliance monitoring across the current fleet, and scaling policies based on CloudWatch metrics are unrelated to patch compliance. Also, patch cadence would depend on AMI pipelines and instance rotation rather than direct compliance enforcement.

D is operationally heavy and mismatched: CloudTrail records API activity; it does not natively provide “patch compliance” status for instance OS packages. Recreating instances via CloudFormation for every patch is not an efficient or standard enforcement mechanism for patch compliance.

ECR Lifecycle Policies automatically manage image retention based on tag status, age, or count. They execute natively within the ECR service, requiring no external management or scripts — the least overhead and AWS-recommended cleanup method.