Amazon Web Services DOP-C02 Exam With Confidence Using Practice Dumps

The requirement is to deploy a stateless application with multi-Region fault tolerance , ensuring high availability even if an entire AWS Region becomes unavailable. For this design, traffic must be actively served from both Regions, not only during a failure event.

Option C correctly implements an active-active, multi-Region architecture . By deploying the application to both EKS clusters , each Region is capable of serving traffic independently. Using Amazon Route 53 weighted routing , traffic is distributed across both Application Load Balancers, allowing both Regions to handle requests simultaneously. If one Region becomes unhealthy, Route 53 health checks can stop routing traffic to that Region, maintaining availability.

Implementing Kubernetes readiness and liveness probes ensures that traffic is only sent to healthy pods within each cluster. This provides fault tolerance at both the container level (pod health) and the Regional level (Route 53 routing).

Option A uses a failover routing policy, which results in an active-passive design. While fault tolerant, it does not utilize both Regions simultaneously and provides slower recovery during Region failure. Options B and D deploy the application only in the primary Region, which does not meet multi-Region fault tolerance requirements.

Therefore, Option C delivers the most resilient, highly available, and AWS-recommended architecture for a stateless, multi-Region EKS application.

This is a classic AWS Organizations governance design:

Restrict Regions and allowed services across all accounts

The correct Organizations mechanism for account-wide guardrails is a Service Control Policy (SCP) .

SCPs set the maximum permissions that accounts/OUs can use, making them the right tool to enforce “only these Regions” and “only these services” consistently across the org.

Authentication from Active Directory + consistent job-function roles in every account

With AD as the identity source, the standard approach is federation to AWS using an IAM identity provider (SAML) and role assumption based on job function.

AWS CloudFormation StackSets is the operationally efficient way to deploy identical IAM roles/policies into multiple accounts/OUs so job-function permissions are consistent everywhere.

The roles’ trust policies can be configured to allow federated identities (from the AD-backed IdP) to assume the correct job role in each account.

Why the other options don’t fit:

A “OU with group policies” isn’t an AWS Organizations control mechanism for restricting Regions/services. The AWS-native control for this is SCPs , not “group policies.”

B Permissions boundaries are useful to limit what an IAM principal/role can do within an account , but they are not the org-wide enforcement mechanism for “all accounts must stay in these Regions / use only these services.” That’s what SCPs do.

C AWS RAM is for sharing resources (like subnets, Transit Gateway, etc.), not for “sharing roles” across accounts as a governance baseline. Also, the question emphasizes identical permissions in each account, which is best achieved by provisioning roles in each account (StackSets), not attempting to “share” roles.