DOP-C02 Exam Dumps : AWS Certified DevOps Engineer - Professional

Mutual TLS (mTLS) authentication requires two-way authentication between the client and the server. For Amazon API Gateway, you can enable mTLS for a custom domain name, which requires clients to present X.509 certificates to verify their identity to access your API. To set up mTLS, you would typically use AWS Certificate Manager (ACM) to create a private certificate authority (CA) and provision a client certificate signed by this private CA. The root CA certificate is then uploaded to an Amazon S3 bucket and configured in API Gateway as the trust store12.

Introducing mutual TLS authentication for Amazon API Gateway1.

Configuring mutual TLS authentication for a REST API2.

AWS Private Certificate Authority details3.

AWS Certificate Manager Private Certificate Authority updates4.

The requirement is not just to perform a one-time upgrade, but to ensure that Kubernetes and related components stay continuously within the AWS standard support window, with minimal ongoing effort. EKS Auto Mode is designed to reduce operational burden by managing cluster infrastructure, including control plane and data plane lifecycle, in a more automated fashion. When EKS Auto Mode is enabled and existing managed node groups are removed, EKS can manage compute capacity and associated upgrades in a more integrated, hands-off way, tracking supported versions automatically.

Option A (aws eks update-cluster-version) and Option C (eksctl upgrade) are both manual upgrade mechanisms. They can update clusters to a specific version but do not continuously ensure future upgrades as new supported versions are released; they require the DevOps team to schedule and execute each upgrade. Option D (IaC refactor) is generally a good practice but does not inherently provide automatic version lifecycle management; it also introduces significant upfront effort compared to enabling Auto Mode.

Thus, enabling EKS Auto Mode and deprecating manual managed node groups provides the least operational overhead for staying within the EKS-supported version schedule.

To meet the requirements of failover and disaster recovery, the company should use the following deployment strategies:

Create an Amazon Aurora global database in two AWS Regions as the data store. In the event of a failure, promote the secondary Region to the primary for the application. Update the application to use the Aurora cluster endpoint in the secondary Region. This strategy can provide a low RPO and RTO for the data, as Aurora global database replicates data with minimal latency across Regions and allows fast and easy failover12. The company can use the Amazon Aurora cluster endpoint to connect to the current primary DB cluster without needing to change any application code1.

Set up the application in two AWS Regions. Configure AWS Global Accelerator to point to Application Load Balancers (ALBs) in both Regions. Add both ALBs to a single endpoint group. Use health checks and Auto Scaling groups in each Region. This strategy can provide high availability and performance for the application, as AWS Global Accelerator uses the AWS global network to route traffic to the closest healthy endpoint3. The company can also use static IP addresses that are assigned by Global Accelerator as a fixed entry point for their application1. By using health checks and Auto Scaling groups, the company can ensure that their application can scale up or down based on demand and handle any instance failures4.

The other options are incorrect because:

Creating an Amazon Aurora Single-AZ cluster in multiple AWS Regions as the data store would not provide a fast failover or disaster recovery solution, as the company would need to manually restore data from backups or snapshots in another Region in case of a failure.

Creating an Amazon Aurora cluster in multiple AWS Regions as the data store and using a Network Load Balancer to balance the database traffic in different Regions would not work, as Network Load Balancers do not support cross-Region routing. Moreover, this strategy would not provide a consistent view of the data across Regions, as Aurora clusters do not replicate data automatically between Regions unless they are part of a global database.

Setting up the application in two AWS Regions and using Amazon Route 53 failover routing that points to Application Load Balancers in both Regions would not provide a low RTO, as Route 53 failover routing relies on DNS resolution, which can take time to propagate changes across different DNS servers and clients. Moreover, this strategy would not provide deterministic routing, as Route 53 failover routing depends on DNS caching behavior, which can vary depending on different factors.