DOP-C02 Exam Dumps : AWS Certified DevOps Engineer - Professional

The key requirement is to prevent non-approved EC2 instance types from being created at stack creation time , specifically when developers deploy AWS CloudFormation stacks. This is a pre-deployment enforcement requirement, not a detection or remediation requirement after resources already exist.

CloudFormation Guard Hooks are purpose-built for this use case. They allow organizations to define policy-as-code rules that validate CloudFormation templates before resources are created or updated. By writing a CloudFormation Guard rule that explicitly checks the InstanceType property against an approved allow list, the stack operation will fail immediately if a developer attempts to use a disallowed instance type. This enforces compliance early in the deployment lifecycle and avoids post-deployment cleanup.

Option B uses AWS Config, which only detects noncompliance after resources are created. Even with remediation, the instance would still be launched briefly, which violates the requirement. Option C uses an SCP, which applies broadly to all EC2 launches in the organization and is not limited to CloudFormation stacks; this is overly restrictive and could unintentionally block other valid use cases. Option A incorrectly combines Lambda with Guard Hooks—Guard Hooks natively evaluate Guard rules and do not invoke Lambda functions.

Therefore, using a CloudFormation Guard rule with a Guard Hook is the correct and AWS-recommended solution for enforcing approved EC2 instance types during CloudFormation deployments.

The requirement is to automatically apply different baseline CloudFormation templates based on OU placement when new AWS accounts are created, while keeping operational overhead as low as possible. Because the company is already using AWS Organizations and is planning a comprehensive account management strategy, the most AWS-native and efficient solution is AWS Control Tower with Customizations for AWS Control Tower (CfCT) .

CfCT is specifically designed to extend Control Tower’s baseline by allowing administrators to deploy OU-scoped CloudFormation templates automatically. The solution uses a manifest file to map CloudFormation templates to specific OUs, ensuring that each new account receives the correct baseline configuration immediately after provisioning. Templates and configuration are stored in a version-controlled Git repository, providing auditability, change tracking, and rollback capabilities.

Option B adds unnecessary operational complexity by introducing a custom CodePipeline that must be manually triggered and maintained. This duplicates functionality that CfCT already provides natively. Options C and D rely on custom Lambda logic and EventBridge rules, which increase maintenance burden, reduce transparency, and lack built-in OU-aware governance features.

AWS documentation explicitly recommends Customizations for AWS Control Tower for OU-based, scalable, and automated baseline deployments. Therefore, Option A delivers the required functionality with the least operational overhead and aligns with AWS best practices for multi-account governance.

To restrict direct access to API Gateway, add a custom header in the CloudFront distribution origin request and use a Lambda authorizer in API Gateway to validate that header. Only requests routed through CloudFront will include this header. This is the AWS-recommended pattern in “Secure your APIs behind CloudFront using custom headers and Lambda authorizers.”