DOP-C02 Exam Dumps : AWS Certified DevOps Engineer - Professional

The requirements demand very low data loss (RPO < 1 minute) and fast recovery (RTO < 10 minutes) across Regions . Snapshot/backup-based approaches (B, D) generally cannot meet an RPO under 1 minute (and restoring snapshots/backups typically pushes RTO higher than 10 minutes for many real-world DB sizes and restore times).

Option A is the only choice that is explicitly built around near-real-time replication to another Region (cross-Region replica) and an operational pattern to promote the standby and update Route 53 to redirect applications quickly during failover.

Multi-AZ addresses in-Region high availability , while the cross-Region replica + promotion addresses cross-Region DR with low RPO and acceptable RTO when automated.

Why the others don’t meet the stated RPO/RTO:

B : Copying snapshots every 5 minutes immediately violates RPO < 1 minute .

C : DMS replication could potentially be low-latency, but the option only mentions notifications (no automated failover/redirect) and does not provide the clearest/most direct managed HA+DR pattern for the required RTO < 10 minutes .

D : “Cross-Region backups every 30 seconds ” is not a standard practical backup cadence for AWS Backup with RDS, and restore-based DR still tends to miss the RTO/RPO targets compared with replica promotion.

The requirement is to update the infrastructure to ensure that only the Lambda function’s execution role can access the values in Secrets Manager. The solution must apply the principle of least privilege, which means granting the minimum permissions necessary to perform a task.

To do this, the DevOps engineer needs to use the following steps:

Create a KMS customer managed key that trusts Secrets Manager and allows the Lambda function’s execution role to decrypt. A customer managed key is a symmetric encryption key that is fully managed by the customer. The customer can define the key policy, which specifies who can use and manage the key. By creating a customer managed key, the DevOps engineer can restrict the decryption permission to only the Lambda function’s execution role, and prevent other principals from accessing the secret values. The customer managed key also needs to trust Secrets Manager, which means allowing Secrets Manager to use the key to encrypt and decrypt secrets on behalf of the customer.

Update Secrets Manager to use the new customer managed key. Secrets Manager allows customers to choose which KMS key to use for encrypting each secret. By default, Secrets Manager uses the default KMS key for Secrets Manager, which is a service-managed key that is shared by all customers in the same AWS Region. By updating Secrets Manager to use the new customer managed key, the DevOps engineer can ensure that only the Lambda function’s execution role can decrypt the secret values using that key.

Ensure that the Lambda function’s execution role has the KMS permissions scoped on the resource level. The Lambda function’s execution role is an IAM role that grants permissions to the Lambda function to access AWS services and resources. The role needs to have KMS permissions to use the customer managed key for decryption. However, to apply the principle of least privilege, the role should have the permissions scoped on the resource level, which means specifying the ARN of the customer managed key as a condition in the IAM policy statement. This way, the role can only use that specific key and not any other KMS keys in the account.