DOP-C02 Exam Dumps : AWS Certified DevOps Engineer - Professional

The requirement specifies enforcing encryption before CloudFormation creates or updates resources. This is key because preventive enforcement must occur during the provisioning workflow, not after resources already exist. AWS provides CloudFormation Hooks specifically for this purpose. A Hook allows an organization to intercept a CloudFormation stack operation and validate resource configurations before provisioning occurs. This feature is recommended by AWS for pre-deployment governance such as enforcing encryption policies, tag compliance, or security restrictions.

By enabling trusted access between CloudFormation StackSets and AWS Organizations, the Hook can be deployed centrally from the delegated administrator account across all accounts in the specified OU. Any attempt to create or update EBS volumes or SQS queues through CloudFormation is validated first by the Hook. If encryption is not configured, the operation fails immediately.

Option C (SCP) blocks API calls globally, but SCPs cannot perform conditional logic based on resource properties passed by CloudFormation prior to creation. Option B (AWS Config) detects violations after resources already exist, which does not satisfy “before stack operation.” Option D (Lambda remediation) also occurs after the resource is created.

Thus, CloudFormation Hooks distributed via StackSets provide the only solution that enforces compliance before the provisioning lifecycle

The current design colocates the web tier, database, and cache on the same EC2 instances. This causes resource contention and makes it difficult to scale each layer independently. The correct solution is to separate these concerns into independently scalable managed services.

Option D uses an Application Load Balancer (ALB) in front of an Auto Scaling group for the web application. ALB is designed for HTTP/HTTPS traffic, supports path-based and host-based routing, and can spread load evenly across multiple instances and Availability Zones, eliminating the issue where one instance is overloaded.

The database is migrated to Amazon Aurora with Multi-AZ , which provides high availability, automated failover, and managed backups. Aurora offloads database management and ensures consistent performance.

For caching, Option D introduces Amazon ElastiCache for Redis , a managed in-memory cache that is purpose-built for low-latency reads, independent scaling, and high availability through replication and clustering.

Option A and C misuse NLB for HTTP traffic or for Redis exposure and introduce unnecessary complexity. Option B keeps Redis on EC2 (via NLB + ASG in a single AZ), which reduces availability and does not leverage managed caching.

Thus, Option D best separates tiers and improves performance and availability.