DOP-C02 Exam Dumps : AWS Certified DevOps Engineer - Professional

The correct answer is C. Using AWS Config to identify and audit all EC2 instances based on their host placement configuration is the most efficient and scalable solution to ensure compliance with the software licensing requirement. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. By creating a custom AWS Config rule that triggers a Lambda function to verify host placement, the DevOps engineer can automate the process of checking whether the instances are running on EC2 Dedicated Hosts or not. The Lambda function can return a NON_COMPLIANT result if the instance is not running on an EC2 Dedicated Host, and the AWS Config report can provide a summary of the compliance status of the instances. This solution requires the least administrative overhead compared to the other options.

Option A is incorrect because using AWS Systems Manager Configuration Compliance to scan and build a database of noncompliant EC2 instances based on their host placement configuration is a more complex and costly solution than using AWS Config. AWS Systems Manager Configuration Compliance is a feature of AWS Systems Manager that enables you to scan your managed instances for patch compliance and configuration inconsistencies. To use this feature, the DevOps engineer would need to install the Systems Manager Agent on each EC2 instance, create a State Manager association to run the put-compliance-items API action periodically, and use a DynamoDB table to store the instance IDs of noncompliant resources. This solution would also require more API calls and storage costs than using AWS Config.

Option B is incorrect because using custom Java code running on an EC2 instance to check and terminate noncompliant EC2 instances is a more cumbersome and error-prone solution than using AWS Config. This solution would require the DevOps engineer to write and maintain the Java code, set up EC2 Auto Scaling for the instance, use an SQS queue and another worker instance to process the instance IDs, use a Lambda function and an SNS topic to terminate and notify the noncompliant instances, and handle any potential failures or exceptions in the workflow. This solution would also incur more compute, storage, and messaging costs than using AWS Config.

Option D is incorrect because using AWS CloudTrail to identify and audit EC2 instances by analyzing the EC2 RunCommand API action is a less reliable and accurate solution than using AWS Config. AWS CloudTrail is a service that enables you to monitor and log the API activity in your AWS account. The EC2 RunCommand API action is used to execute commands on one or more EC2 instances. However, this API action does not necessarily indicate the host placement of the instance, and it may not capture all the instances that are running on EC2 Dedicated Hosts or not. Therefore, option D would not provide a comprehensive and consistent audit of the EC2 instances.

The requirement is specifically to validate critical user journeys and API endpoints after each deployment and before routing traffic . The most direct AWS-native way to test “real” user flows and endpoints automatically is CloudWatch Synthetics canaries , which can run scripted checks (HTTP/API and browser-style journeys).

Option D minimizes operational overhead because it uses a straightforward managed pattern:

Canaries run against the new deployment to validate endpoints and journeys.

CloudWatch alarms trigger when the canaries fail (objective signal of broken journeys/APIs).

The solution then uses alarm-driven rollback (the intent here is automated rollback without writing custom analysis code or managing multi-service workflows).

Why the other options have more overhead or miss the “user journey/API validation” goal as cleanly:

A focuses on ECS task states (healthy/unhealthy tasks). That can detect deployment failures, but it doesn’t validate critical user journeys or API correctness . Also requires custom Lambda logic for analysis + rollback control.

B adds even more moving parts (Application Insights + alarms + EventBridge + Step Functions). Also, monitoring KPIs is not the same as explicitly validating journeys/endpoints before routing traffic .

C is the highest overhead: canaries plus X-Ray instrumentation across all microservices, trace exporting, custom Lambda analysis, etc. That’s heavy compared to canary + alarm.

So D best matches: “validate journeys/endpoints” + “automated detect + rollback” with least operational overhead by relying on managed canaries and alarms rather than custom code/workflows.

Amazon FSx for NetApp ONTAP provides NetApp ONTAP features in AWS, including SnapMirror replication and storage efficiencies like deduplication and compression. Create FSx for ONTAP in each Region and use SnapMirror from on-prem ONTAP to each Region for efficient, incremental replication. Regions can serve data independently of on-prem availability once replicated.