DOP-C02 Exam Dumps : AWS Certified DevOps Engineer - Professional

The correct answer is C.

Option A is incorrect because using CloudWatch metrics to create a custom expression that identifies the CloudWatch log groups that have the most data being written to them is not a valid solution. CloudWatch metrics do not provide information about the size or volume of data being ingested by CloudWatch logs. CloudWatch metrics only provide information about the number of events, bytes, and errors that occur within a log group or stream. Moreover, creating a custom expression with CloudWatch metrics would require using the search_web tool, which is not necessary for this use case.

Option B is incorrect because using CloudWatch Logs Insights to create a set of queries for the application log groups to identify the number of logs written for a period of time is not a valid solution. CloudWatch Logs Insights can help analyze and filter log events based on patterns and expressions, but it does not provide information about the cost or billing of CloudWatch logs. CloudWatch Logs Insights also charges based on the amount of data scanned by each query, which could increase the logging costs further.

Option C is correct because using AWS Cost Explorer to generate a cost report that details the cost for CloudWatch usage is a valid solution. AWS Cost Explorer is a tool that helps visualize, understand, and manage AWS costs and usage over time. AWS Cost Explorer can generate custom reports that show the breakdown of costs by service, region, account, tag, or any other dimension. AWS Cost Explorer can also filter and group costs by usage type, which can help identify the specific CloudWatch log groups that are the source of the increased logging costs.

Option D is incorrect because using AWS CloudTrail to filter for CreateLogStream events for each application is not a valid solution. AWS CloudTrail is a service that records API calls and account activity for AWS services, including CloudWatch logs. However, AWS CloudTrail does not provide information about the cost or billing of CloudWatch logs. Filtering for CreateLogStream events would only show when a new log stream was created within a log group, but not how much data was ingested or stored by that log stream.

Only the Organizations management account (or roles in that account) can call organizations:CreateAccount directly. When moving the Lambda function to a different (dedicated) account, the correct pattern is to perform cross-account role assumption into a role that resides in the management account and has tightly scoped Organizations permissions.

Option A describes exactly this:

Create an IAM role in the management account with only the required Organizations permissions (for example, organizations:CreateAccount and related read permissions).

Configure the trust policy on that role to allow it to be assumed by the Lambda execution role in the new account.

Update the Lambda code to call sts:AssumeRole into the management-account role before invoking the Organizations API.

This approach ensures that:

The Lambda function can create new accounts, but only via the management account.

The Lambda execution role in the dedicated account has no direct Organizations permissions; it only has permission to assume the specific role.

Option B is incorrect because “delegated administration for Organizations” in the generic sense is not how CreateAccount is exposed; account creation remains a management-account responsibility. Options C and D either misconfigure trust or introduce unnecessary Control Tower complexity. Cross-account assume-role from the dedicated account into the management account is the correct and least-privilege solution.