DOP-C02 Exam Dumps : AWS Certified DevOps Engineer - Professional

Running unit tests in the build phase and aborting on failure (OnFailure=ABORT) prevents deployment if tests fail.

AWS CDK assertions module provides programmatic unit tests against synthesized templates (Option D).

The --rollback flag relates to CloudFormation stack rollback, not test gating.

The --require-approval flag controls manual approvals, not test outcomes.

cdk diff checks for changes but is not a unit test and may not catch logical errors.

The requirement is to immediately detect and terminate EC2 instances involved in cryptocurrency mining with the least development effort. Amazon GuardDuty is the AWS-native service specifically designed to detect malicious activities such as crypto-mining by continuously analyzing CloudTrail events, VPC Flow Logs, and DNS logs. GuardDuty includes managed threat intelligence and predefined findings like CryptoCurrency:EC2/BitcoinTool.B!DNS and CryptoCurrency:EC2/BitcoinTool.B!IP, which directly identify mining behavior without custom detection logic.

Option C leverages this built-in capability. Once GuardDuty is enabled, findings are automatically generated when mining activity is detected. These findings are sent to Amazon EventBridge in near real time. An EventBridge rule can filter for cryptocurrency-related findings and trigger an AWS Lambda function. The Lambda function can then identify the affected EC2 instance and terminate it or adjust the Auto Scaling group to replace it. This approach requires minimal custom code and no log parsing, scheduled jobs, or analytics pipelines.

Options A and B rely on custom log analysis, periodic execution, and maintaining lists of mining domains or IPs, which significantly increases complexity and response time. Option D uses AWS Security Hub, which aggregates findings from GuardDuty and other services but is not intended for immediate, low-latency remediation.

Therefore, Option C provides the fastest detection, immediate response, and lowest development overhead using AWS-managed threat detection services.

To prevent ApplicationA from being installed on the additional instance, the deployment group configuration needs to be more specific. By changing the current single tag group to include only the Environment=Production tag and adding another single tag group that includes only the Name=ApplicationA tag, the deployment process will target only the instances that match both tag groups. This ensures that only instances intended for ApplicationA with the correct environment and name tags will receive the deployment, thus excluding the additional instance with the Department=Marketing and Name=ApplicationB tags.

AWS CodeDeploy Documentation: Working with instances for CodeDeploy

AWS CodeDeploy Documentation: Stop a deployment with CodeDeploy

Stack Overflow Discussion: CodeDeploy Deployment failed to stop Application