DOP-C02 Exam Dumps : AWS Certified DevOps Engineer - Professional

Amazon S3 can generate server access logs that record detailed information about each request, including requester, bucket, key, operation, time, and status. These logs are written as objects to an S3 bucket. To analyze access patterns, the simplest and most serverless approach is to use Amazon Athena directly on those logs without building ingestion pipelines or databases.

Option B enables S3 server access logging and then creates an Athena external table over the log bucket. AWS provides standard log formats and even example schemas for S3 access logs. The analytics team can run ad hoc SQL queries to count the number of accesses per object per time period, filter by user, and perform aggregations, all without provisioning compute or managing databases.

Option A requires ingesting logs into Aurora, which adds ETL complexity and ongoing database management. Option C requires a Lambda function for every access event plus DB writes, which is more complex and potentially expensive at scale. Option D uses CloudWatch Logs and Managed Flink, which is more suited for streaming analytics and is significantly more complex than necessary for monthly summary reports.

Therefore, Option B provides the required analysis with the least development and operational effort.

The question focuses on detecting supply chain attacks that bypass CI/CD controls and result in malicious runtime behavior in the deployed serverless application. This requires runtime threat detection, not just static scanning or infrastructure validation.

Amazon GuardDuty is AWS’s managed threat detection service. GuardDuty now includes Lambda Protection, which analyzes Lambda function behavior, including network calls, IAM API usage, and other signals to detect compromised functions, crypto-mining, data exfiltration, and other malicious activity. GuardDuty automatically ingests CloudTrail, VPC Flow Logs (if enabled), and other telemetry without requiring code changes or agents. Findings are published and can be routed to Amazon EventBridge for near real-time notifications or automated remediation.

Option A (AWS WAF) only inspects HTTP requests to API Gateway and is focused on known bad patterns, not deeper behavioral anomalies. Option C (CloudFormation Guard) is focused on infrastructure-as-code validation in the pipeline, which explicitly does not help once malicious code is deployed. Option D (Network Firewall with Emerging Threats rules) protects VPC traffic, but serverless components like Lambda and API Gateway may not all traverse that firewall, and it is not targeted at function-level behavior.

Hence, enabling GuardDuty with Lambda Protection and using EventBridge notifications is the correct solution.

A- D - This option correctly utilizes AWS CodePipeline to invoke the CodeBuild job and create CloudFormation change sets. It adds a manual approval step before executing the change sets and starting the AWS CodeDeploy deployment. This ensures that the deployment process is automated while retaining the final manual approval step.