DOP-C02 Exam Dumps : AWS Certified DevOps Engineer - Professional

service catalog uses stacksets and can enforce tag and restrict resources AWS Customer case with tag enforcement And Youtube video showing how to restrict resources per user with portfolio

The security team’s requirements emphasize governance, approval control, versioning, and automation with minimal operational overhead. AWS Control Tower natively supports guardrail enablement through the AWS::ControlTower::EnableControl CloudFormation resource, which can target entire organizational units. Managing these resources as CloudFormation templates stored in a Git repository provides built-in version control, change review, and rollback capabilities through standard Git workflows.

Option C implements a GitOps-style approach. Each guardrail is defined declaratively in CloudFormation, scoped at the OU level, ensuring consistent enforcement across all accounts in that OU. Storing the templates in a CodeConnections-compatible Git repository allows the security team to review, approve, and audit changes through pull requests. By configuring AWS CodePipeline in the security team’s account and triggering it automatically via an Amazon EventBridge rule on repository merges, only approved changes are deployed. This ensures that new guardrails are enabled only after explicit approval and that the deployment process is fully automated.

Option A lacks pipeline orchestration and approval workflows. Option B requires manual pipeline invocation and per-account configuration, increasing operational overhead. Option D relies on S3 as the source of truth, which lacks native version control and approval mechanisms compared to Git.

Therefore, Option C provides the most operationally efficient, secure, and auditable solution aligned with AWS Control Tower automation best practices.

The best solution to implement failover for the application is to use CloudFront origin groups. Origin groups allow CloudFront to automatically switch to a secondary origin when the primary origin is unavailable or returns specific HTTP status codes that indicate a failure1. This way, CloudFront can serve the requests from the secondary ALB in the secondary Region without any delay or redirection. To set up origin groups, the DevOps engineer needs to create a new origin on the distribution for the secondary ALB, create a new origin group with the original ALB as the primary origin and the secondary ALB as the secondary origin, and configure the origin group to fail over for HTTP 5xx status codes. Then, the DevOps engineer needs to update the default behavior to use the origin group instead of the single origin2.

The other options are not as effective or efficient as the solution in option B. Option A is not suitable because creating a second CloudFront distribution will increase the complexity and cost of the application. Moreover, using Route 53 alias records with a failover policy will introduce some delay in detecting and switching to the secondary CloudFront distribution, which may not meet the zero-second RTO requirement. Option C is not feasible because CloudFront does not support using Route 53 alias records as origins3. Option D is not advisable because using a CloudFront function to redirect the requests to the secondary ALB will add an extra round-trip and latency to the failover process, which may also not meet the zero-second RTO requirement.

1: Optimizing high availability with CloudFront origin failover - Amazon CloudFront

2: Creating an origin group - Amazon CloudFront

3: Values That You Specify When You Create or Update a Web Distribution - Amazon CloudFront