DOP-C02 Exam Dumps : AWS Certified DevOps Engineer - Professional

Option A is incorrect because EventBridge rules cannot filter events based on the message body or attributes of the target service. Therefore, configuring an SNS subscription filter policy to match the CloudFormation stack will not work. The SNS topic will receive all events from the EventBridge rule, regardless of the stack name or drift status.

Option B is incorrect because it introduces unnecessary complexity and cost. Creating a second Lambda function to query the CloudFormation API for the drift detection results is redundant, since CloudFormation already publishes drift detection events to EventBridge. Moreover, invoking two Lambda functions every hour will incur more charges than invoking one.

Option C is incorrect because GuardDuty does not provide drift detection for CloudFormation stacks. GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior in AWS accounts and workloads. It does not monitor or report on configuration changes or drifts in CloudFormation stacks.

Option D is correct because it leverages AWS Config and its managed rule for drift detection. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It can detect configuration changes and drifts in CloudFormation stacks using the cloudformation-stack-drift-detection-check managed rule. This rule triggers an AWS Config event when a stack drifts from its expected template configuration. By creating a second EventBridge rule that reacts to this event for the specific stack, the DevOps engineer can configure the SNS topic as a target and receive a notification as soon as possible when drift is detected.

The “fan-out” batch build type in AWS CodeBuild allows running multiple builds in parallel for different subsets of tests, reducing overall test execution time. CodeBuild then aggregates the results into a single consolidated report. This approach is detailed in the AWS documentation under “Batch builds and parallel execution with CodeBuild.”

The company needs fast, proactive alerts for future performance issues, beyond basic EC2 metrics. Option A provides a complete, AWS-native monitoring pattern aligned with best practices:

Enable detailed monitoring on EC2 instances to increase metric resolution (from 5-minute to 1-minute intervals), improving the responsiveness of alarms.

Define custom CloudWatch metrics for application-level indicators such as request latency, error rate, queue depth, or throughput. These metrics can be published from the application or sidecar agents.

Create CloudWatch alarms on both infrastructure (CPU, network, disk) and custom application metrics with thresholds that reflect performance SLOs. Alarms can notify teams via SNS or incident management tools.

Use CloudWatch Logs Insights to analyze logs for recurring error patterns, slow requests, or exceptions when alarms fire.

Option B focuses on tracing and frontend RUM; while useful, it is more complex and not necessary just to get quick alerts. Option C uses services (CloudTrail, GuardDuty, Trusted Advisor) that are not focused on real-time performance detection. Option D with VPC Flow Logs is network-level and would not detect general application performance issues.

Thus, Option A offers a direct, efficient way to detect and alert on performance degradations quickly.