DOP-C02 Exam Dumps : AWS Certified DevOps Engineer - Professional

You can run custom recipes manually, but the best approach is usually to have AWS OpsWorks Stacks run them automatically. Every layer has a set of built-in recipes assigned each of five lifecycle events—Setup, Configure, Deploy, Undeploy, and Shutdown. Each time an event occurs for an instance, AWS OpsWorks Stacks runs the associated recipes for each of the instance's layers, which handle the corresponding tasks. For example, when an instance finishes booting, AWS OpsWorks Stacks triggers a Setup event. This event runs the associated layer's Setup recipes, which typically handle tasks such as installing and configuring packages

Accessing a secret from AWS Secrets Manager that is encrypted with a customer managed KMS key requires two distinct permission layers to succeed:

Secrets Manager permissions (via IAM) such as secretsmanager:GetSecretValue for the IAM role assumed by the Kubernetes service account.

KMS key usage permissions in the KMS key policy, allowing the same IAM principal to perform kms:Decrypt (and possibly kms:GenerateDataKey) on the customer managed key.

In this scenario, the service account assumes an IAM role explicitly created to access the secrets. The symptom is an HTTP 403 “Access Denied” when retrieving the secret. If the IAM role has Secrets Manager permissions but the call still fails, the typical root cause is that the KMS key policy does not trust or allow that IAM role, so the decrypt operation fails.

Option B correctly identifies that the KMS key policy must include the Kubernetes service account IAM role as a principal with the appropriate KMS actions.

Option A and C refer to the EKS cluster IAM role, which is not the principal making the call. Option D is unrelated: the role’s ability to “access the EKS cluster” does not affect its ability to call Secrets Manager or KMS. The missing KMS key policy permission is the underlying cause.

The key requirement is to prevent non-approved EC2 instance types from being created at stack creation time, specifically when developers deploy AWS CloudFormation stacks. This is a pre-deployment enforcement requirement, not a detection or remediation requirement after resources already exist.

CloudFormation Guard Hooks are purpose-built for this use case. They allow organizations to define policy-as-code rules that validate CloudFormation templates before resources are created or updated. By writing a CloudFormation Guard rule that explicitly checks the InstanceType property against an approved allow list, the stack operation will fail immediately if a developer attempts to use a disallowed instance type. This enforces compliance early in the deployment lifecycle and avoids post-deployment cleanup.

Option B uses AWS Config, which only detects noncompliance after resources are created. Even with remediation, the instance would still be launched briefly, which violates the requirement. Option C uses an SCP, which applies broadly to all EC2 launches in the organization and is not limited to CloudFormation stacks; this is overly restrictive and could unintentionally block other valid use cases. Option A incorrectly combines Lambda with Guard Hooks—Guard Hooks natively evaluate Guard rules and do not invoke Lambda functions.

Therefore, using a CloudFormation Guard rule with a Guard Hook is the correct and AWS-recommended solution for enforcing approved EC2 instance types during CloudFormation deployments.