DOP-C02 Exam Dumps : AWS Certified DevOps Engineer - Professional

Option B is the correct choice and has the least operational overhead because ECR lifecycle policies are the native, managed feature built specifically to automate image cleanup:

ECR lifecycle policies can expire images based on image age (e.g., images older than X days) and can also enforce retaining a minimum number of images (count-based retention), which directly matches the requirement “retain at least a specified number of images.”

Lifecycle policies work for both tagged and untagged images using rule selection and tagging status filters, so the repository stays clean without custom automation.

Why the other options are not appropriate / higher overhead:

A is invalid: ECR is not S3; S3 lifecycle policies do not manage ECR images .

C and D introduce custom automation (Lambda or SSM scripting), scheduling, permissions, error handling, retries, logging, and ongoing maintenance—higher overhead than a managed lifecycle policy.

To ensure that CloudTrail cannot be disabled in any member account, the control must be enforced above the individual accounts, at the organization level , and must not be overridable by local administrators. AWS Service Control Policies (SCPs) provide exactly this capability: they define permission guardrails that apply to all IAM users, roles, and even the root user in accounts within an AWS Organizations OU.

By applying an SCP that explicitly denies cloudtrail:StopLogging and cloudtrail:DeleteTrail , the organization prevents any principal in the affected accounts from disabling logging or deleting the trails, regardless of their IAM permissions. This provides strong, centralized enforcement of audit logging.

Option B uses IAM policies in each account. Local administrators with sufficient privileges could modify or detach those policies, defeating the control. Option C only sends notifications and does not prevent the action. Option D with AWS Config auto-remediation still allows a window where CloudTrail is disabled and also can be disabled or modified itself.

Therefore, the most robust and least bypassable approach is to use an SCP at the OU level to deny CloudTrail stop and delete actions.

Create an EC2 Image Builder Pipeline that Uses a Container Recipe to Build the Image:

EC2 Image Builder simplifies the creation, maintenance, validation, and sharing of container images.

By using a container recipe, you can define the base image, components, and validation tests for your container image.

Configure the Pipeline to Distribute the Image to Amazon Elastic Container Registry (Amazon ECR) Repositories in All Three Regions:

Amazon ECR provides a secure, scalable, and reliable container registry.

Configuring the pipeline to distribute the image to ECR repositories in us-west-2, us-east-2, and eu-central-1 ensures that the image is available in all required regions.

Configure the Pipeline to Run Weekly:

Setting the pipeline to run on a weekly schedule ensures that the base image is regularly updated and published, incorporating any new security configurations or updates.

By using EC2 Image Builder to automate the creation and distribution of the container image, the solution ensures that the base image is consistently maintained and available across multiple regions with minimal management overhead.