DOP-C02 Exam Dumps : AWS Certified DevOps Engineer - Professional

Step 1: Reacting to CloudFormation Stack Events with EventBridgeAWS CloudFormation emits events during the lifecycle of a stack, including the UPDATE_COMPLETE event after a successful stack update. You can use Amazon EventBridge to detect this event and trigger a specific action (such as invoking a Lambda function).

Action: Create an EventBridge rule that listens for the UPDATE_COMPLETE event for the CloudFormation stack.

Why: EventBridge allows you to automatically detect CloudFormation stack lifecycle events and take action based on them.

Step 2: Invoking the Lambda FunctionAfter the EventBridge rule detects the UPDATE_COMPLETE event, it can invoke the pre-configured Lambda function to apply or update the tag on the specific CloudFormation stack instance.

Action: Configure the EventBridge rule to invoke the Lambda function when the UPDATE_COMPLETE event occurs.

Why: This automation ensures that the tag is applied immediately after a successful stack update without any manual intervention.

AWS Control Tower provides Account Factory and Account Factory Customizations (AFC) as the lowest-overhead and most scalable method for creating and configuring new accounts. AFC allows you to define blueprints that include mandatory baseline resources such as IAM roles, logging configurations, guardrails, network settings, and tagging standards. When accounts are created through Account Factory using a customization blueprint, all controls and baseline configurations are applied automatically during provisioning, without any additional automation steps or StackSet deployments.

Option B requires running StackSets after the account is created, which adds manual management overhead and defeats the built-in automation advantages of Control Tower. Options C and D rely on manually provisioning accounts via AWS Organizations, which bypasses Control Tower’s governance and would require custom Lambda or StackSet automation to replicate controls that Control Tower already provides automatically.

Because the question explicitly asks for the least operational overhead, the correct answer is to use the Control Tower AFC blueprint, ensuring every account is born compliant with the required guardrails and baseline configuration.

The operating system (Amazon Linux) uses yum for package management. To use both the default and a custom repository, the simplest method is to add the custom repository configuration file under /etc/yum.repos.d/ using the yum-config-manager CLI, and enable it. This allows the system to access both repositories during patching automatically.

This approach requires minimal setup and effort and leverages the existing yum patching mechanisms.

Option A and D involve managing multiple patch baselines in Systems Manager Patch Manager, which does not natively support custom repositories — it relies on the underlying OS package manager.

Option B (Direct Connect) is not necessary unless network connectivity is an issue.

Thus, option C meets the requirement with the least effort.