DOP-C02 Exam Dumps : AWS Certified DevOps Engineer - Professional

AWS CodeDeploy natively supports automatic rollback based on CloudWatch alarms . To use this capability, you define an alarm that indicates unhealthy behavior (for example, increasing application error rate) and attach that alarm to the deployment group in CodeDeploy. If the alarm goes into ALARM state during or after a deployment, CodeDeploy automatically rolls back to the last known good revision when auto rollback is enabled.

Option A correctly implements this pattern:

Derive a CloudWatch metric from application logs (e.g., count of error-level log entries or HTTP 5xx responses).

Create a CloudWatch alarm on that metric with appropriate thresholds.

Configure the deployment group to use the alarm as part of its alarm configuration and enable auto rollback .

Option B uses CodeDeploy agent logs, which may not directly reflect true application health and couples rollback logic tightly to deployment internals rather than application behavior. Options C and D implement custom rollback logic with Lambda and EventBridge, which re-create behavior that CodeDeploy already provides natively and add unnecessary operational and code complexity.

Therefore, Option A is the simplest and most aligned with built-in CodeDeploy features for automated rollback based on application errors.

Comprehensive and Detailed Explanation From Exact Extract of DevOps Engineer documents only:

The correct answer is B because AWS Config can continuously evaluate the account-level S3 Block Public Access configuration by using a managed rule. When the configuration becomes noncompliant, AWS Config can trigger automatic remediation through an AWS Systems Manager Automation runbook to restore the required settings.

This solution directly satisfies both requirements:

Detect changes to account-level S3 public access settings.

Automatically revert those changes so that all public access is blocked again.

Why the other options are incorrect:

A. Security Hub is primarily for aggregated security findings and controls visibility. It is not the most direct or standard service for continuous configuration evaluation with automatic remediation of this specific setting.

C. An SCP can restrict permissions, but it does not automatically detect and revert changes to S3 Block Public Access settings.

D. Amazon Macie is for discovering and protecting sensitive data, not for continuously enforcing and remediating S3 Block Public Access account settings.

To implement a control that requires the use of IMDSv2 on all EC2 instances in the account, the DevOps engineer can use a permissions boundary. A permissions boundary is a policy that defines the maximum permissions that an IAM entity can have. The DevOps engineer can create a permissions boundary that prevents the ec2:RunInstance action if the ec2:MetadataHttpTokens condition key is not set to a value of required. This condition key enforces the use of IMDSv2 on EC2 instances. The DevOps engineer can attach the permissions boundary to the IAM role that was used to launch the instance. This way, any attempt to launch an EC2 instance without using IMDSv2 will be denied by the permissions boundary.