DOP-C02 Exam Dumps : AWS Certified DevOps Engineer - Professional

The question emphasizes “MOST securely” and involves a multi-account backup strategy with a centralized backup account. AWS Backup best practice for high-security environments is to use customer managed KMS keys for encrypting backup vaults rather than AWS managed keys. Customer managed keys provide tighter control over key lifecycle, key policies, and cross-account access.

Option A creates encrypted backup vaults in both the source and centralized accounts, each protected by a customer managed KMS key in that account. AWS Backup is then configured to create full EC2 backups (AMIs) and copy them to the centralized backup vault. This design ensures:

Encryption at rest in both accounts.

Independent key control and policies per account.

Secure cross-account backup copy behavior governed by explicit KMS key grants and vault access policies.

Option B incorrectly uses the source account’s KMS key to encrypt vaults in both accounts, which is not the recommended pattern; each account should manage its own CMK. Options C and D rely partially or fully on AWS managed keys, which are less appropriate when the requirement explicitly stresses maximum security and control.

Therefore, Option A best satisfies both the RPO/RTO goals (daily AMI backups with rapid restore) and the strongest encryption posture.

The Amazon SQS service publishes several standard CloudWatch metrics by default, including ApproximateNumberOfMessagesVisible, which represents the number of messages available for retrieval from the queue (i.e., the number of messages waiting to be processed). This is the primary metric to monitor queue backlog and processing delays.

Using ApproximateNumberOfMessagesVisible to monitor the visible messages in the queue gives a direct and near real-time indication of processing delays or backlog.

CloudWatch metrics are automatically collected and available without the need to create custom metrics or Lambda functions, which increases operational efficiency by reducing complexity and maintenance overhead.

Setting a CloudWatch alarm on this metric with a static threshold and a reasonable evaluation period (such as 1 hour) is sufficient to alert the team when the queue grows beyond an expected size.

The alarm can be directly configured to send notifications to an existing SNS topic, maintaining seamless integration with the team’s alerting mechanisms.

The ApproximateNumberOfMessagesDelayed metric refers to messages that are delayed and not available for processing yet due to delay settings, which is not the direct backlog that causes business process delays.

Options C and D introduce unnecessary complexity by requiring Lambda functions and custom metrics or scheduled invocations, which reduce operational efficiency compared to using built-in CloudWatch metrics and alarms.

Reference from AWS Official Documentation and Study Guide:

Amazon SQS Monitoring with CloudWatch Metrics: " Amazon SQS automatically sends metrics to CloudWatch, including ApproximateNumberOfMessagesVisible, which shows the number of messages available for retrieval. " (Source: Amazon SQS Monitoring - AWS Documentation)

Setting CloudWatch Alarms for SQS Queues: " You can create CloudWatch alarms on SQS metrics such as ApproximateNumberOfMessagesVisible to receive notifications when the queue size exceeds a threshold. " (Source: Amazon CloudWatch Alarms - AWS Documentation)

AWS DevOps Engineer Professional Exam Guide: " Efficient alerting for queue backlogs should leverage native CloudWatch metrics to minimize operational overhead. " (Source: Official AWS Certified DevOps Engineer Professional Study Guide)