DOP-C02 Exam Dumps : AWS Certified DevOps Engineer - Professional

SCPs (Service Control Policies) are the best way to restrict permissions at the organizational level, which in this case would be used to restrict modifications to the IAM role used by the auditing application, while still allowing trusted administrators to make changes to it. Options C and D are not as effective because IAM permission boundaries are applied to IAM entities (users, groups, and roles), not the account itself, and must be applied to all IAM entities in the account.

 The correct solution is to create a new assertion safety rule in Route 53 ARC and apply it to the two routing controls. An assertion safety rule is a type of safety rule that ensures that a minimum number of routing controls are always enabled. The ATLEAST type of assertion safety rule specifies the minimum number of routing controls that must be enabled for the rule to evaluate as healthy. By setting the threshold to 1, the rule ensures that at least one routing control is always turned on. This prevents the scenario where both routing controls are accidentally turned off and the application becomes unavailable in both Regions.

The other solutions are incorrect because they do not use safety rules to prevent both routing controls from being turned off. A gating safety rule is a type of safety rule that prevents routing control state changes that violate the rule logic. The OR type of gating safety rule specifies that one or more routing controls must be enabled for the rule to evaluate as healthy. However, this rule does not prevent a user from turning off both routing controls manually. A resource set is a collection of resources that are tested for readiness by Route 53 ARC. A readiness check is a test that verifies that all the resources in a resource set are operational. However, these concepts are not related to routing control states or safety rules. Therefore, creating a new resource set and a new readiness check will not ensure that at least one routing control is turned on at all times. References:

Routing control in Amazon Route 53 Application Recovery Controller

Viewing and updating routing control states in Route 53 ARC

Creating a control panel in Route 53 ARC

Creating safety rules in Route 53 ARC

The key requirement is to prevent non-approved EC2 instance types from being created at stack creation time , specifically when developers deploy AWS CloudFormation stacks. This is a pre-deployment enforcement requirement, not a detection or remediation requirement after resources already exist.

CloudFormation Guard Hooks are purpose-built for this use case. They allow organizations to define policy-as-code rules that validate CloudFormation templates before resources are created or updated. By writing a CloudFormation Guard rule that explicitly checks the InstanceType property against an approved allow list, the stack operation will fail immediately if a developer attempts to use a disallowed instance type. This enforces compliance early in the deployment lifecycle and avoids post-deployment cleanup.

Option B uses AWS Config, which only detects noncompliance after resources are created. Even with remediation, the instance would still be launched briefly, which violates the requirement. Option C uses an SCP, which applies broadly to all EC2 launches in the organization and is not limited to CloudFormation stacks; this is overly restrictive and could unintentionally block other valid use cases. Option A incorrectly combines Lambda with Guard Hooks—Guard Hooks natively evaluate Guard rules and do not invoke Lambda functions.

Therefore, using a CloudFormation Guard rule with a Guard Hook is the correct and AWS-recommended solution for enforcing approved EC2 instance types during CloudFormation deployments.