DOP-C02 Exam Dumps : AWS Certified DevOps Engineer - Professional

To archive CloudWatch Logs to S3 with long-term retention, you need:

a streaming mechanism to move data from CloudWatch Logs to S3, and

an S3 Lifecycle policy to handle tiering and expiration.

Option B uses a CloudWatch Logs subscription filter that targets Amazon Data Firehose . Firehose provides managed, scalable streaming from CloudWatch Logs to S3 with optional buffering and transformation. This is the AWS-recommended pattern for exporting continuous log streams with minimal operational overhead. Option C is not valid because CloudWatch Logs subscription filters cannot directly target S3; they must target Kinesis, Firehose, or Lambda.

Once logs are in S3, the company wants to keep them rarely accessed after 90 days and retained for 10 years. Option D configures an S3 lifecycle policy to transition logs to S3 Glacier Instant Retrieval after 90 days, which is a low-cost archival tier with relatively fast access, and to expire (delete) logs after 3,650 days (10 years). This precisely matches the retention requirement.

Option E uses Reduced Redundancy, which is a legacy storage class and not optimized for long-term archival. Therefore, the correct combination is B and D .

Service-managed StackSets are the correct low-overhead deployment model when AWS Organizations trusted access is enabled. CloudFormation creates and manages the required StackSet execution roles, so self-managed permissions are unnecessary. However, AWS explicitly states that service-managed StackSets do not deploy stacks to the organization management account, even if the management account is part of the organization or belongs to an OU. Therefore, targeting the root OU deploys to the member accounts, but the management account still needs a separate normal CloudFormation stack. Option B is the only answer that covers both the member accounts and the management account with the least operational overhead. Option A misses the management account, while C and D require unnecessary self-managed role administration.

================

SCPs (Service Control Policies) are the best way to restrict permissions at the organizational level, which in this case would be used to restrict modifications to the IAM role used by the auditing application, while still allowing trusted administrators to make changes to it. Options C and D are not as effective because IAM permission boundaries are applied to IAM entities (users, groups, and roles), not the account itself, and must be applied to all IAM entities in the account.