DOP-C02 Exam Dumps : AWS Certified DevOps Engineer - Professional

The requirements clearly indicate the need for modern CodePipeline capabilities, strict execution ordering, Git tag–based triggers, and loose coupling between pipelines. CodePipeline V2 introduces execution modes such as QUEUED and SUPERSEDED, along with native support for advanced trigger filtering when using AWS CodeConnections.

The requirement that the pipeline must wait for the previous run to finish directly maps to QUEUED mode, which ensures that pipeline executions run sequentially rather than replacing in-progress executions. SUPERSEDED mode would cancel the running execution, which violates the requirement.

Triggering the pipeline when new Git tags are pushed is supported through CodePipeline V2 trigger filters using refs/tags/*. Branch-based triggers would not satisfy this condition.

Finally, the requirement that an existing deployment pipeline runs in response to new container images is best met using Amazon EventBridge, which natively emits events for ECR image push actions. EventBridge allows decoupled, event-driven orchestration between pipelines without tight dependencies or custom scripting. This is the AWS-recommended approach for pipeline-to-pipeline coordination.

Options C and D rely on CodePipeline V1, which lacks modern trigger filtering and execution control. Option B incorrectly uses SUPERSEDED mode and branch-based triggers.

Therefore, Option A correctly combines CodePipeline V2, QUEUED execution mode, tag-based triggers, and EventBridge-driven pipeline chaining, meeting all requirements with best practices and minimal operational complexity.

Short Explanation: To meet the requirements, the DevOps engineer should update the SAML assertion to pass the user’s team name, update the IAM role’s trust policy to add an access-team session tag that has the team name, create an IAM permissions boundary in each account, and for each CodeCommit repository, add an access-team tag that has the value set to the name of the associated team.

Updating the SAML assertion to pass the user’s team name allows the DevOps engineer to use IAM tags to identify which team a user belongs to. This can help enforce fine-grained access control based on the user’s team membership1.

Updating the IAM role’s trust policy to add an access-team session tag that has the team name allows the DevOps engineer to use IAM condition keys to restrict access based on the session tag value2. For example, the DevOps engineer can use the aws:PrincipalTag condition key to match the access-team tag of the user with the access-team tag of the repository3.

Creating an IAM permissions boundary in each account allows the DevOps engineer to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity’s permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries4. For example, the DevOps engineer can use a permissions boundary policy to limit the actions that a user can perform on CodeCommit repositories based on their access-team tag5.

For each CodeCommit repository, adding an access-team tag that has the value set to the name of the associated team allows the DevOps engineer to use resource tags to identify which team manages a repository. This can help enforce fine-grained access control based on the resource tag value6.

The other options are incorrect because:

Creating an approval rule template for each team in the Organizations management account is not a valid option, as approval rule templates are not supported by AWS Organizations. Approval rule templates are specific to CodeCommit and can only be associated with one or more repositories in the same AWS Region where they are created7.

Creating an approval rule template for each account is not a valid option, as approval rule templates are not designed to restrict access to modify branches. Approval rule templates are designed to require approvals from specified users or groups before merging pull requests8.

Attaching an SCP to the accounts is not a valid option, as SCPs are not designed to restrict access based on tags. SCPs are designed to restrict access based on service actions and resources across all users and roles in an organization’s account9.

The best solution to log and review all stopped tasks for errors is to use Amazon EventBridge and Amazon CloudWatch Logs. Amazon EventBridge allows the DevOps engineer to create a rule that matches task state change events from Amazon ECS. The rule can then send the event data to Amazon CloudWatch Logs as the target. Amazon CloudWatch Logs can store and monitor the log data, and also provide CloudWatch Logs Insights, a feature that enables the DevOps engineer to interactively search and analyze the log data. Using CloudWatch Logs Insights, the DevOps engineer can filter and aggregate the log data based on various fields, such as cluster, task, container, and reason. This way, the DevOps engineer can easily identify and investigate the stopped tasks and their errors.

The other options are not as effective or efficient as the solution in option A. Option B is not suitable because the embedded metric format is designed for custom metrics, not for logging task state changes. Option C is not feasible because the EC2 instances do not store the task state change events in their logs. Option D is not relevant because the EC2_INSTANCE_TERMINATING lifecycle hook is triggered when an EC2 instance is terminated by the Auto Scaling group, not when a task is stopped by Amazon ECS.

Creating a CloudWatch Events Rule That Triggers on an Event - Amazon Elastic Container Service

Sending and Receiving Events Between AWS Accounts - Amazon EventBridge

Working with Log Data - Amazon CloudWatch Logs

Analyzing Log Data with CloudWatch Logs Insights - Amazon CloudWatch Logs

Embedded Metric Format - Amazon CloudWatch

Amazon EC2 Auto Scaling Lifecycle Hooks - Amazon EC2 Auto Scaling