DOP-C02 Exam Dumps : AWS Certified DevOps Engineer - Professional

A comprehensive and detailed explanation is:

Option A is incorrect because EventBridge rules cannot filter events based on the message body or attributes of the target service. Therefore, configuring an SNS subscription filter policy to match the CloudFormation stack will not work. The SNS topic will receive all events from the EventBridge rule, regardless of the stack name or drift status.

Option B is incorrect because it introduces unnecessary complexity and cost. Creating a second Lambda function to query the CloudFormation API for the drift detection results is redundant, since CloudFormation already publishes drift detection events to EventBridge. Moreover, invoking two Lambda functions every hour will incur more charges than invoking one.

Option C is incorrect because GuardDuty does not provide drift detection for CloudFormation stacks. GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior in AWS accounts and workloads. It does not monitor or report on configuration changes or drifts in CloudFormation stacks.

Option D is correct because it leverages AWS Config and its managed rule for drift detection. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It can detect configuration changes and drifts in CloudFormation stacks using the cloudformation-stack-drift-detection-check managed rule. This rule triggers an AWS Config event when a stack drifts from its expected template configuration. By creating a second EventBridge rule that reacts to this event for the specific stack, the DevOps engineer can configure the SNS topic as a target and receive a notification as soon as possible when drift is detected.

Comprehensive and Detailed Explanation From Exact Extract:

To restrict access to S3 buckets so that only IAM principals from within the AWS Organization can access them, anSCP(Service Control Policy) with conditions using the aws:PrincipalAccount or preferably aws:PrincipalOrgID can be applied at the OU level.

SCPs restrict the maximum permissions for IAM entities in member accounts and can be used to enforce access control policies across accounts.

The aws:PrincipalAccount condition restricts access to principals from specific accounts, while aws:PrincipalOrgID restricts based on the organization ID.

IAM permissions boundaries (Option B) cannot be applied organization-wide and do not enforce restrictions across accounts.

AWS RAM (Option C) is for sharing resources but does not restrict S3 bucket access based on organizational principals.

There is no such thing as an RCP in AWS Organizations (Option D is invalid).