AWS Certified Professional DOP-C02 Exam Questions and Answers PDF

The current design colocates the web tier, database, and cache on the same EC2 instances. This causes resource contention and makes it difficult to scale each layer independently. The correct solution is to separate these concerns into independently scalable managed services.

Option D uses an Application Load Balancer (ALB) in front of an Auto Scaling group for the web application. ALB is designed for HTTP/HTTPS traffic, supports path-based and host-based routing, and can spread load evenly across multiple instances and Availability Zones, eliminating the issue where one instance is overloaded.

The database is migrated to Amazon Aurora with Multi-AZ , which provides high availability, automated failover, and managed backups. Aurora offloads database management and ensures consistent performance.

For caching, Option D introduces Amazon ElastiCache for Redis , a managed in-memory cache that is purpose-built for low-latency reads, independent scaling, and high availability through replication and clustering.

Option A and C misuse NLB for HTTP traffic or for Redis exposure and introduce unnecessary complexity. Option B keeps Redis on EC2 (via NLB + ASG in a single AZ), which reduces availability and does not leverage managed caching.

Thus, Option D best separates tiers and improves performance and availability.

Accessing a secret from AWS Secrets Manager that is encrypted with a customer managed KMS key requires two distinct permission layers to succeed:

Secrets Manager permissions (via IAM) such as secretsmanager:GetSecretValue for the IAM role assumed by the Kubernetes service account.

KMS key usage permissions in the KMS key policy , allowing the same IAM principal to perform kms:Decrypt (and possibly kms:GenerateDataKey ) on the customer managed key.

In this scenario, the service account assumes an IAM role explicitly created to access the secrets. The symptom is an HTTP 403 “Access Denied” when retrieving the secret. If the IAM role has Secrets Manager permissions but the call still fails, the typical root cause is that the KMS key policy does not trust or allow that IAM role , so the decrypt operation fails.

Option B correctly identifies that the KMS key policy must include the Kubernetes service account IAM role as a principal with the appropriate KMS actions.

Option A and C refer to the EKS cluster IAM role, which is not the principal making the call. Option D is unrelated: the role’s ability to “access the EKS cluster” does not affect its ability to call Secrets Manager or KMS. The missing KMS key policy permission is the underlying cause.

Comprehensive and Detailed Explanation From Exact Extract of DevOps Engineer documents only:

During an Amazon ECS service deployment, if tasks fail the Elastic Load Balancing target group health checks, Amazon ECS considers those tasks unhealthy and stops and replaces them. This behavior can cause the deployment to remain incomplete because healthy replacement tasks never become available.

Also, if an essential container in the task exits, the entire task stops. Since the question states that the new tasks enter a stopped state soon after launch, an essential container failure is a direct and highly likely cause.

Why the other options are incorrect:

B. The IAM role used by the DevOps engineer to update the ECS service does not need RunTask permission for the tasks to remain running after launch. A permission issue here would more likely affect the update action itself rather than cause launched tasks to stop shortly afterward.

C. Although CloudWatch Logs configuration problems can affect logging, the missing log group is not the most likely direct reason for ECS tasks to repeatedly stop in this deployment scenario.

D. The task role provides permissions to the application code running inside the container. It is not the role primarily responsible for launching the task. Task startup is typically related to the task execution role, ECS service behavior, container health, and load balancer checks.