Changed DOP-C02 Exam Questions

Comprehensive & Detailed Explanation (150–250 words):

AWS Control Tower provides Account Factory and Account Factory Customizations (AFC) as the lowest-overhead and most scalable method for creating and configuring new accounts. AFC allows you to define blueprints that include mandatory baseline resources such as IAM roles, logging configurations, guardrails, network settings, and tagging standards. When accounts are created through Account Factory using a customization blueprint, all controls and baseline configurations are applied automatically during provisioning, without any additional automation steps or StackSet deployments.

Option B requires running StackSets after the account is created, which adds manual management overhead and defeats the built-in automation advantages of Control Tower. Options C and D rely on manually provisioning accounts via AWS Organizations, which bypasses Control Tower’s governance and would require custom Lambda or StackSet automation to replicate controls that Control Tower already provides automatically.

Because the question explicitly asks for the least operational overhead, the correct answer is to use the Control Tower AFC blueprint, ensuring every account is born compliant with the required guardrails and baseline configuration.

When you create a pipeline from CodePipeline during the step-by-step it creates a CloudWatch Event rule for a given branch and repo

like this:

{

"source": [

"aws.codecommit"

],

"detail-type": [

"CodeCommit Repository State Change"

],

"resources": [

"arn:aws:codecommit:us-east-1:xxxxx:repo-name"

],

"detail": {

"event": [

"referenceCreated",

"referenceUpdated"

],

"referenceType": [

"branch"

],

"referenceName": [

"master"

]

}

}

Refactor User Data to Use cfn-init and cfn-hup:

cfn-init helps to bootstrap the instance, installing packages and starting services.

cfn-hup is a daemon that can monitor metadata changes and re-apply configurations when necessary.

Example user data script with cfn-init:

#!/bin/bash

yum update -y

yum install -y aws-cfn-bootstrap

/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource WebServer --region ${AWS::Region}

/opt/aws/bin/cfn-hup

Use Systems Manager State Manager:

State Manager can automatically apply an AWS Systems Manager document to instances at regular intervals, ensuring configurations are kept up-to-date.

Steps:

Create an SSM document that installs and configures your application.

Use State Manager to associate this document with your EC2 instances.

Example SSM document:

{

"schemaVersion": "2.2",

"description": "Install My Application",

"mainSteps": [

{

"action": "aws:runShellScript",

"name": "installApplication",

"inputs": {

"runCommand": [

"yum install -y my-application"

]

}

}

]

}

Create State Manager association:

aws ssm create-association --name "InstallMyApplication" --instance-id --document-version "\$LATEST"

Comprehensive and Detailed Explanation From Exact Extract:

Amazon CloudWatch Logs now supports data protection policies that can mask sensitive data in logs at ingestion time using custom data identifiers. By creating a custom data identifier matching the employee ID pattern (Emp-\d{6}), the administrator can mask those patterns in new log entries automatically.

Assigning an IAM policy that denies the logs:Unmask action to engineers prevents them from seeing unmasked sensitive data, enforcing least privilege access.

This approach is operationally efficient because it uses built-in CloudWatch Logs data protection capabilities without the need for complex custom code or manual log filtering.

Option C requires writing and managing Lambda functions for log transformation, increasing operational overhead. Option D is more complex and reactive rather than preventing the sensitive data exposure. Option B incorrectly references NotAction and managed identifiers that may not match the custom pattern.