Amazon DOP-C02 Exam - Topic 3 Question 16 Discussion

Actual exam question for Amazon's DOP-C02 exam

Question #: 16
Topic #: 3

A DevOps engineer is implementing governance controls for a company that requires its infrastructure to be housed within the United States. The engineer must restrict which AWS Regions can be used, and ensure an alert is sent as soon as possible if any activity outside the governance policy takes place. The controls should be automatically enabled on any new Region outside the United States (US).

Which combination of actions will meet these requirements? (Select TWO.)

ACreate an AWS Organizations SCP that denies access to all non-global services in non-US Regions. Attach the policy to the root of the organization.

BConfigure AWS CloudTrail to send logs to Amazon CloudWatch Logs and enable it for all Regions. Use a CloudWatch Logs metric filter to send an alert on any service activity in non-US Regions.

CUse an AWS Lambda function that checks for AWS service activity and deploy it to all Regions. Write an Amazon EventBridge rule that runs the Lambda function every hour, sending an alert if activity is found in a non-US Region.

DUse an AWS Lambda function to query Amazon Inspector to look for service activity in non-US Regions and send alerts if any activity is found.

EWrite an SCP using the aws: RequestedRegion condition key limiting access to US Regions. Apply the policy to all users, groups, and roles

Show Suggested Answer

Suggested Answer: A, B

To implement governance controls that restrict AWS service usage to within the United States and ensure alerts for any activity outside the governance policy, the following actions will meet the requirements:

A) Create an AWS Organizations SCP that denies access to all non-global services in non-US Regions. Attach the policy to the root of the organization.This action will effectively prevent users and roles in all accounts within the organization from accessing services in non-US Regions12.

B) Configure AWS CloudTrail to send logs to Amazon CloudWatch Logs and enable it for all Regions. Use a CloudWatch Logs metric filter to send an alert on any service activity in non-US Regions.This action will allow monitoring of all AWS Regions and will trigger alerts if any activity is detected in non-US Regions, ensuring that the governance team is notified as soon as possible3.

AWS Documentation on Service Control Policies (SCPs) and how they can be used to manage permissions and restrict access based on Regions12.

AWS Documentation on monitoring CloudTrail log files with Amazon CloudWatch Logs to set up alerts for specific activities3.

by Ammie at Dec 26, 2023, 10:47 AM

Limited Time Offer

25%

Off

Get Premium DOP-C02 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Sommer

3 months ago

I disagree, D doesn't seem relevant to the governance controls needed.

upvoted 0 times

...

Sheron

3 months ago

Wait, can you really restrict regions like that? Sounds tricky!

upvoted 0 times

...

Raina

3 months ago

Not sure about C, seems a bit overkill for just checking regions.

upvoted 0 times

...

Tora

4 months ago

I think B is also a good option for monitoring.

upvoted 0 times

...

Arthur

4 months ago

Definitely A and E, those are solid choices!

upvoted 0 times

...

Anabel

4 months ago

I feel like option E is definitely a strong choice for restricting access, but I’m not completely convinced about the alerting part. Maybe B or C would be better for that?

upvoted 0 times

...

Cristy

4 months ago

I think option C is interesting because it involves a Lambda function and EventBridge, but I’m not sure if it’s the most efficient way to enforce the governance policy.

upvoted 0 times

...

Effie

4 months ago

I'm a bit unsure about the best way to monitor activity. I feel like option B makes sense with CloudTrail and CloudWatch, but I also recall something about Lambda functions from a practice question.

upvoted 0 times

...

Mattie

5 months ago

I remember we discussed using Service Control Policies (SCPs) in class. I think option A or E could be right since they both seem to restrict access to non-US Regions.

upvoted 0 times

...

Tanesha

5 months ago

This question looks tricky, but I think I can handle it. I'm leaning towards a combination of the SCP approach (option E) and the Lambda function to monitor for activity (option C). That should give us the control and visibility we need.

upvoted 0 times

...

Toi

5 months ago

Okay, I think I've got a good strategy for this. I'll go with option B to set up CloudTrail logging and CloudWatch alerts, and then option E to create an SCP to limit access to US Regions. That should cover the key requirements.

upvoted 0 times

...

Reuben

5 months ago

Hmm, I'm a bit unsure about the best approach here. There are a few options presented, and I'm not sure which combination would be the most effective. I'll need to carefully review the details of each choice.

upvoted 0 times

...

Ciara

5 months ago

This seems like a straightforward question about implementing governance controls for AWS infrastructure. I think the key is to restrict access to non-US Regions and set up alerts for any activity outside the policy.

upvoted 0 times

...

Loren

5 months ago

Wait, is it the central limit theorem? That's a big deal in statistics too. I'm a little unsure, but I'll go with that for now and see if it makes sense.

upvoted 0 times

...

Dulce

5 months ago

Okay, I think I've got this. The key is understanding how Outlook handles task updates received via email. I'll analyze each option and choose the one that best fits the scenario.

upvoted 0 times

...

Adelina

5 months ago

I'm not entirely sure about this one. I'll need to review my notes on vendor selection for custom-developed products to make sure I'm answering correctly.

upvoted 0 times

...

Stefanie

2 years ago

Haha, I like how they're really trying to trip us up with these options. D is just wild, using Amazon Inspector to look for activity? That seems like overkill. And E, while it might work, feels a bit too restrictive. I'd rather have the visibility and alerting that B and C provide.

upvoted 0 times

Scarlet

2 years ago

Agreed, it's better to be safe than sorry.

upvoted 0 times

...

Jani

2 years ago

It's important to have precise governance controls in place.

upvoted 0 times

...

Dannette

2 years ago

I like the idea of being alerted on any non-US region activity.

upvoted 0 times

...

Sherill

2 years ago

Definitely, having CloudTrail logs and Lambda function checks seem more practical.

upvoted 0 times

...

Erinn

2 years ago

I think B and C offer better visibility and alerting.

upvoted 0 times

...

Lou

2 years ago

Yeah, using Amazon Inspector feels like a bit too much.

upvoted 0 times

...

Daniel

2 years ago

I agree, D does seem a bit extreme.

upvoted 0 times

...

Merlyn

2 years ago

What about C? Using a Lambda function to check for activity in non-US regions could work too, and it gives us a bit more flexibility than the SCP approach. Plus, the EventBridge rule to run it hourly is a nice way to keep an eye on things.

upvoted 0 times

...

Mona

2 years ago

Yeah, I agree. A and B both seem like solid options, but I'm leaning more towards B since it gives us that centralized logging and alerting capability. Sending an alert as soon as possible is crucial, so I like the CloudWatch Logs metric filter idea.

upvoted 0 times

...

Stanford

2 years ago

Hmm, this is an interesting one. Let's see, I think the key here is to restrict access to non-US regions and set up some kind of alert mechanism. The SCP option in A sounds promising, but I'm not sure if it covers all the non-global services. And B seems like a good way to monitor activity, but we'd need to figure out how to filter for just the non-US regions.

upvoted 0 times

...