Amazon Web Services Updated DOP-C02 Exam Questions and Answers by emil

https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-abac.html

EKS control plane nodes are fully managed by AWS and are not accessible for configuration, SSH, SSM commands, or custom workloads. Therefore, any prefetching of container images must occur on the worker nodes (EC2 instances in the node groups) because those are the machines that pull and cache container images before running pods.

Option C is the only solution that aligns with AWS architecture:

It creates an IAM role allowing Systems Manager Run Command to execute on EC2 worker nodes.

It uses node group tags to target the correct nodes dynamically.

State Manager runs the prefetch script whenever triggered by the EventBridge automation — ensuring newly added nodes pre-pull images and reduce cold-start latency to seconds.

Options A and D are invalid because you cannot run Systems Manager commands on EKS control plane nodes; AWS manages them and does not expose them. Option B incorrectly targets node groups based on machine size, which does not provide reliable node identification or filtering.

Thus, Option C provides the correct, scalable, and supported method for prefetching images across all worker nodes.

These solutions will meet the requirement because they will prevent the loss of notification messages in the future. An Amazon SQS queue is a service that provides a reliable, scalable, and secure message queue for asynchronous communication between distributed components. You can use an SQS queue to buffer messages from an SNS topic and ensure that they are delivered and processed by a Lambda function, even if the function or the database is temporarily unavailable.

Option C will configure an SQS dead-letter queue for the SNS topic. A dead-letter queue is a queue that receives messages that could not be delivered to any subscriber after a specified number of retries. You can use a dead-letter queue to store and analyze failed messages, or to reprocess them later. This way, you can avoid losing messages that could not be delivered to the Lambda function due to network errors, throttling, or other issues.

Option D will subscribe an SQS queue to the SNS topic and configure the Lambda function to process messages from the SQS queue. This will decouple the SNS topic from the Lambda function and provide more flexibility and control over the message delivery and processing. You can use an SQS queue to store messages from the SNS topic until they are ready to be processed by the Lambda function, and also to retry processing in case of failures. This way, you can avoid losing messages that could not be processed by the Lambda function due to database errors, timeouts, or other issues.

The correct answer is C. Configuring AWS CloudTrail to send log data events to an Amazon CloudWatch Logs log group and creating a CloudWatch logs metric filter to match failed ConsoleLogin events is the simplest and most efficient way to monitor and alert on failed login attempts. Creating a CloudWatch alarm that is based on the metric filter and configuring an alarm action to send messages to the SNS topic will ensure that the security team is notified when multiple failed login attempts occur. This solution requires the least operational effort compared to the other options.

Option A is incorrect because it involves configuring AWS CloudTrail to send log management events instead of log data events. Log management events are used to track changes to CloudTrail configuration, such as creating, updating, or deleting a trail. Log data events are used to track API activity in AWS accounts, such as login attempts. Therefore, option A will not capture the failed ConsoleLogin events.

Option B is incorrect because it involves creating an Amazon Athena query and two Amazon EventBridge rules to monitor and alert on failed login attempts. This is a more complex and costly solution than using CloudWatch logs and alarms. Moreover, option B relies on the query returning a failure, which may not happen if the query is executed successfully but does not find any failed logins.

Option D is incorrect because it involves configuring AWS CloudTrail to send log data events to an Amazon S3 bucket and configuring an Amazon S3 event notification for the s3:ObjectCreated event type. This solution will not work because the s3:ObjectCreated event type does not allow filtering by ConsoleLogin failed events. The event notification will be triggered for any object created in the S3 bucket, regardless of the event type. Therefore, option D will generate a lot of false positives and unnecessary notifications.

AWS CloudTrail Log File Examples

Creating CloudWatch Alarms for CloudTrail Events: Examples

Monitoring CloudTrail Log Files with Amazon CloudWatch Logs