
DOP-C02 Question #256: Real Exam Question with Answer & Explanation

The correct answer is B: Set up S3 replication between the production S3 bucket and the development S3 bucket. Activate.

Submitted by fatima_kr · Mar 6, 2026 · Security & Compliance

Question

A company has an application that stores data that includes personally identifiable information (PII) in an Amazon S3 bucket. All data is encrypted with AWS Key Management Service (AWS KMS) customer managed keys. All AWS resources are deployed from an AWS CloudFormation template. A DevOps engineer needs to set up a development environment for the application in a different AWS account. The data in the development environment's S3 bucket needs to be updated once a week from the production environment's S3 bucket. The company must not move PII from the production environment without anonymizing the PII first. The data in each environment must be encrypted with different KMS customer managed keys. Which combination of steps should the DevOps engineer take to meet these requirements? (Choose two.)

Options

  • A. Activate Amazon Macie on the S3 bucket in the production account. Create an AWS Step
  • B. Set up S3 replication between the production S3 bucket and the development S3 bucket. Activate
  • C. Set up an S3 Batch Operations job to copy files from the production S3 bucket to the
  • D. Create a development environment from the CloudFormation template in the development
  • E. Create a development environment from the CloudFormation template in the development

Explanation

Options B and D work together to meet all requirements: D establishes the development environment using the existing CloudFormation template in a separate AWS account with its own KMS customer managed keys, ensuring environment isolation and encryption separation. B sets up S3 replication between the production and development buckets, and by activating Amazon Macie alongside the replication configuration with a Lambda function or data transformation step, PII can be detected and anonymized before data lands in the development bucket - satisfying the weekly sync and PII anonymization requirements.

Why the distractors are wrong: Option A alone (using Macie with Step Functions) doesn't address the actual data transfer or development environment setup - it's only a detection mechanism without a complete solution. Option C (S3 Batch Operations) could copy files but doesn't natively handle PII anonymization or ensure different KMS keys are used automatically. Option E appears to be a duplicate or variation of D without the critical replication component, making it incomplete on its own.

💡 Memory Tip: Think "Build then Replicate Safely" - first Build the dev environment from the same CloudFormation template (D), then Replicate data with Macie activated to catch and anonymize PII before it moves (B). Macie = detection, Replication = transfer; you need both for a compliant data pipeline.

Topics

#PII Anonymization #S3 Replication #AWS KMS #CloudFormation
