DOP-C02 Question #398: Real Exam Question with Answer & Explanation
Question
A company has multiple development teams in separate business units that work in a single shared AWS account. All Amazon EC2 resources that users create in the account must include tags that specify which user created the resources. The tagging must occur within the first hour of resource creation. A DevOps engineer needs to add tags to new resources that include the ID of the user that created the resource and the appropriate cost center ID. The DevOps engineer configures an AWS Lambda function to use the cost center mappings to tag the resources. The DevOps engineer also sets up AWS CloudTrail in the shared AWS account. An Amazon S3 bucket stores the CloudTrail event logs. Which solution will meet the tagging requirements?
Options
- A. Create an S3 event notification on the S3 bucket to invoke the Lambda function for
- B. Enable server access logging on the S3 bucket. Create an S3 event notification on the S3 bucket
- C. Enable AWS Config in the account. Configure the required-tags AWS managed rule to check and
- D. Create an Amazon EventBridge rule that uses Amazon EC2 as the event source. Configure the
Explanation
Option D is correct. Creating an Amazon EventBridge rule that monitors EC2 API calls (such as RunInstances) in near-real-time allows the Lambda function to be triggered immediately when a new EC2 resource is created, capturing the user ID from the CloudTrail event data and applying the appropriate tags well within the one-hour requirement.
Why the others are wrong:
- Option A relies on S3 event notifications from CloudTrail log delivery, which introduces significant delay (CloudTrail logs are typically delivered to S3 every 5–15 minutes, plus processing time), making it unreliable for the one-hour tagging window and adding unnecessary complexity.
- Option B adds server access logging on top of S3, which tracks S3 bucket access rather than EC2 resource creation events - this is irrelevant to the tagging requirement and adds no value.
- Option C: AWS Config's required-tags rule checks for tag compliance but does not automatically apply tags; it only reports non-compliant resources, so it doesn't fulfill the automated tagging requirement.
Memory Tip: Think "EventBridge = Real-Time Reactions." Whenever you need to immediately respond to AWS API events (like EC2 creation), EventBridge is your go-to service - it captures CloudTrail events in near-real-time and triggers Lambda directly, bypassing the S3 delivery delay entirely.
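To make the EventBridge-to-Lambda flow concrete, here is an added example (not code from the exam page): the EventBridge event pattern that matches the CloudTrail RunInstances call, and a Lambda handler that reads the caller identity and the new instance IDs from the event detail and tags them with the creator and a cost center. The cost-center mapping, the user and role names, the account ID and the instance ID are constructed placeholders; the CloudTrail-via-EventBridge event shape is the documented one.

```python
"""Tag newly launched EC2 instances with the creating user's ID and cost center.

Added example (not from the exam page): a Lambda handler invoked by an
EventBridge rule that matches the CloudTrail "RunInstances" API call. The
cost-center mapping, user/role names, account ID and instance ID below are
constructed placeholders.
"""
import json
from typing import Dict, List, Optional

# EventBridge rule event pattern (assumed; matches what option D describes).
EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": ["RunInstances"],
    },
}

# Hypothetical cost-center mapping; a real deployment would load it from
# Parameter Store, a DynamoDB table or an environment variable.
COST_CENTER_MAP: Dict[str, str] = {
    "alice": "CC-1001",
    "DeployRole": "CC-2002",
}
DEFAULT_COST_CENTER = "CC-UNMAPPED"


def caller_id(user_identity: dict) -> str:
    """Return a stable identifier for whoever made the API call.

    IAM users carry userName directly; assumed-role sessions carry the role
    name under sessionContext.sessionIssuer; fall back to the ARN, then principalId.
    """
    if user_identity.get("userName"):
        return user_identity["userName"]
    issuer = user_identity.get("sessionContext", {}).get("sessionIssuer", {})
    if issuer.get("userName"):
        return issuer["userName"]
    arn = user_identity.get("arn")
    if arn:
        return arn.rsplit("/", 1)[-1]
    return user_identity.get("principalId", "unknown")


def extract_instance_ids(detail: dict) -> List[str]:
    """Instance IDs from the RunInstances responseElements."""
    items = detail.get("responseElements", {}).get("instancesSet", {}).get("items", [])
    return [item["instanceId"] for item in items if "instanceId" in item]


def build_tags(event: dict) -> Optional[dict]:
    """Compute the CreateTags request for one EventBridge/CloudTrail event.

    Returns None for anything that is not a successful RunInstances call
    (wrong eventName, an errorCode present, or no instances in the response).
    """
    detail = event.get("detail", {})
    if detail.get("eventName") != "RunInstances" or detail.get("errorCode"):
        return None
    ids = extract_instance_ids(detail)
    if not ids:
        return None
    user = caller_id(detail.get("userIdentity", {}))
    return {
        "Resources": ids,
        "Tags": [
            {"Key": "CreatedBy", "Value": user},
            {"Key": "CostCenter", "Value": COST_CENTER_MAP.get(user, DEFAULT_COST_CENTER)},
        ],
    }


def handler(event: dict, context=None, ec2_client=None) -> dict:
    """Lambda entry point. ec2_client is injectable so the logic can be
    exercised offline; in Lambda leave it None and boto3 is used."""
    request = build_tags(event)
    if request is None:
        return {"tagged": []}
    if ec2_client is None:
        import boto3  # present in the Lambda Python runtime
        ec2_client = boto3.client("ec2")
    ec2_client.create_tags(**request)
    return {"tagged": request["Resources"]}


# Constructed sample event in the shape EventBridge delivers CloudTrail calls.
SAMPLE_EVENT = {
    "source": "aws.ec2",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROAEXAMPLE:deploy-session",
            "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/deploy-session",
            "sessionContext": {"sessionIssuer": {"userName": "DeployRole"}},
        },
        "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}},
    },
}

if __name__ == "__main__":
    print(json.dumps(build_tags(SAMPLE_EVENT), indent=2))
```

Two details matter in practice: the rule only receives these events in regions where CloudTrail is logging management events (the question states the trail is set up), and the handler ignores calls with an errorCode so that failed launches are never tagged. The Lambda execution role needs ec2:CreateTags on the instances it tags.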