AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 338
A company has a web application that is hosted on an Amazon Elastic Kubernetes Service (Amazon EKS) cluster. The EKS cluster runs on AWS Fargate that is available through an internet-facing Application Load Balancer.
The application is experiencing stability issues that lead to longer response times. A DevOps engineer needs to configure observability in Amazon CloudWatch to troubleshoot the issue. The solution must provide only the minimum necessary permissions.
Which combination of steps will meet these requirements? (Choose three.)
Answer options
- A. Deploy the CloudWatch agent as a Kubernetes StatefulSet to the EKS cluster.
- B. Deploy the AWS Distro for OpenTelemetry Collector as a Kubernetes DaemonSet to the EKS cluster.
- C. Associate a Kubernetes service account with an IAM role by using IAM roles for service accounts in Amazon EKS. Use the CloudWatchAgentServerPolicy AWS managed policy.
- D. Associate a Kubernetes service account with an IAM role by using IAM roles for service accounts in Amazon EKS. Use the CloudWatchAgentAdminPolicy AWS managed policy.
- E. Configure an IAM OpenID Connect (OIDC) provider for the EKS cluster.
- F. Enable EKS control plane logging for the EKS cluster.
Correct answer: A, C, F
Explanation
Deploying the CloudWatch agent as a Kubernetes StatefulSet is required because AWS Fargate does not support DaemonSets, which rules out Option B. Associating the Kubernetes service account with an IAM role that carries the CloudWatchAgentServerPolicy managed policy provides the minimum necessary permissions to send metrics to CloudWatch, whereas CloudWatchAgentAdminPolicy grants unnecessary administrative privileges, which rules out Option D. Finally, enabling EKS control plane logging provides essential diagnostic information about cluster performance and API server interactions to help troubleshoot the stability issues.