AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 365
A company has multiple development teams in separate business units that work in a single shared AWS account. All Amazon EC2 resources that users create in the account must include tags that specify which user created the resources. The tagging must occur within the first hour of resource creation.
A DevOps engineer needs to add tags to new resources that include the ID of the user that created the resource and the appropriate cost center ID. The DevOps engineer configures an AWS Lambda function to use the cost center mappings to tag the resources. The DevOps engineer also sets up AWS CloudTrail in the shared AWS account. An Amazon S3 bucket stores the CloudTrail event logs.
Which solution will meet the tagging requirements?
Answer options
- A. Create an S3 event notification on the S3 bucket to invoke the Lambda function for s3:ObjectTagging:Put events. Enable bucket versioning on the S3 bucket.
- B. Enable server access logging on the S3 bucket. Create an S3 event notification on the S3 bucket for s3:ObjectTagging:* events.
- C. Enable AWS Config in the account. Configure the required-tags AWS managed rule to check and update the required tags.
- D. Create an Amazon EventBridge rule that uses Amazon EC2 as the event source. Configure the rule to match events that CloudTrail delivers. Configure the rule to target the Lambda function.
Correct answer: D
Explanation
Amazon EventBridge can match EC2 API calls that AWS CloudTrail delivers in near-real time and invoke the AWS Lambda function to apply the required tags immediately after the resource is created, well within the one-hour window. The CloudTrail event also carries the caller's identity (userIdentity), which the function needs for the creator tag. Options A and B are incorrect because S3 event notifications for s3:ObjectTagging events fire when tags are put on objects in the bucket; they do not surface the EC2 creation events recorded inside the CloudTrail log objects. Option C is incorrect because the AWS Config required-tags managed rule can flag resources that lack the tags, but it does not extract the creator's identity from CloudTrail or apply the tags itself.
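The following is an added example, not code from the question or from AWS, of what the option D pipeline looks like in practice: the EventBridge event pattern that matches the CloudTrail-delivered RunInstances call, and a Lambda handler that pulls the caller out of the event's userIdentity, looks up the cost center, and tags the new instances. The event pattern, the cost-center mapping, the tag keys (CreatedBy, CostCenter) and the sample event are all assumptions constructed for this example; the event shape follows the CloudTrail record as EventBridge delivers it in the detail field.

```python
"""Tag newly created EC2 instances with their creator and cost center.

Added example: an EventBridge rule matches the CloudTrail RunInstances
event and invokes this Lambda function. The cost-center mapping, tag keys
and sample event below are constructed for illustration.
"""
from typing import Dict, List

# Assumed EventBridge rule pattern: EC2 API calls delivered via CloudTrail
# whose eventName is RunInstances (the call that creates instances).
EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": ["RunInstances"],
    },
}

# Constructed cost-center mapping: IAM principal name -> cost center ID.
COST_CENTERS = {"alice": "CC-1001", "bob": "CC-2002"}
DEFAULT_COST_CENTER = "CC-UNMAPPED"


def matches_event_pattern(event: Dict, pattern: Dict = EVENT_PATTERN) -> bool:
    """Minimal model of EventBridge matching: every field named in the pattern
    must be present in the event with one of the pattern's listed values."""
    for key, expected in pattern.items():
        value = event.get(key)
        if isinstance(expected, dict):
            if not isinstance(value, dict) or not matches_event_pattern(value, expected):
                return False
        elif value not in expected:
            return False
    return True


def principal_name(user_identity: Dict) -> str:
    """Return a stable caller identifier from CloudTrail's userIdentity block.
    IAM users: userName. Assumed roles: the session name after the last '/'.
    Falls back to principalId so the tag value is never empty."""
    if user_identity.get("type") == "IAMUser":
        return user_identity.get("userName") or user_identity.get("principalId", "unknown")
    arn = user_identity.get("arn", "")
    if arn:
        return arn.rsplit("/", 1)[-1]
    return user_identity.get("principalId", "unknown")


def instance_ids(detail: Dict) -> List[str]:
    """Extract the created instance IDs from the RunInstances responseElements."""
    items = detail.get("responseElements", {}).get("instancesSet", {}).get("items", [])
    return [i["instanceId"] for i in items if "instanceId" in i]


def build_tags(detail: Dict, cost_centers: Dict[str, str]) -> List[Dict[str, str]]:
    """Build the two required tags from the event and the cost-center mapping."""
    creator = principal_name(detail.get("userIdentity", {}))
    cost_center = cost_centers.get(creator, DEFAULT_COST_CENTER)
    return [{"Key": "CreatedBy", "Value": creator}, {"Key": "CostCenter", "Value": cost_center}]


def lambda_handler(event: Dict, context=None) -> Dict:
    """Lambda entry point invoked by the EventBridge rule."""
    detail = event.get("detail", {})
    # A failed RunInstances call (errorCode set) created nothing to tag.
    if detail.get("eventName") != "RunInstances" or detail.get("errorCode"):
        return {"tagged": [], "tags": []}
    ids = instance_ids(detail)
    tags = build_tags(detail, COST_CENTERS)
    if ids:
        import boto3  # imported here so the parsing logic runs without the SDK installed
        boto3.client("ec2").create_tags(Resources=ids, Tags=tags)
    return {"tagged": ids, "tags": tags}


# Constructed sample event in the shape EventBridge delivers for CloudTrail;
# the account ID and principal ID are placeholder values.
SAMPLE_EVENT = {
    "source": "aws.ec2",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "userIdentity": {
            "type": "IAMUser",
            "principalId": "AIDAEXAMPLEPRINCIPAL",
            "userName": "alice",
            "arn": "arn:aws:iam::123456789012:user/alice",
        },
        "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}},
    },
}
```

The handler reads the creator from the event itself rather than from the CloudTrail objects in S3, which is why the EventBridge path meets the one-hour requirement without any log parsing. Because EventBridge delivers one event per API call, a single RunInstances that launches several instances is tagged in one create_tags call.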