Free AWS DOP-C02 Actual Exam Questions - Question 12 Discussion

Question No. 12
A company uses Amazon RDS for all databases in its AWS accounts. The company uses AWS Control Tower to build a landing zone that has an audit and logging account. All databases must be encrypted at rest for compliance reasons. The company's security engineer needs to receive notification about any noncompliant databases that are in the company's accounts.
Which solution will meet these requirements with the MOST operational efficiency?
HG
Haris G.
2026-02-20

It’s A because Control Tower guardrails automate compliance checks without extra setup.

0
BS
Brian S.
2026-02-17

A, Control Tower guardrails handle this natively, no custom code needed.

0
OE
Omar E.
2026-02-15

A, since Control Tower’s guardrail directly flags encryption issues without extra coding.

0
LP
Liam P.
2026-02-12

A, since Control Tower guardrails automate compliance checks and alert centrally.

0
LP
Liam P.
2026-02-10

A/B? A looks good for simplicity and central control with Control Tower, but B’s Lambda method might catch edge cases that guardrails miss. Both avoid heavy infra, but B feels more thorough across accounts.

0
LP
Liam P.
2026-02-09

Option D feels too manual and heavy with EC2 and cron jobs, which is less efficient than serverless options. Could the Control Tower guardrail in A really catch every non-encrypted RDS instance automatically, or might some slip through?

0
BO
Brian O.
2026-02-08

I think option B makes sense as well because deploying Lambda functions via StackSets provides a highly scalable and automated way to check encryption status across all accounts. It avoids relying solely on Control Tower guardrails, which might not cover every edge case. Plus, using CloudWatch metrics and alarms is a clean way to centralize notifications without spinning up extra infrastructure like EC2 instances. So from an operational efficiency perspective, B balances automation and coverage pretty well.

0
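The check that Brian O.'s post attributes to option B (a Lambda deployed through StackSets that inspects RDS encryption status and reports through a CloudWatch metric) is shown below as an added example; it is not code from the discussion or from AWS. The input shapes follow the `describe_db_instances` and `describe_db_clusters` responses, but the sample data, the metric namespace and the metric name are constructed for this example, and the boto3 wiring in `lambda_handler` is assumed rather than taken from the page.

```python
"""Evaluate RDS encryption-at-rest compliance and build a CloudWatch metric payload.

Pure evaluation logic is kept separate from the AWS calls so it can be run and
tested offline; lambda_handler shows where the (assumed) boto3 calls would go.
"""
from typing import Dict, List

# Assumed metric namespace/name for this example; not taken from the discussion.
METRIC_NAMESPACE = "Compliance/RDS"
METRIC_NAME = "UnencryptedRDSResources"


def find_unencrypted(instances: List[Dict], clusters: List[Dict]) -> List[Dict]:
    """Return one finding per DB instance or DB cluster whose storage is not encrypted.

    Aurora instances inherit encryption from their cluster, so instances that carry a
    DBClusterIdentifier are skipped here and the cluster record is evaluated instead.
    A missing StorageEncrypted key is treated as not encrypted (fail closed).
    """
    findings = []
    for cluster in clusters:
        if not cluster.get("StorageEncrypted", False):
            findings.append({
                "ResourceType": "cluster",
                "Id": cluster["DBClusterIdentifier"],
                "Arn": cluster.get("DBClusterArn"),
            })
    for instance in instances:
        if "DBClusterIdentifier" in instance:
            continue  # cluster member; covered by the cluster check above
        if not instance.get("StorageEncrypted", False):
            findings.append({
                "ResourceType": "instance",
                "Id": instance["DBInstanceIdentifier"],
                "Arn": instance.get("DBInstanceArn"),
            })
    return findings


def metric_payload(account_id: str, region: str, findings: List[Dict]) -> Dict:
    """Build the keyword arguments for cloudwatch.put_metric_data.

    Emitting a count per account/region (even when it is zero) lets a central alarm
    fire on Sum > 0 and also distinguishes "compliant" from "the check never ran".
    """
    return {
        "Namespace": METRIC_NAMESPACE,
        "MetricData": [{
            "MetricName": METRIC_NAME,
            "Dimensions": [
                {"Name": "AccountId", "Value": account_id},
                {"Name": "Region", "Value": region},
            ],
            "Value": len(findings),
            "Unit": "Count",
        }],
    }


def lambda_handler(event, context):
    """Assumed Lambda entry point: collect RDS state, evaluate, publish the metric."""
    import boto3  # imported here so the pure functions above run without boto3

    rds = boto3.client("rds")
    instances = [i for page in rds.get_paginator("describe_db_instances").paginate()
                 for i in page["DBInstances"]]
    clusters = [c for page in rds.get_paginator("describe_db_clusters").paginate()
                for c in page["DBClusters"]]
    findings = find_unencrypted(instances, clusters)
    account_id = context.invoked_function_arn.split(":")[4]
    region = rds.meta.region_name
    boto3.client("cloudwatch").put_metric_data(**metric_payload(account_id, region, findings))
    return {"noncompliant": findings}


# Constructed sample API responses (trimmed to the fields the check uses).
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "StorageEncrypted": True,
     "DBInstanceArn": "arn:aws:rds:us-east-1:111111111111:db:orders-db"},
    {"DBInstanceIdentifier": "legacy-reports", "StorageEncrypted": False,
     "DBInstanceArn": "arn:aws:rds:us-east-1:111111111111:db:legacy-reports"},
    {"DBInstanceIdentifier": "analytics-node-1", "StorageEncrypted": True,
     "DBClusterIdentifier": "analytics-cluster",
     "DBInstanceArn": "arn:aws:rds:us-east-1:111111111111:db:analytics-node-1"},
]
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "analytics-cluster", "StorageEncrypted": True,
     "DBClusterArn": "arn:aws:rds:us-east-1:111111111111:cluster:analytics-cluster"},
    {"DBClusterIdentifier": "staging-cluster", "StorageEncrypted": False,
     "DBClusterArn": "arn:aws:rds:us-east-1:111111111111:cluster:staging-cluster"},
]

if __name__ == "__main__":
    found = find_unencrypted(SAMPLE_INSTANCES, SAMPLE_CLUSTERS)
    for f in found:
        print(f"NONCOMPLIANT {f['ResourceType']}: {f['Id']}")
    print(metric_payload("111111111111", "us-east-1", found))
```

Run stand-alone, the sample data yields two findings (the `staging-cluster` cluster and the `legacy-reports` instance) and a metric value of 2. Deploying this per account via StackSets and alarming on the metric from the audit account is the option B design the post describes; whether that is more operationally efficient than the Control Tower detective control in option A is the question the thread is debating.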
BO
Brian O.
2026-02-03

It’s B because Lambda functions scale well across accounts without extra infra to manage.

0
BO
Brian O.
2026-01-27

Probably B makes sense too because Lambda with StackSets automates checks everywhere and uses CloudWatch for alerts. This avoids manual setup and keeps things scalable without extra EC2 management.

0
AX
Andre X.
2026-01-25

Option A seems best since Control Tower guardrails handle compliance automatically and route events centrally, avoiding the extra setup and maintenance of Lambda or EC2. It’s definitely more operationally efficient.

0
AX
Andrew X.
2026-01-21

Maybe B. Using Lambda with StackSets automates checks across accounts without manual setup, so it scales well and avoids the overhead of EC2 maintenance or custom Config rules.

0
HN
Haris N.
2026-01-16

Is the question implying that the notification system needs to be centralized in the audit and logging account? If so, options B and D seem more distributed or manual. Also, does Control Tower’s guardrail cover all RDS encryption modes, or only default settings? Could the custom AWS Config rule in option C be more flexible across accounts, or does it add too much maintenance overhead? Wondering if enabling the Control Tower detective guardrail (option A) is enough for this use case without extra Lambda or EC2 work. Is there any detail about whether existing detective controls are already in pl

0