Free AWS DOP-C02 Actual Exam Questions - Question 6 Discussion

Question No. 6
A security team is concerned that a developer can unintentionally attach an Elastic IP address to an
Amazon EC2 instance in production. No developer should be allowed to attach an Elastic IP address
to an instance. The security team must be notified if any production server has an Elastic IP address
at any time.
How can this task be automated?
Naveed Z.
2026-02-15

B imo, it combines permission denial with automated compliance checks and alerts.

0
Naveed Z.
2026-02-09

This is tricky but I’d go with C because it’s about removing permissions from developers completely, and the scheduled Lambda keeps checking for violations regularly. That double check feels safer than just relying on Config alerts. C

0
Naveed Z.
2026-02-09

D imo, because it adds an extra layer by using IAM roles with deny permissions on production instances themselves, not just the developers' groups. This means even if someone slips through the IAM group policies or uses a different identity, the instance’s role blocks the action. Plus, AWS Config can continuously monitor any Elastic IP association on those instances and send alerts, catching any accidental or unauthorized attachments. It seems more fail-safe than just relying on user-level permissions or scheduled Lambda checks.

0
Irfan O.
2026-02-05

B, it covers prevention and real-time alerts based on production tags.

0
Haris U.
2026-02-04

C imo works well too because it focuses on removing associate-address permissions from developers entirely, which is a straightforward way to prevent Elastic IP attachments. Plus, the scheduled Lambda checking production tags adds a second layer of detection, so even if something slips through, the security team gets notified. It’s a bit more hands-on than B but covers both prevention and alerting without relying solely on IAM policies with potentially complex scopes.

0
Osama M.
2026-01-25

I’m not sure about D because IAM roles on instances don’t control who can attach Elastic IPs, right? Seems like denying permissions directly (like in B) makes more sense for stopping the action itself. Could be missing something?

0
Osama M.
2026-01-17

B tbh makes the most sense since you can directly deny the permission and also have a Config rule for continuous compliance and alerting. Other options either miss one or the other part.

0
Osama M.
2026-01-16

Maybe B

0