
Scope Overreach — AWS DevOps Engineer (DOP-C02)

You solved a broader problem than what was asked. The scenario had specific constraints — you addressed requirements that weren't there.

AWS Control Tower When You Only Need One SCP

Requirement: enforce a policy that prevents S3 public access across three production accounts. Competing choices: AWS Organizations SCP versus AWS Control Tower guardrail. Control Tower is the broader, more capable answer — and that's exactly why it's wrong here. The exam tests proportionality. Control Tower carries landing zone setup, Account Factory dependency, and ongoing governance overhead. A single SCP applied at the OU level achieves the stated requirement with no additional surface. Scope the solution to the stated problem.

14% of exam questions affected (28 of 200)

The Scenario

A company needs to encrypt data at rest in an S3 bucket used for internal analytics reports. You recommend AWS CloudHSM with a custom key store, customer-managed KMS key with automatic rotation, and a key policy restricting access to specific IAM roles. The correct answer is SSE-S3 (Amazon S3-managed keys) — one setting, zero key management, meets the requirement. The scenario said "encrypt at rest." It did not say "FIPS 140-2 Level 3 compliance," "customer-managed key lifecycle," or "cross-account key sharing." CloudHSM is for organizations with regulatory requirements to control their own hardware security modules. You answered a compliance question that was not asked.

How to Spot It

  • Encryption at rest has three levels on S3: SSE-S3 (zero management), SSE-KMS (key policies and rotation control), SSE-C/client-side (you manage everything). The exam gives you a simple encryption requirement and tests whether you select the simplest option. Only escalate to KMS or CloudHSM when the scenario mentions compliance, audit requirements, or cross-account key access.
  • When your answer includes services the scenario never mentioned (CloudTrail for auditing, Config for compliance checking, GuardDuty for threat detection), verify the scenario asked for those capabilities. Solving adjacent problems is over-reaching.
  • VPC endpoints come in two types: Gateway (free, for S3 and DynamoDB) and Interface (costs $0.01/hour per AZ, for everything else). If the scenario asks for private access to S3, a Gateway endpoint is free. Recommending PrivateLink Interface endpoints for S3 is scope overreach and adds unnecessary cost.

Decision Rules

When the requirement is to block a privileged action before it occurs across a defined set of accounts, a deny-based SCP scoped to the relevant OU is the correct control; any solution that adds landing-zone enrollment, conformance packs, or detective-remediation loops overreaches the stated constraint.

Services: AWS Organizations, AWS Control Tower, AWS Config

Whether to enforce the approved-region constraint via a targeted Deny SCP on the production OU in AWS Organizations — preventive, zero per-account deployment, and non-overridable by member accounts — versus implementing a broader solution such as a Control Tower landing zone rebuild, Account Factory customization pipeline, or per-account Config rule with Lambda auto-remediation.
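As an added example (not from the original page), here is the kind of single deny-based SCP the S3 public-access scenario above and the approved-region decision rule both call for, attached once to the production OU rather than rolled out through Control Tower. The region list, the break-glass role name and the choice of exempted global services are assumptions chosen for illustration; the first statement locks the S3 Block Public Access settings so member accounts cannot switch them off, and the second denies any regional action outside the approved regions while leaving global services reachable.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDisablingS3BlockPublicAccess",
      "Effect": "Deny",
      "Action": [
        "s3:PutAccountPublicAccessBlock",
        "s3:PutBucketPublicAccessBlock"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/BreakGlassSecurityAdmin"
        }
      }
    },
    {
      "Sid": "DenyActionsOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "cloudfront:*",
        "route53:*",
        "support:*",
        "budgets:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "eu-west-1"
          ]
        }
      }
    }
  ]
}
```

The first statement only prevents the Block Public Access settings from being changed, so it assumes they were already enabled in each account; the SCP does not set them. SCPs never apply to the organization's management account, so that account is outside this control and must be handled separately.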

Services: AWS Organizations, AWS Control Tower, AWS Config

Whether to satisfy a single-account PCI-DSS encryption-at-rest and key-rotation requirement using AWS KMS automatic rotation plus AWS Config managed rules, or to overscope the solution by deploying organization-wide controls (SCPs, Security Hub aggregation, CloudHSM clusters) that exceed the stated compliance boundary and introduce unjustified operational complexity.

Services: AWS Key Management Service (AWS KMS), AWS Config, AWS Organizations

Whether a purpose-built CloudTrail organization trail → CloudWatch Logs metric filter → EventBridge alert chain satisfies the continuous-audit-trail and detection-latency SLA constraints, or whether enabling AWS Security Hub with GuardDuty is warranted — recognizing that the latter occupies the aggregation-and-finding-correlation layer, not the direct API-call audit and sub-5-minute alert layer.

Services: AWS CloudTrail, Amazon CloudWatch Logs, Amazon EventBridge

Whether the least-privilege and credential-rotation-automation constraints are fully satisfied by layering IAM Identity Center permission sets (grant scoping), Organizations SCPs (deny guardrails), and Secrets Manager native rotation (automated lifecycle) — versus oversolving with a custom Lambda-backed credential vending machine or per-account IAM boundary policies that add operational complexity without closing any gap the managed services leave open.

Services: AWS IAM Identity Center, AWS Organizations, AWS Secrets Manager

When the compliance boundary is a single AWS account and the regulation mandates annual key rotation, AWS Config (kms-key-rotation-enabled managed rule) plus KMS automatic rotation is the least-overhead solution that satisfies the requirement; choosing CloudHSM with BYOK and custom Lambda rotation, or organization-wide Security Hub aggregation, overreaches the stated single-account boundary and introduces hardware HSM or cross-account operational complexity that the regulation does not require.

Services: AWS Key Management Service (AWS KMS), AWS Config

Whether a targeted CloudTrail management-event stream with a CloudWatch Logs metric filter and alarm satisfies the detection-latency SLA within the stated single-account scope, or whether the solution must expand to a GuardDuty plus Security Hub finding pipeline that is architecturally designed for multi-source threat aggregation and exceeds the stated boundary.

Services: AWS CloudTrail, Amazon CloudWatch Logs, Amazon EventBridge

Domain Coverage

Configuration Management and IaC; Security and Compliance

Difficulty Breakdown

Hard: 20, Expert: 8
