AWS X-Ray is the correct service for distributed tracing across microservices. It tracks individual requests as they travel through application components and provides a service map that visually shows dependencies, latency, errors, and bottlenecks. For Amazon ECS, the X-Ray daemon can run as a sidecar container, and the application can be instrumented with the X-Ray SDK. This requires less effort than building custom transaction tracing and gives the CloudOps engineer request-level visibility across services. CloudWatch agents and Container Insights provide metrics and logs, but they do not trace individual user transactions across multiple services. VPC Flow Logs capture network metadata, not application-level request traces or service dependency maps. Therefore, X-Ray with a sidecar daemon and SDK instrumentation is the correct CloudOps monitoring solution.

===============

Amazon Machine Images (AMIs) are Region-specific. An AMI ID that exists in us-west-2 does not automatically exist in eu-west-1. If a CloudFormation template references a hardcoded AMI ID from one Region, stack creation in another Region will fail when that AMI cannot be found.

Additionally, not all AWS services or service features are available in every AWS Region. If the template includes a resource type or feature that is unsupported in eu-west-1, CloudFormation will fail during stack creation.

IAM users are global resources, not Region-specific, so Option A is incorrect. Permission issues would typically fail immediately and are not Region-dependent. Option E is incorrect because CloudFormation can both create and update resources.

Therefore, Region-specific AMIs and unavailable services are the valid reasons for failure.

Amazon CloudWatch Synthetics heartbeat canaries actively test a website by sending periodic requests from AWS-managed locations, closely simulating real user access. This provides an accurate measurement of availability from an end-user perspective, which is a key requirement.

The SuccessPercent metric represents the percentage of successful executions over time and directly maps to website uptime. Creating a CloudWatch alarm on this metric allows the CloudOps engineer to receive SNS notifications when availability drops below the 99% threshold.

Log-based or anomaly-detection approaches do not reliably represent user experience, and broken link checkers focus on content integrity rather than availability. Therefore, a heartbeat canary is the correct solution.

AWS Resource Groups Tag Editor is the correct tool for finding and applying tags to AWS resources across services and Regions. Cost Explorer can show cost allocation gaps, including “No Tagkey,” but it is not the tool used to apply tags to resources. Service control policies can enforce permission boundaries, but they do not retroactively tag resources. AWS Config can detect missing required tags and can support remediation workflows, but terminating resources is clearly destructive and does not solve the financial reporting requirement. In CloudOps cost governance, the clean approach is to use Tag Editor to locate untagged or incorrectly tagged resources and apply the appropriate business-unit tags. After tagging, the company should activate cost allocation tags so future Cost Explorer reports correctly allocate spending.

===============

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The most operationally efficient solution is C because AWS Systems Manager Session Manager is purpose-built for secure, auditable interactive access to EC2 instances at scale—without managing bastion hosts or distributing SSH keys. Session Manager can be configured to log session activity, including commands and output, to durable destinations such as Amazon CloudWatch Logs (and optionally Amazon S3). This directly satisfies the requirement to record interactive sessions and store logs durably.

For automated notifications and alarms, CloudWatch Logs supports metric filters that transform matching log patterns into CloudWatch metrics. Those metrics can then drive CloudWatch alarms and notifications (for example, via Amazon SNS). This is a standard CloudOps pattern: centralize logs, derive metrics from security-relevant patterns, and alert automatically.

Option A and D require installing and operating agents and building a more complex analytics path (Athena queries for alerting), which is less efficient and introduces more moving parts across thousands of instances. Option B adds a bastion host dependency that becomes an operational burden (scaling, patching, hardening, HA) and a potential choke point. Session Manager reduces these burdens by using SSM Agent already installed, IAM-based access control, and centralized logging/monitoring integrations.

Amazon RDS encryption at rest cannot be enabled directly on an existing unencrypted DB instance. AWS guidance states that encryption for an RDS DB instance is enabled when the DB instance is created, not after creation. To convert an unencrypted RDS database to encrypted, the CloudOps engineer must take a snapshot, copy the snapshot while enabling encryption with an AWS KMS key, and then restore a new DB instance from the encrypted snapshot. Restoring from a snapshot creates a new DB instance; it does not overwrite the existing DB instance. Option C is invalid because Multi-AZ standby replicas cannot be independently encrypted and promoted for this purpose. Therefore, creating an encrypted snapshot copy and restoring it as a new DB instance is correct.

===============

Amazon EventBridge receives EC2 instance state-change events and can route matching events directly to a target such as an Amazon SNS topic. This is the most operationally efficient solution because it uses native event-driven integration and does not require scripts, agents, polling, or custom Lambda code. Option A is poor operational design because every instance would need script execution and maintenance. Option C adds an unnecessary Lambda function; EventBridge can publish to SNS directly. Option D misuses AWS Config, which is better suited to configuration compliance and resource-state evaluation, not simple near-real-time notification of every EC2 instance state transition. For CloudOps event monitoring, EventBridge rules are the standard approach for reacting to AWS service events and notifying operators.

===============

Amazon Route 53 Resolver outbound endpoints enable Amazon VPC resources to forward DNS queries to DNS servers that are outside of AWS, such as on-premises DNS servers. Because the company already has AWS Direct Connect in place, DNS queries can be routed privately from the VPC to the on-premises DNS infrastructure without using the public internet.

By creating an outbound endpoint and configuring forwarding rules for the on-premises domains, EC2 instances in the VPC can resolve DNS names dynamically using the existing authoritative DNS servers. This approach requires minimal ongoing maintenance because DNS records continue to be managed centrally in the on-premises DNS system.

Manually populating a private hosted zone or /etc/hosts files would require constant updates and does not scale. Reverse DNS forwarding alone does not solve forward name resolution.

Therefore, using Route 53 Resolver outbound endpoints is the correct solution.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The correct answer is C. Create a store image task. Specify the image ID and the destination S3 bucket, because this is the only AWS-supported solution that allows an AMI to be backed up to Amazon S3 and later restored while preserving the original AMI ID. This capability is essential for regulatory and compliance requirements where immutable identifiers must be retained.

According to AWS CloudOps documentation for Amazon EC2 AMI lifecycle management, the AMI store and restore feature is specifically designed for long-term retention, audit, and compliance scenarios. When an AMI is stored using a store image task, AWS packages the AMI’s configuration, metadata, and associated snapshots and saves them as encrypted objects in an Amazon S3 bucket. When the AMI is restored, AWS explicitly states that the restored AMI retains the same AMI ID as the original image, ensuring continuity for compliance tracking and operational dependencies.

Option A is incorrect because copying an AMI always results in a new AMI ID, even when copied within the same AWS Region. Option B is incorrect because archiving snapshots to Amazon S3 does not preserve AMI metadata or identity; restoring from snapshots requires creating a new AMI with a different ID. Option D is incorrect because the copy-image command is intended for cross-Region or cross-account AMI duplication and also generates a new AMI ID.

AWS CloudOps best practices clearly identify store image tasks as the correct mechanism when AMI identity preservation is required for governance, auditability, and compliance controls.

IAM user groups allow permissions to be managed centrally and applied to multiple users simultaneously, making them ideal for scalable access management. Attaching policies to groups ensures that changes propagate automatically to all members.

A customer managed policy supports versioning, reuse, and centralized updates, which meets the requirement to modify policies and manage versions over time. AWS managed policies cannot be edited, and inline policies do not support reuse or versioning across multiple principals.

Option A is invalid because service-linked roles are AWS-managed and not designed for user access. Option E lacks versioning and reusability. Option C does not allow customization.

Therefore, using IAM groups with a customer managed policy is the correct and secure solution.