Exam AWS DevOps Engineer Professional topic 1 question 199 discussion

Exam question from Amazon's AWS DevOps Engineer Professional
Question #: 199
Topic #: 1

A DevOps engineer is working on a project that is hosted on Amazon Linux and has failed a security review. The DevOps manager has been asked to review the company buildspec.yaml file for an AWS CodeBuild project and provide recommendations. The buildspec.yaml file is configured as follows:



What changes should be recommended to comply with AWS security best practices? (Choose three.)

  • A. Add a post-build command to remove the temporary files from the container before termination to ensure they cannot be seen by other CodeBuild users.
  • B. Update the CodeBuild project role with the necessary permissions and then remove the AWS credentials from the environment variable.
  • C. Store the DB_PASSWORD as a SecureString value in AWS Systems Manager Parameter Store and then remove the DB_PASSWORD from the environment variables.
  • D. Move the environment variables to the ‘db-deploy-bucket’ Amazon S3 bucket, add a prebuild stage to download, then export the variables.
  • E. Use AWS Systems Manager run command versus scp and ssh commands directly to the instance.
  • F. Scramble the environment variables using XOR followed by Base64, add a section to install, and then run XOR and Base64 to the build phase.
Suggested Answer: ABC

Comments

CloudFloater
Highly Voted 2 years, 3 months ago
Selected Answer: ABC
Option A: Remove temporary files post-build. Option B: Remove AWS credentials from environment. Option C: Store DB_PASSWORD in Parameter Store. Option D: Move environment variables to S3. ok, ABC options above will meet requirement. Option E: Using SSM run command is good for securing instances not directly related to this process. Option F: Scramble environment variables is adding complexity.
upvoted 8 times
...
YR4591
Most Recent 1 year, 7 months ago
Selected Answer: BCE
A is wrong. If no artifacts are provided to the code-build run, all the files are automatically removed at the end of the build.
upvoted 1 times
...
easytoo
2 years, 1 month ago
ABC seems correct here.
upvoted 2 times
...
ParagSanyashiv
2 years, 1 month ago
Selected Answer: BCE
BCE are the most suitable options for the given scenario.
upvoted 3 times
...
stalos
2 years, 3 months ago
BCE: A is wrong. No need to tidy up after CodeBuild invocation. Post build has another purpose. phases/post_build: Optional sequence. Represents the commands, if any, that CodeBuild runs after the build. For example, you might use Maven to package the build artifacts into a JAR or WAR file, or you might push a Docker image into Amazon ECR. Then you might send a build notification through Amazon SNS. phases/post_build/commands: Required if post_build is specified. Contains a sequence of scalars, where each scalar represents a single command that CodeBuild runs after the build. CodeBuild runs each command, one at a time, in the order listed, from beginning to end.
upvoted 4 times
...
SHoKMaSTeR
2 years, 3 months ago
Selected Answer: BCE
NOT A. When a container is terminated, if no volume is mounted, everything will be deleted. B. Role with permissions, no need to have an AWS User with Access Key/secret access key. C. A way to inject secrets as env vars. E. Systems Manager is designed for that! In the build command, we are getting from S3 a file called my.cnf and SSH keys (instance.keys) and we are running some commands for having SSH connectivity from the EC2 instance to the instance with the IP 10.25.15.23 for copying there the my.cnf file and restarting the MySQL server ...
upvoted 3 times
...
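How options B, C and E could look in a buildspec, as an added example that is not part of the original question or of any comment (the buildspec from the question is not reproduced on this page). The parameter name, the instance tag, the target path `/etc/my.cnf` and the `mysqld` service name are assumptions; the bucket and file names are the ones mentioned above.

```yaml
# Added example: constructed buildspec, not the one from the exam question.
version: 0.2

env:
  # Option B: no AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY entries here.
  # The AWS CLI calls below use the CodeBuild project's service role.
  #
  # Option C: DB_PASSWORD is read from a SecureString parameter when the
  # build starts and is exposed to commands as $DB_PASSWORD. The project
  # role needs ssm:GetParameters on it (and kms:Decrypt when a customer
  # managed key encrypts the parameter).
  parameter-store:
    DB_PASSWORD: /example/db/password   # hypothetical parameter name

phases:
  build:
    commands:
      # Option E: no SSH key download, scp or ssh from the build container.
      # Run Command asks the instance to fetch my.cnf itself and restart
      # MySQL. The instance needs the SSM agent and an instance profile
      # with read access to the bucket.
      - >-
        aws ssm send-command
        --document-name "AWS-RunShellScript"
        --targets "Key=tag:Role,Values=example-db"
        --comment "Deploy my.cnf"
        --parameters 'commands=["aws s3 cp s3://db-deploy-bucket/my.cnf /etc/my.cnf","systemctl restart mysqld"]'
```

With this layout the project role, not the buildspec, carries the permissions: `ssm:SendCommand` for the build step and `ssm:GetParameters` for the password.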
Mark1000
2 years, 3 months ago
ABC is correct
upvoted 3 times
...
saeidp
2 years, 3 months ago
Selected Answer: ABC
A B C are the correct ones
upvoted 3 times
...
Community vote distribution: A (35%), C (25%), B (20%), Other