ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified DevOps Engineer - Professional DOP-C02 All Questions

View all questions & answers for the AWS Certified DevOps Engineer - Professional DOP-C02 exam
Go to Exam

Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 121 discussion

Exam question from Amazon's AWS Certified DevOps Engineer - Professional DOP-C02
Question #: 121
Topic #: 1
[All AWS Certified DevOps Engineer - Professional DOP-C02 Questions]

A company is building a new pipeline by using AWS CodePipeline and AWS CodeBuild in a build account. The pipeline consists of two stages. The first stage is a CodeBuild job to build and package an AWS Lambda function. The second stage consists of deployment actions that operate on two different AWS accounts: a development environment account and a production environment account. The deployment stages use the AWS CloudFormation action that CodePipeline invokes to deploy the infrastructure that the Lambda function requires.

A DevOps engineer creates the CodePipeline pipeline and configures the pipeline to encrypt build artifacts by using the AWS Key Management Service (AWS KMS) AWS managed key for Amazon S3 (the aws/s3 key). The artifacts are stored in an S3 bucket. When the pipeline runs, the CloudFormation actions fail with an access denied error.

Which combination of actions must the DevOps engineer perform to resolve this error? (Choose two.)

  • A. Create an S3 bucket in each AWS account for the artifacts. Allow the pipeline to write to the S3 buckets. Create a CodePipeline S3 action to copy the artifacts to the S3 bucket in each AWS account. Update the CloudFormation actions to reference the artifacts S3 bucket in the production account.
  • B. Create a customer managed KMS key. Configure the KMS key policy to allow the IAM roles used by the CloudFormation action to perform decrypt operations. Modify the pipeline to use the customer managed KMS key to encrypt artifacts.
  • C. Create an AWS managed KMS key. Configure the KMS key policy to allow the development account and the production account to perform decrypt operations. Modify the pipeline to use the KMS key to encrypt artifacts.
  • D. In the development account and in the production account, create an IAM role for CodePipeline. Configure the roles with permissions to perform CloudFormation operations and with permissions to retrieve and decrypt objects from the artifacts S3 bucket. In the CodePipeline account, configure the CodePipeline CloudFormation action to use the roles.
  • E. In the development account and in the production account, create an IAM role for CodePipeline. Configure the roles with permissions to perform CloudFormation operations and with permissions to retrieve and decrypt objects from the artifacts S3 bucket. In the CodePipeline account, modify the artifacts S3 bucket policy to allow the roles access. Configure the CodePipeline CloudFormation action to use the roles.
Show Suggested Answer Hide Answer
Suggested Answer: BE 🗳️
by Jeanphi72 at May 9, 2023, 9:52 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
lunt
Highly Voted 2 years, 1 month ago
Selected Answer: BE
C = AWS KMS fundamentals. Cannot modify AWS managed KMS key policies. No Cross account access = will not work. Not sure why there is even a discussion on this. Associate level basics.
upvoted 14 times
svjl
1 year, 6 months ago
You van modify the key policies, it is a managed key. What is wrong is change it to use for different account. https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html
upvoted 2 times
robertohyena
1 year, 6 months ago
From your link: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html When changing a key policy, keep in mind the following rules: - You can view the key policy for an AWS managed key or a customer managed key, but you can only change the key policy for a customer managed key. - The policies of AWS managed keys are created and managed by the AWS service that created the KMS key in your account. - You cannot view or change the key policy for an AWS owned key.
upvoted 2 times
heff_bezos
9 months, 1 week ago
From your link: "You can add or remove IAM users, IAM roles, and AWS accounts in the key policy, and change the actions that are allowed or denied for those principals." The answer is BE because you don't want to grant permissions to the KMS key for an ENTIRE account, you'd want to allow access for a particular role.
upvoted 1 times
...
...
...
...
youonebe
Most Recent 6 months, 1 week ago
Selected Answer: BD
there is no need to modify the artifacts S3 bucket policy to allow the roles access
upvoted 1 times
...
jamesf
11 months, 1 week ago
Selected Answer: BE
B - Cannot modify AWS managed KMS key policies. E - Cross account access and we need bucket policies also to be updated, if its same account then we do not need bucket policies permissions
upvoted 2 times
...
xdkonorek2
1 year ago
Selected Answer: BD
BD, try it yourself, create account with a bucket, create role with access to s3 operations, and trust policy for another account. role assumed by another account has full access to s3 resources thereby it's not needed to set up resource policy on s3 bucket
upvoted 3 times
...
Venki_dev
1 year ago
Selected Answer: BD
Answer is BD , I have recently implemented similar solution, and my S3 bucket do not have any policy configured , my IAM role has required KMS key permission and it worked. modifying the S3 bucket policy, but this is not necessary if the IAM roles are correctly configured and used by the CodePipeline CloudFormation action
upvoted 1 times
Venki_dev
1 year ago
I switch to BE , because its cross account access and we need bucket policies also to be updated, if its same account then we do not need bucket policies permissions
upvoted 3 times
...
...
c3518fc
1 year, 2 months ago
Selected Answer: BD
Nobody is saying why we are modifying the artifacts in S3 in Option E in the Codecommit account. Doesn't seem to make sense to me.
upvoted 1 times
...
dkp
1 year, 2 months ago
Selected Answer: BE
BE. are correct
upvoted 2 times
...
thanhnv142
1 year, 4 months ago
B and E are correct: <fail with an access denied error.> this means there are issues with policies and permissions. A: no mention of policies C: This is what the dev team has tried but failed. Can not modify managed key policy, can only view it D: no mention of configuring S3 bucket policy
upvoted 4 times
...
robertohyena
1 year, 6 months ago
Selected Answer: BE
exact steps are in this doc https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-create-cross-account.html
upvoted 3 times
...
YR4591
1 year, 8 months ago
Selected Answer: BE
It's BE, According to this, aws managed kms key can't be used cross account: https://repost.aws/knowledge-center/cross-account-access-denied-error-s3 "Warning: AWS managed AWS KMS key policies can't be modified because they're read-only. However, you can always view both the AWS managed KMS key policies and customer managed KMS key policies. Because AWS managed KMS key policies can't be updated, cross-account permissions also can't be granted for those key policies. Additionally, objects that are encrypted using an AWS managed KMS key can't be accessed by other AWS accounts. For customer managed KMS key policies, you can change the key policy only from the AWS account that created the policy."
upvoted 4 times
...
Certified101
1 year, 11 months ago
Selected Answer: BE
BE, bucket policy needs to be amended also as it will assume roles in the prod and dev account
upvoted 3 times
...
habros
1 year, 11 months ago
Selected Answer: BE
BE. CMEK = you determine access (key policy) and rotation period (you define instead of 365 days for AWS managed keys). Perfect for cross account resources.
upvoted 2 times
...
Mail1964
2 years, 1 month ago
Selected Answer: BE
You can view the key policy for an AWS managed key or a customer managed key, but you can only change the key policy for a customer managed key.
upvoted 4 times
...
devnv
2 years, 1 month ago
CE for me
upvoted 1 times
...
2pk
2 years, 1 month ago
B & E , i guess too
upvoted 2 times
2pk
2 years, 1 month ago
I thought again, it should be A & E correct. B is worng becasue The access denied error typically occurs when the IAM roles used by the CloudFormation action lack the necessary permissions to access the required resources. Therefore, option B does not directly address the access denied error in the given scenario.
upvoted 1 times
...
...
PhuocT
2 years, 1 month ago
Selected Answer: BE
I think it is B and E
upvoted 2 times
...
Jeanphi72
2 years, 1 month ago
Selected Answer: CE
Questions says: "A DevOps engineer creates the CodePipeline pipeline and configures the pipeline to encrypt build artifacts by using the AWS Key Management Service (AWS KMS) AWS managed key for Amazon S3 (the aws/s3 key)." not CMK ...
upvoted 3 times
sb333
1 year, 11 months ago
Answer C is incorrect because you cannot "create" an AWS-managed key or modify its key policy. In order to modify a key policy, you need an customer-managed key (Answer B). The question states they used an AWS-managed key, but got an error. So you have to re-evaluate how to make this work, which requires a customer-managed key. https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt
upvoted 4 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel