Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 125 discussion

A global company manages multiple AWS accounts by using AWS Control Tower. The company hosts internal applications and public applications.

Each application team in the company has its own AWS account for application hosting. The accounts are consolidated in an organization in AWS Organizations. One of the AWS Control Tower member accounts serves as a centralized DevOps account with CI/CD pipelines that application teams use to deploy applications to their respective target AWS accounts. An IAM role for deployment exists in the centralized DevOps account.

An application team is attempting to deploy its application to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster in an application AWS account. An IAM role for deployment exists in the application AWS account. The deployment is through an AWS CodeBuild project that is set up in the centralized DevOps account. The CodeBuild project uses an IAM service role for CodeBuild. The deployment is failing with an Unauthorized error during attempts to connect to the cross-account EKS cluster from CodeBuild.

Which solution will resolve this error?

  • A. Configure the application account’s deployment IAM role to have a trust relationship with the centralized DevOps account. Configure the trust relationship to allow the sts:AssumeRole action. Configure the application account’s deployment IAM role to have the required access to the EKS cluster. Configure the EKS cluster aws-auth ConfigMap to map the role to the appropriate system permissions.
  • B. Configure the centralized DevOps account’s deployment IAM role to have a trust relationship with the application account. Configure the trust relationship to allow the sts:AssumeRole action. Configure the centralized DevOps account’s deployment IAM role to allow the required access to CodeBuild.
  • C. Configure the centralized DevOps account’s deployment IAM role to have a trust relationship with the application account. Configure the trust relationship to allow the sts:AssumeRoleWithSAML action. Configure the centralized DevOps account’s deployment IAM role to allow the required access to CodeBuild.
  • D. Configure the application account’s deployment IAM role to have a trust relationship with the AWS Control Tower management account. Configure the trust relationship to allow the sts:AssumeRole action. Configure the application account’s deployment IAM role to have the required access to the EKS cluster. Configure the EKS cluster aws-auth ConfigMap to map the role to the appropriate system permissions.
Suggested Answer: A
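To make option A concrete, here is an added example (not from the exam page or any commenter) that builds the two artifacts the answer names and checks them for the mistakes the discussion turns on: the application account's deployment role trusting the DevOps account's CodeBuild role for sts:AssumeRole, and that role being mapped in the cluster's aws-auth ConfigMap. Account IDs and role names are constructed placeholders; the checker also flags a role ARN with a path, which aws-auth mapRoles does not accept.

```python
import re

# Constructed placeholders (not from the page): account IDs and role names are illustrative.
DEVOPS_ACCOUNT_ID = "111111111111"
APP_ACCOUNT_ID = "222222222222"
CODEBUILD_ROLE_ARN = f"arn:aws:iam::{DEVOPS_ACCOUNT_ID}:role/codebuild-service-role"
APP_DEPLOY_ROLE_ARN = f"arn:aws:iam::{APP_ACCOUNT_ID}:role/eks-deploy-role"
# aws-auth rolearn entries must be plain role ARNs without a path component.
ROLE_ARN_NO_PATH = re.compile(r"^arn:aws:iam::\d{12}:role/[^/]+$")


def app_role_trust_policy(devops_principal_arn: str) -> dict:
    """Trust policy on the *application* account's deployment role (option A's direction):
    only the DevOps account's CodeBuild service role may assume it, not the whole account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": devops_principal_arn}, "Action": "sts:AssumeRole"}]}


def aws_auth_map_roles(deploy_role_arn: str) -> list:
    """mapRoles entry for the aws-auth ConfigMap in the application account's EKS cluster.
    Bind the group to a namespaced Role via RBAC rather than granting system:masters."""
    return [{"rolearn": deploy_role_arn, "username": "codebuild-deployer", "groups": ["app-deployers"]}]


def account_of(arn: str) -> str:
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else ""


def check_cross_account_setup(trust_policy: dict, map_roles: list,
                              devops_principal_arn: str, deploy_role_arn: str) -> list:
    """Return the misconfigurations that would still leave CodeBuild Unauthorized at the cluster."""
    problems, trusted = [], set()
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in actions:
            principal = stmt.get("Principal", {}).get("AWS", [])
            trusted.update([principal] if isinstance(principal, str) else principal)
    if devops_principal_arn not in trusted:
        problems.append("deployment role does not trust the DevOps CodeBuild role")
    for p in trusted:  # the reversed-trust mistake: principal must live in the DevOps account
        if account_of(p) != account_of(devops_principal_arn):
            problems.append(f"trust points the wrong way: {p} is not in the DevOps account")
    mapped = {entry.get("rolearn") for entry in map_roles}
    if deploy_role_arn not in mapped:
        problems.append("deployment role is missing from aws-auth mapRoles")
    for arn in mapped:
        if not ROLE_ARN_NO_PATH.match(arn):
            problems.append(f"aws-auth rolearn must not contain a path: {arn}")
    return problems
```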

Comments

Certified101
Highly Voted 1 year, 9 months ago
Selected Answer: A
A. Configure the application account’s deployment IAM role to have a trust relationship with the centralized DevOps account. Configure the trust relationship to allow the sts:AssumeRole action. Configure the application account’s deployment IAM role to have the required access to the EKS cluster. Configure the EKS cluster aws-auth ConfigMap to map the role to the appropriate system permissions. Options B, C, and D are not correct because the centralized DevOps account’s deployment IAM role doesn't need to trust the application account, it's the other way around. The sts:AssumeRoleWithSAML action in option C is used for federation from a SAML 2.0 compliant identity provider and is not necessary in this scenario. Lastly, there's no need to have a trust relationship with the AWS Control Tower management account as in option D, as the interaction is directly between the DevOps account and the application account.
upvoted 10 times
thanhnv142
Highly Voted 1 year, 2 months ago
Selected Answer: A
A is correct: "Unauthorized error during attempts to connect" means we need to set up the relevant permissions and policies. A is correct because the "AWS CodeBuild project that is set up in the centralized DevOps account", so we should set up the trust relationship on the account that has the resources, which is the application account, and allow CodeBuild from the centralized account to assume it. B and C are wrong: we need to set up trust from the app account, not the centralized account. D: this option mentions Control Tower, which is irrelevant.
upvoted 6 times
jamesf
Most Recent 9 months ago
Selected Answer: A
A. Configure the application account’s deployment IAM role to have a trust relationship with the centralized DevOps account. - set up the trust relationship on the account that has the resources, which is the application account.
Configure the trust relationship to allow the sts:AssumeRole action. - allow CodeBuild from the centralized account to assume it; CodeBuild is configured in the centralized DevOps account, not in the application account.
Configure the application account’s deployment IAM role to have the required access to the EKS cluster. Configure the EKS cluster aws-auth ConfigMap to map the role to the appropriate system permissions. - the application account has access to the resources.
upvoted 2 times
tartarus23
1 year, 10 months ago
Selected Answer: A
(A) This solution addresses the Unauthorized error by allowing the DevOps account to assume the IAM role in the application account that has the necessary permissions to access the EKS cluster. The other options don't provide the necessary cross-account permissions or correctly configure the roles for accessing EKS.
upvoted 3 times
walkwolf3
1 year, 10 months ago
B is correct. The Unauthorized error happened from CodeBuild in the DevOps account to the EKS cluster in the application account, not in the reverse direction.
upvoted 2 times
zain1258
1 year, 5 months ago
CodeBuild is configured in the centralized DevOps account, not in the application account.
upvoted 2 times
2pk
1 year, 11 months ago
I'd like to add more: don't get the source and destination mixed up, because the application team must deploy resources in the DevOps account. So the source should be the application team and the destination should be the DevOps team.
upvoted 3 times
PhuocT
1 year, 11 months ago
Selected Answer: A
A is correct
upvoted 1 times
ParagSanyashiv
1 year, 11 months ago
A is the correct answer.
upvoted 1 times
2pk
1 year, 11 months ago
Answer is A. In the source AWS account, the IAM role used by the CI/CD pipeline should have permissions to access the source code repository, build artifacts, and any other resources required for the build process. In the destination AWS accounts, the IAM role used for deployment should have permissions to access the AWS resources required for deploying the application, such as EC2 instances, RDS databases, S3 buckets, etc. The exact permissions required will depend on the specific resources being used by the application. The IAM role used for deployment in the destination accounts should also have permissions to assume the IAM role for deployment in the centralized DevOps account. This is typically done using an IAM role trust policy that allows the destination account to assume the DevOps account role.
upvoted 4 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other