DOP-C02 Exam Dumps : AWS Certified DevOps Engineer - Professional

To allow an EC2 instance to access CodeArtifact, an IAM role attached via an instance profile must be granted permissions to access the CodeArtifact repository. The EC2 instance assumes this role.

The instance then uses the AWS CLI command aws codeartifact login to authenticate and configure the package manager (e.g., pip) to use the CodeArtifact repository. This command obtains an authorization token and sets up repository credentials securely on the instance.

Service-linked roles (Option A) are managed by AWS services, not used for instance access. CodeArtifact does not support ACLs (Option C), and resource-based policies (Option B) do not grant access to EC2 instances by principal.

This method is standard for securely managing credentials and access to CodeArtifact in automated deployments.

This is a classic AWS Organizations governance design:

Restrict Regions and allowed services across all accounts

The correct Organizations mechanism for account-wide guardrails is a Service Control Policy (SCP) .

SCPs set the maximum permissions that accounts/OUs can use, making them the right tool to enforce “only these Regions” and “only these services” consistently across the org.

Authentication from Active Directory + consistent job-function roles in every account

With AD as the identity source, the standard approach is federation to AWS using an IAM identity provider (SAML) and role assumption based on job function.

AWS CloudFormation StackSets is the operationally efficient way to deploy identical IAM roles/policies into multiple accounts/OUs so job-function permissions are consistent everywhere.

The roles’ trust policies can be configured to allow federated identities (from the AD-backed IdP) to assume the correct job role in each account.

Why the other options don’t fit:

A “OU with group policies” isn’t an AWS Organizations control mechanism for restricting Regions/services. The AWS-native control for this is SCPs , not “group policies.”

B Permissions boundaries are useful to limit what an IAM principal/role can do within an account , but they are not the org-wide enforcement mechanism for “all accounts must stay in these Regions / use only these services.” That’s what SCPs do.

C AWS RAM is for sharing resources (like subnets, Transit Gateway, etc.), not for “sharing roles” across accounts as a governance baseline. Also, the question emphasizes identical permissions in each account, which is best achieved by provisioning roles in each account (StackSets), not attempting to “share” roles.

To meet the requirements, the DevOps team needs to configure a monitoring solution for the VPC flow logs that can detect anomalies in network traffic over time and initiate a response to the anomaly. The DevOps team can use Amazon Kinesis Data Streams to ingest and process streaming data from CloudWatch Logs. The DevOps team can subscribe the log group to a Kinesis data stream, which will deliver log events from CloudWatch Logs to Kinesis Data Streams in near real-time. The DevOps team can then create an AWS Lambda function to detect log anomalies using machine learning or statistical methods. The Lambda function can be set as a processor for the data stream, which means that it will process each record from the stream before sending it to downstream applications or destinations. The Lambda function can also write to the default Amazon EventBridge event bus if it detects an anomaly, which will allow other AWS services or custom applications to respond to the anomaly event.