Last Attempt DOP-C02 Questions

These are the possible causes for the AccessDenied error because they affect the permissions to access the S3 object from the EC2 instance. An S3 bucket policy is a resource-based policy that defines who can access the bucket and its objects, and what actions they can perform. An IAM role is an identity that can be assumed by an EC2 instance to grant it permissions to access AWS services and resources. If there is an error in the S3 bucket policy or the IAM role configuration, such as a missing or incorrect statement, condition, or principal, then the EC2 instance may not have the necessary permissions to download the object from the S3 bucket .

Running unit tests in the build phase and aborting on failure (OnFailure=ABORT) prevents deployment if tests fail.

AWS CDK assertions module provides programmatic unit tests against synthesized templates (Option D).

The --rollback flag relates to CloudFormation stack rollback, not test gating.

The --require-approval flag controls manual approvals, not test outcomes.

cdk diff checks for changes but is not a unit test and may not catch logical errors.

Configure the Systems Manager Document to Use the aws-downloadContent Plugin with a sourceType of GitHub and sourcelnfo with the Repository Details:

The aws-downloadContent plugin can download content from various sources, including GitHub, which is necessary for bootstrapping the laptops with the code stored in the GitHub repository.

schemaVersion: ' 2.2 '

description: " Download and run bootstrap script from GitHub "

mainSteps:

- action: aws:downloadContent

name: downloadBootstrapScript

inputs:

sourceType: GitHub

sourceInfo: ' { " owner " : " my-org " , " repository " : " my-repo " , " path " : " scripts/bootstrap.sh " , " getOptions " : " branch:main " } '

destinationPath: /tmp/bootstrap.sh

- action: aws:runShellScript

name: runBootstrapScript

inputs:

runCommand:

- chmod +x /tmp/bootstrap.sh

- /tmp/bootstrap.sh

This setup ensures that the bootstrap code is downloaded from GitHub and executed on the laptops using Systems Manager.

The problem has two distinct requirements: securely managing rotating external API credentials and encrypting CodeBuild artifacts with a specific KMS key.

For credentials that must be reset each month and are sensitive, AWS Secrets Manager is the appropriate service, not Parameter Store. Secrets Manager provides built-in support for secret rotation, versioning, access control, and auditability. The external API credentials can be updated monthly either manually or via an automated rotation Lambda. CodeBuild can read the secret at build time by assuming an IAM role that allows secretsmanager:GetSecretValue .

To encrypt CodeBuild outputs, the correct pattern is to set the CODEBUILD_KMS_KEY_ID environment variable (or CodeBuild project setting) to the desired KMS key. The CodeBuild IAM service role must be granted kms:Encrypt , kms:Decrypt , and related actions on that KMS key via the key policy or IAM policy. This ensures build artifacts and logs are encrypted using the specified customer managed key.

Option C captures both requirements precisely: store credentials in Secrets Manager and update the KMS key policy for the CodeBuild role , not the CodePipeline role. Options A and B misuse Parameter Store and/or the wrong IAM principal. Option D updates the wrong role and does not connect the KMS key to CodeBuild’s artifact encryption.