Question 2

Question

A company uses an AWS CodeArtifact repository to store Python packages that the company
developed internally. A DevOps engineer needs to use AWS CodeDeploy to deploy an application to
an Amazon EC2 instance. The application uses a Python package that is stored in the CodeArtifact
repository. A BeforeInstall lifecycle event hook will install the package.
The DevOps engineer needs to grant the EC2 instance access to the CodeArtifact repository.
Which solution will meet this requirement?

Accepted Answer

Create an instance profile that contains an IAM role that has access to CodeArtifact. Associate the
instance profile with the EC2 instance. Use the aws codeartifact login CLI command on the instance.

Neha U. · Answer

Option D again with more AWS hoops to jump through just for package access, but that's their typical stance.

ThoughtfulArchitect9941 · Answer

Maybe B, since a resource-based policy can allow access from specific principals, and EC2 does have an identity. I think it feels more straightforward to just grant read permissions this way, but not 100% sure if CodeArtifact supports that for EC2 directly. D is definitely the official IAM play, though.

Maya · Answer

D . Using an instance profile with the right IAM permissions is the typical way for EC2 to hit CodeArtifact, plus aws codeartifact login. Not seeing how B would work for a direct EC2 principal. Anyone disagree?

EmmaD · Answer

D , since EC2 principal needs an instance profile unless the repo is accessed by something outside the account.

Karan · Answer

D. Resource-based policy (B) is a bit of a trap here-CodeArtifact doesn’t let you grant direct EC2 access that way. Instance profile plus aws codeartifact login is what AWS expects for this scenario, pretty sure. Disagree?

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE