Q: 4
A company is building a new pipeline by using AWS CodePipeline and AWS CodeBuild in a build
account. The pipeline consists of two stages. The first stage is a CodeBuild job to build and package
an AWS Lambda function. The second stage consists of deployment actions that operate on two
different AWS accounts: a development environment account and a production environment account.
The deployment stages use the AWS CloudFormation action that CodePipeline invokes to deploy
the infrastructure that the Lambda function requires.
A DevOps engineer creates the CodePipeline pipeline and configures the pipeline to encrypt build
artifacts by using the AWS Key Management Service (AWS KMS) AWS managed key for Amazon S3
(the aws/s3 key). The artifacts are stored in an S3 bucket. When the pipeline runs, the
CloudFormation actions fail with an access denied error.
Which combination of actions must the DevOps engineer perform to resolve this error? (Select
TWO.)
Options
Discussion
Yeah, BE makes sense here. The aws/s3 managed key doesn't let you do cross-account decrypt, so option B's custom KMS key is needed. E is about updating the S3 bucket policy for those external roles. Pretty sure that's the fix but open to input if anyone disagrees.
B and E
It's BE, managed keys like aws/s3 can't do cross-account, so B is needed, not C.
BE tbh. You need a customer managed KMS key so you can grant decrypt to the roles (B), and updating the S3 bucket policy for those cross-account IAM roles is covered in E. AWS managed KMS keys like aws/s3 don't support cross-account decryption. Pretty sure this is the correct combo but open to corrections.
B/E? Using a customer managed KMS key (B) makes sense for controlling decrypt permissions, and E nails the IAM role plus S3 bucket policy part for cross-account CloudFormation. That's usually what AWS recommends, I think. Let me know if you see it differently!
Maybe B and E. Letting CloudFormation decrypt artifacts with a customer managed KMS key (B) is key here, and E covers bucket policy plus cross-account IAM setup for CloudFormation actions. Saw a similar scenario in practice exams, this lines up with best-practice permissions. Clear question layout!
B and E imo. Customer-managed KMS key is needed for cross-account decrypt, not the default aws/s3 one, so that's B. E covers updating the bucket policy to give those roles access. Seen this in official guides and labs, pretty sure these are both required. Anyone think something else applies?
Why does E work over D here if both use roles and permissions?
It's B and E here. The aws/s3 managed key doesn't support cross-account decrypt, so you need a customer-managed KMS key (B). Then E is about setting up the S3 bucket policy for those cross-account roles. Seen this setup before, that's usually what fixes it.
Option B and E, classic AWS gotcha with managed KMS keys not allowing cross-account decrypt. Gotta swap in a customer-managed key and update the bucket policy for those roles. Happens a lot in practice exams, pretty sure that's right.
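The fix the thread converges on, written out as an added example (this is not code from the original page or from AWS; the option text itself is not reproduced here). The template below lives in the build account and replaces the aws/s3 managed key with a customer managed KMS key whose key policy names the deployment roles in the other accounts, plus an artifact bucket policy that grants those same roles read access. The account IDs, the role name `CrossAccountCloudFormationRole`, and the bucket/key logical names are assumed placeholders:

```yaml
# Added example, not from the original page. Build-account template fragment:
# customer managed KMS key + artifact bucket policy for cross-account CodePipeline.
# Assumed placeholders: dev account 222222222222, prod account 333333333333, and a
# role named CrossAccountCloudFormationRole that the CloudFormation action assumes
# in each target account.
AWSTemplateFormatVersion: "2010-09-09"
Description: Cross-account artifact encryption for CodePipeline (added example)

Parameters:
  DevAccountId:
    Type: String
    Default: "222222222222"                  # assumed placeholder
  ProdAccountId:
    Type: String
    Default: "333333333333"                  # assumed placeholder
  DeployRoleName:
    Type: String
    Default: CrossAccountCloudFormationRole  # assumed role name in dev/prod

Resources:
  # Customer managed key. Unlike the aws/s3 managed key, its key policy is
  # editable and can name principals in other accounts, which is what allows
  # the dev/prod roles to decrypt the pipeline artifacts.
  ArtifactKey:
    Type: AWS::KMS::Key
    Properties:
      Description: CodePipeline artifact encryption key
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowKeyAdministrationInBuildAccount
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: "*"
          - Sid: AllowCrossAccountDeployRolesToDecrypt
            Effect: Allow
            Principal:
              AWS:
                - !Sub arn:aws:iam::${DevAccountId}:role/${DeployRoleName}
                - !Sub arn:aws:iam::${ProdAccountId}:role/${DeployRoleName}
            Action:
              - kms:Decrypt
              - kms:DescribeKey
            Resource: "*"

  # Artifact bucket encrypted with the customer managed key by default.
  ArtifactBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !GetAtt ArtifactKey.Arn

  # The bucket is owned by the build account, so principals from other accounts
  # need an explicit grant in the bucket policy in addition to the IAM
  # permissions attached to their own role.
  ArtifactBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ArtifactBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowDeployRolesToListBucket
            Effect: Allow
            Principal:
              AWS:
                - !Sub arn:aws:iam::${DevAccountId}:role/${DeployRoleName}
                - !Sub arn:aws:iam::${ProdAccountId}:role/${DeployRoleName}
            Action: s3:ListBucket
            Resource: !GetAtt ArtifactBucket.Arn
          - Sid: AllowDeployRolesToReadArtifacts
            Effect: Allow
            Principal:
              AWS:
                - !Sub arn:aws:iam::${DevAccountId}:role/${DeployRoleName}
                - !Sub arn:aws:iam::${ProdAccountId}:role/${DeployRoleName}
            Action:
              - s3:GetObject
              - s3:GetObjectVersion
            Resource: !Sub ${ArtifactBucket.Arn}/*

Outputs:
  ArtifactKeyArn:
    Description: Pass this ARN to the pipeline ArtifactStore EncryptionKey
    Value: !GetAtt ArtifactKey.Arn
```

Two things still have to line up for the CloudFormation actions to stop failing with access denied: the pipeline's `ArtifactStore` must reference the key (`EncryptionKey` with `Type: KMS` and the key ARN from the output above) so new artifacts are encrypted under it rather than under aws/s3, and each target-account role needs its own IAM policy allowing `kms:Decrypt` on that key ARN and `s3:GetObject` on the bucket, because cross-account access requires both the resource-side grants shown here and identity-side permissions in the role's account.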