Q: 4
A company is building a new pipeline by using AWS CodePipeline and AWS CodeBuild in a build
account. The pipeline consists of two stages. The first stage is a CodeBuild job to build and package
an AWS Lambda function. The second stage consists of deployment actions that operate on two
different AWS accounts: a development environment account and a production environment account.
The deployment stages use the AWS CloudFormation action that CodePipeline invokes to deploy
the infrastructure that the Lambda function requires.
A DevOps engineer creates the CodePipeline pipeline and configures the pipeline to encrypt build
artifacts by using the AWS Key Management Service (AWS KMS) AWS managed key for Amazon S3
(the aws/s3 key). The artifacts are stored in an S3 bucket. When the pipeline runs, the
CloudFormation actions fail with an access denied error.
Which combination of actions must the DevOps engineer perform to resolve this error? (Select
TWO.)
Options
Discussion
B/E? Using a customer managed KMS key (B) makes sense for controlling decrypt permissions, and E nails the IAM role plus S3 bucket policy part for cross-account CloudFormation. That's usually what AWS recommends, I think. Let me know if you see it differently!
Maybe B and E. Letting CloudFormation decrypt artifacts with a customer managed KMS key (B) is key here, and E covers bucket policy plus cross-account IAM setup for CloudFormation actions. Saw a similar scenario in practice exams, this lines up with best-practice permissions. Clear question layout!