When you create a pipeline from CodePipeline during the step-by-step it creates a CloudWatch Event

rule for a given branch and repo

like this:

{

"source": [

"aws.codecommit"

],

"detail-type": [

"CodeCommit Repository State Change"

],

"resources": [

"arn:aws:codecommit:us-east-1:xxxxx:repo-name"

],

"detail": {

"event": [

"referenceCreated",

"referenceUpdated"

],

"referenceType": [

"branch"

],

"referenceName": [

"master"

]

}

}

https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-trigger-source-repochanges-console.html

Comprehensive and Detailed Explanation From Exact Extract:

To allow an EC2 instance to access CodeArtifact, an IAM role attached via an instance profile must be

granted permissions to access the CodeArtifact repository. The EC2 instance assumes this role.

The instance then uses the AWS CLI command aws codeartifact login to authenticate and configure

the package manager (e.g., pip) to use the CodeArtifact repository. This command obtains an

authorization token and sets up repository credentials securely on the instance.

Service-linked roles (Option A) are managed by AWS services, not used for instance access.

CodeArtifact does not support ACLs (Option C), and resource-based policies (Option B) do not grant

access to EC2 instances by principal.

This method is standard for securely managing credentials and access to CodeArtifact in automated

deployments.

Reference:

AWS CodeArtifact Access Control and Authentication:

"Use IAM roles attached to compute resources and the aws codeartifact login command to

authenticate to repositories."

(AWS CodeArtifact Developer Guide)

Option A is incorrect because setting the deployment configuration to LambdaAllAtOnce means that

the new version of the application will be deployed to all Lambda functions at once, affecting all

customers. This does not meet the requirement of affecting the fewest customers possible.

Moreover, configuring automatic rollbacks on the deployment group is not operationally efficient, as

it requires manual intervention to fix the errors and redeploy the application.

Option B is correct because setting the deployment configuration to

LambdaCanary10Percent10Minutes means that the new version of the application will be deployed

to 10 percent of the Lambda functions first, and then to the remaining 90 percent after 10 minutes.

This minimizes the impact of errors on customers, as only 10 percent of them will be affected by a

faulty deployment. Configuring automatic rollbacks on the deployment group also meets the

requirement of reverting to the most recent stable version of the application when an error is

detected. Creating a CloudWatch alarm that detects HTTP Bad Gateway errors on API Gateway is a

valid way to monitor the health of the application and trigger a rollback if needed.

Option C is incorrect because setting the deployment configuration to LambdaAllAtOnce means that

the new version of the application will be deployed to all Lambda functions at once, affecting all

customers. This does not meet the requirement of affecting the fewest customers possible.

Moreover, configuring manual rollbacks on the deployment group is not operationally efficient, as it

requires human intervention to stop the current deployment and start a new one. Creating an SNS

topic to send notifications every time a deployment fails is not sufficient to detect errors in the

application, as it does not monitor the API Gateway responses.

Option D is incorrect because configuring manual rollbacks on the deployment group is not

operationally efficient, as it requires human intervention to stop the current deployment and start a

new one. Creating a metric filter on a CloudWatch log group for API Gateway to monitor HTTP Bad

Gateway errors is a valid way to monitor the health of the application, but invoking a new Lambda

function to perform a rollback is unnecessary and complex, as CodeDeploy already provides

automatic rollback functionality.

AWS CodeDeploy Deployment Configurations

[AWS CodeDeploy Rollbacks]

Amazon CloudWatch Alarms

:

:

:

The requirement is to create automation that deletes unattached EBS volumes that have been

unattached for 14 days. To do this, the DevOps engineer needs to use the following steps:

Create an Amazon CloudWatch Events rule to execute an AWS Lambda function daily. CloudWatch

Events is a service that enables event-driven architectures by delivering events from various sources

to targets. Lambda is a service that lets you run code without provisioning or managing servers. By

creating a CloudWatch Events rule that executes a Lambda function daily, the DevOps engineer can

schedule a recurring task to check and delete unattached EBS volumes.

The Lambda function should find unattached EBS volumes and tag them with the current date, and

delete unattached volumes that have tags with dates that are more than 14 days old. The Lambda

function can use the EC2 API to list and filter unattached EBS volumes based on their state and tags.

The function can then tag each unattached volume with the current date using the create-tags

command. The function can also compare the tag value with the current date and delete any

unattached volume that has been tagged more than 14 days ago using the delete-volume command.

Option A is incorrect because S3 event notifications do not support s3.ObjectTagging:Put events. S3

event notifications only support events related to object creation, deletion, replication, and restore.

Moreover, enabling bucket versioning on the S3 bucket is not relevant to the tagging requirements,

as it only keeps multiple versions of objects in the bucket.

Option B is incorrect because enabling server access logging on the S3 bucket does not help with

tagging the resources. Server access logging only records requests for access to the bucket or its

objects. It does not capture the user ID or the cost center ID of the resources. Furthermore, creating

an S3 event notification on the S3 bucket for s3.ObjectTagging:Put events is not possible, as

explained in option A.

Option C is incorrect because creating a recurring hourly Amazon EventBridge scheduled rule that

invokes the Lambda function is not efficient or timely. The Lambda function would have to read the

logs from the S3 bucket every hour and tag the resources accordingly, which could incur unnecessary

costs and delays. A better solution would be to trigger the Lambda function as soon as a resource is

created, rather than waiting for an hourly schedule.

Option D is correct because creating an Amazon EventBridge rule that uses Amazon EC2 as the event

source and matches events delivered by CloudTrail is a valid way to tag the resources. CloudTrail

records all API calls made to AWS services, including EC2, and delivers them as events to

EventBridge. The EventBridge rule can filter the events based on the user ID and the resource type,

and then target the Lambda function to tag the resources with the cost center ID. This solution meets

the tagging requirements in a timely and efficient manner.

S3 event notifications

Server access logging

Amazon EventBridge rules

AWS CloudTrail

"You can use subscriptions to get access to a real-time feed of log events from CloudWatch Logs and

have it delivered to other services such as an Amazon Kinesis stream, an Amazon Kinesis Data

Firehose stream, or AWS Lambda for custom processing, analysis, or loading to other systems. When

log events are sent to the receiving service, they are Base64 encoded and compressed with the gzip

format." See https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Subscriptions.html

https://docs.aws.amazon.com/codedeploy/latest/userguide/reference-appspec-file-structurehooks.html