
Answer-first summary for fast verification
Answer (B): Create a customer managed KMS key. Configure the KMS key policy to allow the IAM roles used by the CloudFormation action to perform decrypt operations. Modify the pipeline to use the customer managed KMS key to encrypt artifacts.
Answer (E): In the development account and in the production account, create an IAM role for CodePipeline. Configure the roles with permissions to perform CloudFormation operations and with permissions to retrieve and decrypt objects from the artifacts S3 bucket. In the CodePipeline account, modify the artifacts S3 bucket policy to allow the roles access. Configure the CodePipeline CloudFormation action to use the roles.
The correct answers are B and E. AWS managed KMS keys cannot be modified to allow cross-account access, which means that artifacts encrypted with an AWS managed key cannot be accessed by other AWS accounts. Therefore, option C is incorrect. Option B involves creating a customer managed KMS key and configuring the key policy to allow the necessary IAM roles to decrypt the artifacts, which resolves the encryption issue. Additionally, in option E, IAM roles need to be created in both the development and production accounts with the necessary permissions to perform CloudFormation operations and access the artifacts. The S3 bucket policy must also be modified to allow these roles to access the S3 bucket where artifacts are stored. Together, these actions ensure that the CloudFormation actions in the deployment stages can successfully access and decrypt the artifacts, resolving the access denied error.
Author: LeetQuiz Editorial Team
A company is constructing a CI/CD pipeline using AWS CodePipeline and AWS CodeBuild within a dedicated build account. This pipeline comprises two stages: the initial stage involves a CodeBuild job responsible for building and packaging an AWS Lambda function, while the second stage involves deployment actions across two distinct AWS accounts representing a development environment and a production environment. These deployment stages leverage AWS CloudFormation actions initiated by CodePipeline to deploy the necessary infrastructure for the Lambda function. The pipeline is set up to encrypt build artifacts using the AWS Key Management Service (AWS KMS) with the AWS-managed key for Amazon S3 (aws/s3 key), and these artifacts are stored in an S3 bucket. Despite these configurations, when the pipeline executes, the CloudFormation actions encounter an access denied error. What steps must the DevOps engineer undertake to rectify this issue?
A. Create an S3 bucket in each AWS account for the artifacts. Allow the pipeline to write to the S3 buckets. Create a CodePipeline S3 action to copy the artifacts to the S3 bucket in each AWS account. Update the CloudFormation actions to reference the artifacts S3 bucket in the production account.
B. Create a customer managed KMS key. Configure the KMS key policy to allow the IAM roles used by the CloudFormation action to perform decrypt operations. Modify the pipeline to use the customer managed KMS key to encrypt artifacts.
C. Create an AWS managed KMS key. Configure the KMS key policy to allow the development account and the production account to perform decrypt operations. Modify the pipeline to use the KMS key to encrypt artifacts.
D. In the development account and in the production account, create an IAM role for CodePipeline. Configure the roles with permissions to perform CloudFormation operations and with permissions to retrieve and decrypt objects from the artifacts S3 bucket. In the CodePipeline account, configure the CodePipeline CloudFormation action to use the roles.
E. In the development account and in the production account, create an IAM role for CodePipeline. Configure the roles with permissions to perform CloudFormation operations and with permissions to retrieve and decrypt objects from the artifacts S3 bucket. In the CodePipeline account, modify the artifacts S3 bucket policy to allow the roles access. Configure the CodePipeline CloudFormation action to use the roles.