Q37 — AWS DOP-C02 Ch.1
A company stores application source code based on a tiered architecture in AWS CodeCommit. The company deploys applications using AWS CodePipeline. The CodeCommit repository and CodePipeline are deployed in the same AWS account. The company’s security team requires scanning all code for vulnerabilities before deployment to production. If any vulnerabilities are found, deployment must halt.
- A. Create a new CodeBuild project. Configure the project to run a security scan using Amazon CodeGuru Security. Configure the CodeBuild project to fail if CodeGuru Security detects vulnerabilities. Create a new IAM role with sufficient permissions to run CodeGuru Security scans and assign it to the CodeBuild project. In the pipeline, add a new stage before the deploy stage. Select AWS CodeBuild as the action provider for the new stage. Use source artifacts from the CodeCommit repository and configure the action to use the CodeBuild project. ✓
- B. Create a new CodeBuild project. Configure the project to use Amazon Inspector for security scanning. Configure the CodeBuild project to fail if Amazon Inspector detects vulnerabilities. Create a new IAM role with sufficient permissions to run Amazon Inspector scans and assign it to the CodeBuild project. In the pipeline, add a new stage before the deploy stage. Select AWS CodeBuild as the action provider for the new stage. Use source artifacts from the CodeCommit repository and configure the action to use the CodeBuild project.
- C. Update the IAM role attached to CodePipeline to include sufficient permissions to invoke Amazon DevOps Guru. In the pipeline, add a new stage before the deploy stage. Select Amazon DevOps Guru as the action provider for the new stage. Use source artifacts from the CodeCommit repository.
- D. Update the IAM role attached to CodePipeline to include sufficient permissions to invoke Amazon DevOps Guru. In the pipeline, add a new stage before the deploy stage. Select Amazon CodeGuru Security as the action provider for the new stage. Use source artifacts from the CodeCommit repository.
Correct Answer: A.
Explanation
Amazon CodeGuru Security is a static application security testing (SAST) service for source code, and it integrates with AWS CodeBuild and CodePipeline. Option A is correct because it runs the CodeGuru Security scan inside a CodeBuild project in a stage placed before the deploy stage, and fails the build when vulnerabilities are detected; a failed CodeBuild action stops the pipeline, so deployment halts as the security team requires. The IAM role attached to the CodeBuild project, not the pipeline role, is what grants permission to run the scan. Option B is wrong because Amazon Inspector assesses deployed resources (such as instances, container images and Lambda functions), not source code in a repository. Options C and D are wrong because Amazon DevOps Guru provides operational insights and anomaly detection rather than code vulnerability scanning, and because neither DevOps Guru nor CodeGuru Security is a native CodePipeline action provider; selecting them as a stage action bypasses the CodeBuild execution context that actually runs the scan and turns a finding into a pipeline failure.