Q92 — AWS DOP-C02 Ch.1
To run an application, a DevOps engineer launches Amazon EC2 instances with public IP addresses in a public subnet. A user data script fetches application artifacts and installs them on the instance during launch. A new security classification requirement mandates that instances operate without internet access. Although instances launch successfully and appear healthy, the application appears not to install.
- A. Launch the instance in a public subnet with an Elastic IP address. After the application installs and runs, run a script to disassociate the Elastic IP address.
- B. Set up a NAT gateway. Deploy the EC2 instance into a private subnet. Update the private subnet’s route table to use the NAT gateway as the default route.
- C. Publish the application artifacts to an Amazon S3 bucket and create a VPC endpoint for S3. Assign an IAM instance profile to the EC2 instance to allow reading from the S3 bucket. ✓
- D. Create a security group for the application instance that allows outbound traffic only to the artifact repository. Remove the security group rules after installation.
Correct Answer: C. Publish the application artifacts to an Amazon S3 bucket and create a VPC endpoint for S3. Assign an IAM instance profile to the EC2 instance to allow reading from the S3 bucket.
Explanation
This question tests secure retrieval of application artifacts on EC2 instances with no internet access. AWS documentation states that VPC endpoints enable private connectivity from a VPC to supported AWS services (e.g., S3) without traversing the public internet. Option C uses an S3 VPC endpoint and an IAM instance profile to grant secure, private access to the artifacts, which fully satisfies the no-internet-access requirement. Options A and B still permit internet access (via a public IP or a NAT gateway). Option D does not resolve routing and assumes the external repository is reachable, which violates the constraint. Option C relies on native AWS private networking and least-privilege IAM authorization.