Q92 — AWS DOP-C02 Ch.1

Question 92 of 100 (Chapter 1)

To run an application, a DevOps engineer launches Amazon EC2 instances with public IP addresses in a public subnet. A user data script fetches application artifacts and installs them on the instance during launch. A new security classification requirement mandates that the instances operate without internet access. After the change, the instances launch successfully and appear healthy, but the application is not installed.

Correct Answer: C. Publish the application artifacts to an Amazon S3 bucket and create a VPC endpoint for S3. Assign an IAM instance profile to the EC2 instance to allow reading from the S3 bucket.

Explanation

This question tests secure retrieval of application artifacts on EC2 instances that have no internet access. AWS documentation states that VPC endpoints provide private connectivity from a VPC to supported AWS services (for example, S3) without traversing the public internet. Option C combines an S3 VPC endpoint, which supplies the private network path to the bucket, with an IAM instance profile, which supplies the credentials and authorization the user data script needs to read the artifacts; together they fully satisfy the no-internet-access requirement. Options A and B still rely on internet access (via a public IP address or a NAT gateway). Option D does not resolve the routing problem and assumes the external repository remains reachable, which violates the constraint. The correct answer, C, uses native AWS private networking together with least-privilege IAM authorization.