Q29 — AWS DOP-C02 Ch.2
A company uses an AWS CodeArtifact repository to store Python packages developed internally. A DevOps engineer needs to use AWS CodeDeploy to deploy an application to Amazon EC2 instances. The application depends on Python packages stored in the CodeArtifact repository. The BeforeInstall lifecycle event hook will install the package. The DevOps engineer needs to grant the EC2 instances permissions to access the CodeArtifact repository. Which solution meets this requirement?
- A. Create a service-linked role for CodeArtifact and associate the role with the EC2 instances. Use the `aws codeartifact get-authorization-token` CLI command on the instances.
- B. Configure a resource-based policy on the CodeArtifact repository to allow the EC2 instance principal to perform the ReadFromRepository action.
- C. Configure an ACL on the CodeArtifact repository to allow EC2 instances to access the Python packages.
- D. Create an instance profile containing an IAM role with permissions to access CodeArtifact. Associate the instance profile with the EC2 instances. Use the `aws codeartifact login` CLI command on the instances. ✓
Correct Answer: D. Create an instance profile containing an IAM role with permissions to access CodeArtifact. Associate the instance profile with the EC2 instances. Use the `aws codeartifact login` CLI command on the instances.
Explanation
In AWS permission management, EC2 instances typically access other AWS services via IAM roles and instance profiles. AWS documentation states that CodeArtifact authentication is controlled through IAM policies; after granting permissions to EC2 instances via an instance profile, the `aws codeartifact login` command generates temporary credentials. Option A’s service-linked role is not applicable for direct CodeArtifact calls from EC2 instances; option B’s resource-based policy is not supported for CodeArtifact, as its permissions rely primarily on IAM policies; option C’s ACLs are not a valid permission mechanism for CodeArtifact. Option D aligns with AWS best practices by correctly configuring an instance profile and using the CLI to obtain tokens.