Q33 — AWS DOP-C02 Ch.3
A company has containerized all its internal applications. The company runs Jenkins on Amazon EC2 instances, which require patching and upgrading. A compliance officer has directed the DevOps engineer to begin encrypting build artifacts, as they contain the company's intellectual property.
- A. Use AWS Systems Manager to automatically patch and upgrade EC2 instances by default, and encrypt Amazon EBS volumes.
- B. Deploy Jenkins to an Amazon ECS cluster and copy build artifacts to an Amazon S3 bucket with default encryption enabled.
- C. Leverage AWS CodePipeline for build operations and use AWS Secrets Manager to encrypt artifacts.
- D. Replace the Jenkins instance running on EC2 with AWS CodeBuild, which includes artifact encryption. ✓
Correct Answer: D. Replace the Jenkins instance running on EC2 with AWS CodeBuild, which includes artifact encryption.
Explanation
AWS documentation states that AWS CodeBuild, as a fully managed service, includes built-in encryption for build artifacts. Option D replaces the self-managed Jenkins instance with CodeBuild and relies on its default AES-256 encryption of build artifacts, in keeping with the 'least maintenance effort' principle of serverless architecture. Option A addresses only infrastructure-level encryption, not application-layer data. Option B introduces extra storage steps and complexity. Option C misuses AWS Secrets Manager, which is designed for credential management, not file encryption. Option D achieves automated encryption through service replacement, meeting the core requirement of 'easiest maintenance'.