AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 221

A company deploys an application on on-premises devices in the company’s on-premises data center. The company uses an AWS Direct Connect connection between the data center and the company's AWS account. During initial setup of the on-premises devices and during application updates, the application needs to retrieve configuration files from an Amazon Elastic File System (Amazon EFS) file system.

All traffic from the on-premises devices to Amazon EFS must remain private and encrypted. The on-premises devices must follow the principle of least privilege for AWS access. The company's DevOps team needs the ability to revoke access from a single device without affecting the access of the other devices.

Which combination of steps will meet these requirements? (Choose two.)

Answer options

• A. Create an IAM user that has an access key and a secret key for each device. Attach the AmazonElasticFileSystemFullAccess policy to all IAM users. Configure the AWS CLI on the on-premises devices to use the IAM user's access key and secret key.
• B. Generate certificates for each on-premises device in AWS Private Certificate Authority. Create a trust anchor in IAM Roles Anywhere that references an AWS Private CA. Create an IAM role that trust IAM Roles Anywhere. Attach the AmazonElasticFileSystemClientReadWriteAccess to the role. Create an IAM Roles Anywhere profile for the IAM role. Configure the AWS CLI on the on-premises devices to use the aws_signing_helper command to obtain credentials.
• C. Create an IAM user that has an access key and a secret key for all devices. Attach the AmazonElasticFileSystemClientReadWriteAccess policy to the IAM user. Configure the AWS CLI on the on-premises devices to use the IAM user's access key and secret key.
• D. Use the amazon-efs-utils package to mount the EFS file system.
• E. Use the native Linux NFS client to mount the EFS file system.

Correct answer: B, D

Explanation

Option B is correct because it uses AWS Private Certificate Authority and IAM Roles Anywhere to securely manage access and allows for fine-grained control over the permissions of each device, adhering to the principle of least privilege. Option D is also correct as it provides a method to mount the EFS file system securely. Options A and C are incorrect since they do not offer the required granular access control and would make it difficult to revoke access from a single device without affecting others.