AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 28

To run an application, a DevOps engineer launches an Amazon EC2 instance with public IP addresses in a public subnet. A user data script obtains the application artifacts and installs them on the instances upon launch. A change to the security classification of the application now requires the instances to run with no access to the internet. While the instances launch successfully and show as healthy, the application does not seem to be installed.
Which of the following should successfully install the application while complying with the new rule?

Answer options

• A. Launch the instances in a public subnet with Elastic IP addresses attached. Once the application is installed and running, run a script to disassociate the Elastic IP addresses afterwards.
• B. Set up a NAT gateway. Deploy the EC2 instances to a private subnet. Update the private subnet's route table to use the NAT gateway as the default route.
• C. Publish the application artifacts to an Amazon S3 bucket and create a VPC endpoint for S3. Assign an IAM instance profile to the EC2 instances so they can read the application artifacts from the S3 bucket.
• D. Create a security group for the application instances and allow only outbound traffic to the artifact repository. Remove the security group rule once the install is complete.

Correct answer: C

Explanation

Option C is correct because it allows the EC2 instances to access the application artifacts stored in S3 without requiring internet access, by using a VPC endpoint. Option A does not comply with the no-internet access requirement after installation, and Option B would still require internet access for the NAT gateway. Option D allows temporary internet access, which contradicts the new rule of no internet access.