AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 381

A company uses an AWS CodeArtifact repository to store Python packages that the company developed internally. A DevOps engineer needs to use AWS CodeDeploy to deploy an application to an Amazon EC2 instance. The application uses a Python package that is stored in the CodeArtifact repository. A BeforeInstall lifecycle event hook will install the package.

The DevOps engineer needs to grant the EC2 instance access to the CodeArtifact repository.

Which solution will meet this requirement?

Answer options

• A. Create a service-linked role for CodeArtifact. Associate the role with the EC2 instance. Use the aws codeartifact get-authorization-token CLI command on the instance.
• B. Configure a resource-based policy for the CodeArtifact repository that allows the ReadFromRepository action for the EC2 instance principal.
• C. Configure ACLs on the CodeArtifact repository to allow the EC2 instance to access the Python package.
• D. Create an instance profile that contains an IAM role that has access to CodeArtifact. Associate the instance profile with the EC2 instance. Use the aws codeartifact login CLI command on the instance.

Correct answer: D

Explanation

To allow an Amazon EC2 instance to fetch packages from an AWS CodeArtifact repository, the instance must be associated with an IAM role via an instance profile that grants CodeArtifact permissions. Additionally, the instance must authenticate with CodeArtifact, which is achieved by running the 'aws codeartifact login' CLI command to configure the local package manager (such as pip) with the correct repository credentials. CodeArtifact does not use traditional ACLs, and service-linked roles cannot be directly assigned to EC2 instances for this purpose.