
DOP-C02 Question #144: Real Exam Question with Answer & Explanation

Submitted by hassan_iq · Mar 6, 2026 · Security & Compliance

Question

A DevOps engineer is working on a project that is hosted on Amazon Linux and has failed a security review. The DevOps manager has been asked to review the company's buildspec.yaml file for an AWS CodeBuild project and provide recommendations. The buildspec.yaml file is configured as follows: What changes should be recommended to comply with AWS security best practices? (Choose three.)

Options

  • A. Add a post-build command to remove the temporary files from the container before termination to
  • B. Update the CodeBuild project role with the necessary permissions and then remove the AWS
  • C. Store the DB_PASSWORD as a SecureString value in AWS Systems Manager Parameter Store and
  • D. Move the environment variables to the 'db-deploy-bucket' Amazon S3 bucket, add a prebuild stage to
  • E. Use AWS Systems Manager Run Command versus scp and ssh commands directly to the instance.
  • F. Scramble the environment variables using XOR followed by Base64, add a section to install, and then

Explanation

Options B, C, and E align with AWS security best practices for protecting credentials and managing remote access securely. B is correct because hardcoding AWS access keys in a buildspec.yaml file is a critical security risk: the CodeBuild service role should be granted the necessary IAM permissions, so the build receives temporary credentials automatically and static access keys are not needed at all. C is correct because sensitive values such as DB_PASSWORD should never appear in plaintext in a buildspec file; storing them as SecureString parameters in AWS Systems Manager Parameter Store encrypts them at rest, and CodeBuild can pull them into the build environment at runtime through the env.parameter-store mapping in the buildspec (env.secrets-manager does the same for AWS Secrets Manager). E is correct because using AWS Systems Manager Run Command (or Session Manager) avoids opening SSH ports and eliminates the need to distribute and rotate SSH keys, significantly reducing the attack surface.
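To make the three fixes concrete, here is an added example (not part of the exam page or of any AWS tooling): a small linter that flags the anti-patterns B, C and E correct in a buildspec.yaml, run over a constructed "before" buildspec and its hardened "after" form. The sample buildspecs, the parameter name /prod/app/db_password, the db-deploy-bucket S3 path and the Role=app tag filter are assumptions for illustration; the key material is AWS's documented placeholder credentials, not real keys.

```python
"""Added example: lint a CodeBuild buildspec.yaml for three anti-patterns.

Rules:
  static-access-key : a literal AWS access key ID (AKIA.../ASIA...) anywhere
                      in the file -> use the CodeBuild project role (B)
  plaintext-secret  : a sensitive-looking name under env.variables with a
                      literal value -> env.parameter-store / secrets-manager (C)
  direct-ssh        : ssh/scp in a phase command -> SSM Run Command (E)

Line-based regex checks, so no YAML library is needed. Both buildspecs below
are constructed for this example; they are not the exam's buildspec.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed "before": AWS's documented placeholder keys, a plaintext DB
# password, and a deploy step that scp/ssh's straight to an instance.
BAD_BUILDSPEC = """\
version: 0.2
env:
  variables:
    AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
    AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    DB_PASSWORD: "Sup3rS3cret!"
phases:
  build:
    commands:
      - scp -i ./deploy.pem app.tar.gz ec2-user@10.0.1.25:/opt/app/
      - ssh -i ./deploy.pem ec2-user@10.0.1.25 'sudo systemctl restart app'
"""

# Constructed "after": credentials come from the project role, DB_PASSWORD is
# a SecureString fetched at runtime, and the deploy step runs through SSM.
# Parameter name, bucket and tag filter are assumed values.
GOOD_BUILDSPEC = """\
version: 0.2
env:
  parameter-store:
    DB_PASSWORD: /prod/app/db_password
phases:
  build:
    commands:
      - aws s3 cp app.tar.gz s3://db-deploy-bucket/app.tar.gz
      - aws ssm send-command --document-name AWS-RunShellScript --targets Key=tag:Role,Values=app --parameters 'commands=["aws s3 cp s3://db-deploy-bucket/app.tar.gz /opt/app/","sudo systemctl restart app"]'
"""

ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
KEY_VALUE = re.compile(r"^(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*:\s*(?P<val>\S.*)$")
SENSITIVE_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|ACCESS_KEY|API_KEY", re.I)
REMOTE_SHELL = re.compile(r"(?:^|\s)(?:ssh|scp)\s")


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    remedy: str


def lint_buildspec(text: str) -> list[Finding]:
    findings: list[Finding] = []
    in_variables = False   # currently inside an env.variables block
    var_indent = -1        # indentation of the 'variables:' key itself
    for n, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if in_variables and indent <= var_indent:
            in_variables = False          # dedented out of env.variables
        if stripped == "variables:":
            in_variables, var_indent = True, indent
            continue
        if ACCESS_KEY_ID.search(stripped):
            findings.append(Finding(n, "static-access-key",
                "remove the key; grant the permission to the CodeBuild project role"))
            continue                      # do not double-report this line
        if in_variables:
            m = KEY_VALUE.match(stripped)
            if m and SENSITIVE_NAME.search(m.group("key")):
                findings.append(Finding(n, "plaintext-secret",
                    f"move {m.group('key')} to env.parameter-store (SecureString) or env.secrets-manager"))
        if stripped.startswith("-") and REMOTE_SHELL.search(stripped):
            findings.append(Finding(n, "direct-ssh",
                "replace ssh/scp with aws ssm send-command (AWS-RunShellScript)"))
    return findings


if __name__ == "__main__":
    for label, spec in (("BAD", BAD_BUILDSPEC), ("GOOD", GOOD_BUILDSPEC)):
        found = lint_buildspec(spec)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print(f"  line {f.line:>2} {f.rule:<18} {f.remedy}")
```

Run against the constructed "before" spec the linter reports five findings (one static key, two plaintext secrets, two ssh/scp commands); the hardened spec reports none. The `static-access-key` rule is deliberately not limited to env.variables, because a key pasted into a shell command is just as bad as one declared as a variable.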

Why the distractors are wrong:

  • A - Removing temp files from a container before termination is a minor housekeeping task, not a meaningful security fix for the issues identified.
  • D - Storing environment variables in an S3 bucket does not provide the same encryption, access control, and audit trail as Parameter Store or Secrets Manager.
  • F - XOR followed by Base64 is encoding, not encryption: anyone who can read the buildspec can read the XOR pad and reverse it, so it provides no real security and is a classic anti-pattern ("security through obscurity").

Memory Tip

Think "No Keys, No Plaintext, No SSH" - use IAM roles instead of access keys, Parameter Store for secrets, and SSM instead of direct SSH connections.

Topics

Secrets Management · IAM Best Practices · AWS Systems Manager · CodeBuild Security
