Examice

Exam DOP-C02 All QuestionsBrowse all questions from this exam

Question 110

A company uses AWS CodeArtifact to centrally store Python packages. The CodeArtifact repository is configured with the following repository policy:

A development team is building a new project in an account that is in an organization in AWS Organizations. The development team wants to use a Python library that has already been stored in the CodeArtifact repository in the organization. The development team uses AWS CodePipeline and AWS CodeBuild to build the new application. The CodeBuild job that the development team uses to build the application is configured to run in a VPC. Because of compliance requirements, the VPC has no internet connectivity.

The development team creates the VPC endpoints for CodeArtifact and updates the CodeBuild buildspec.yaml file. However, the development team cannot download the Python library from the repository.

Which combination of steps should a DevOps engineer take so that the development team can use CodeArtifact? (Choose two.)

Create an Amazon S3 gateway endpoint. Update the route tables for the subnets that are running the CodeBuild job.

Update the repository policy’s Principal statement to include the ARN of the role that the CodeBuild project uses.

Share the CodeArtifact repository with the organization by using AWS Resource Access Manager (AWS RAM).

Update the role that the CodeBuild project uses so that the role has sufficient permissions to use the CodeArtifact repository.

Specify the account that hosts the repository as the delegated administrator for CodeArtifact in the organization.

Correct Answer: B, D

To ensure the development team can use CodeArtifact, the DevOps engineer should update the role that the CodeBuild project uses so that the role has sufficient permissions to use the CodeArtifact repository. This ensures that CodeBuild can access the repository. Additionally, even though the repository policy appears to allow access to members within the organization, explicitly including the ARN of the role that the CodeBuild project uses in the Principal statement can help ensure that permissions are correctly applied. This covers any potential gaps in policy configuration or inheritance issues.

Discussion

TroyMcLureOptions: AD

I guess the answer is AD because of this: "AWS CodeArtifact operates in multiple Availability Zones and stores artifact data and metadata in Amazon S3 and Amazon DynamoDB. Your encrypted data is redundantly stored across multiple facilities and multiple devices in each facility, making it highly available and highly durable." https://aws.amazon.com/codeartifact/features/ With no internet connectivity, a gateway endpoint becomes necessary to access S3.

Arnaud92

https://docs.aws.amazon.com/codeartifact/latest/ug/create-s3-gateway-endpoint.html It clearly state that you need to create a S3 endpoint to use codeartifact in a private network.

vortegon

An Amazon S3 endpoint is not needed when using Python or Swift package formats.

syh_rapha

When this question was created, there was no exception for Python and Swift packages. You can check this using the Wayback machine: https://web.archive.org/web/20230521063821/https://docs.aws.amazon.com/codeartifact/latest/ug/create-s3-gateway-endpoint.html Considering that it's very common to have outdated questions in the exam, I'd say this is one those cases. So yeah, I'll also go with AD (also because B is not needed since the repository policy is already allowing the entire org).

RVivek

A- incorrect because the question says Devops engineers careted VPC endpoints for CodeArtifact

RVivek

AD even though Devops engineer created a CodeArtifcat still a S3 end point is required

Venki_dev

note here says "An Amazon S3 endpoint is not needed when using Python or Swift package formats." https://docs.aws.amazon.com/codeartifact/latest/ug/create-s3-gateway-endpoint.html

2pkOptions: BD

BD correct, A is incorrect because creating an Amazon S3 gateway endpoint is not required to enable connectivity to CodeArtifact. S3 endpoints are used to enable private communication to S3 buckets within a VPC, but they are not related to CodeArtifact.

BaburTurk

https://docs.aws.amazon.com/codeartifact/latest/ug/create-s3-gateway-endpoint.html CodeArtifact uses Amazon Simple Storage Service (Amazon S3) to store package assets. To pull packages from CodeArtifact, you must create a gateway endpoint for Amazon S3. When your build or deployment process downloads packages from CodeArtifact, it must access CodeArtifact to get package metadata and Amazon S3 to download package assets (for example, Maven .jar files). To create the Amazon S3 gateway endpoint for CodeArtifact, use the Amazon EC2 create-vpc-endpoint AWS CLI command. When you create the endpoint, you must select the route tables for your VPC

c3518fcOptions: BD

The issue here is policy update as the developers have already enabled VPC endpoint (CodeArtifact uses Amazon Simple Storage Service (Amazon S3) to store package assets. To pull packages from CodeArtifact, you must create a gateway endpoint for Amazon S3. When your build or deployment process downloads packages from CodeArtifact, it must access CodeArtifact to get package metadata and Amazon S3 to download package assets (for example, Maven .jar files). Note An Amazon S3 endpoint is not needed when using Python or Swift package formats. To create the Amazon S3 gateway endpoint for CodeArtifact, use the Amazon EC2 create-vpc-endpoint AWS CLI command. When you create the endpoint, you must select the route tables for your VPC. For more information, see Gateway VPC Endpoints in the Amazon Virtual Private Cloud User Guide.)

c3518fc

https://docs.aws.amazon.com/codeartifact/latest/ug/create-s3-gateway-endpoint.html

dkpOptions: BD

ANS B&D CodeArtifact uses Amazon Simple Storage Service (Amazon S3) to store package assets. To pull packages from CodeArtifact, you must create a gateway endpoint for Amazon S3. When your build or deployment process downloads packages from CodeArtifact, it must access CodeArtifact to get package metadata and Amazon S3 to download package assets (for example, Maven .jar files). Note An Amazon S3 endpoint is not needed when using Python or Swift package formats.

thanhnv142

C and D:<the development team cannot download the Python library from the repository.> indicates insufficient permission or network problem A: irrelevant B: principal is already * for everyone, including the ARN of the codebuild role E: irrelevant

xdkonorek2Options: BD

as for A: "To pull packages from CodeArtifact, you must create a gateway endpoint for Amazon S3." but... "Note - An Amazon S3 endpoint is not needed when using Python or Swift package formats." https://docs.aws.amazon.com/codeartifact/latest/ug/create-s3-gateway-endpoint.html

WhyIronManOptions: AD

A,D are correct

kyuhuckOptions: AD

'ad' correct = 'AWS codeartiface' operates in multiple availability zones and stores artiface data and metadata in amazon s3 and amazon dynamoDB your encrypted data is redundanly stored across myltiple facilities and multiple devices in each facility, marking it highly availiable and highly durable...

vortegonOptions: BD

https://docs.aws.amazon.com/codeartifact/latest/ug/create-s3-gateway-endpoint.html An Amazon S3 endpoint is not needed when using Python or Swift package formats.

abdulwahab_sysops

AD https://docs.aws.amazon.com/codeartifact/latest/ug/create-s3-gateway-endpoint.html

AWSdeveloper08Options: BD

B - This could be valid. If the CodeBuild job doesn’t have permission to access the CodeArtifact repository because of the repository policy, updating the policy to include the CodeBuild role ARN in the Principal statement could solve the access issue. D- If the role used by AWS CodeBuild does not have the necessary IAM permissions to access CodeArtifact, updating the role to grant these permissions might resolve the issue. Ensuring that the IAM role has the codeartifact:DescribePackageVersion, codeartifact:GetPackageVersionReadme, codeartifact:GetRepositoryEndpoint, codeartifact:ListPackageVersions, and codeartifact:ReadFromRepository permissions could be essential.

2pk

B is incorrect- The policy clearly indicate that the permission is given to all the resources access within the Org-ID. So this is not needed

c3518fc

Goes the policy have an ARN permission?

Jeanphi72Options: AD

https://aws.amazon.com/codeartifact/features/

Venki_devOptions: BD

BD note here says "An Amazon S3 endpoint is not needed when using Python or Swift package formats." https://docs.aws.amazon.com/codeartifact/latest/ug/create-s3-gateway-endpoint.html

zijoOptions: CD

C is needed if the codeartifact and codebuild are in different organization accounts, AWS RAM is a service that allows you to share AWS resources with other AWS accounts within your organization. AWS RAM can be used to share CodeArtifact resources across different accounts. A is not needed you do not need an S3 gateway as a VPC endpoint specifically for using AWS CodeArtifact with Python packages. AWS CodeArtifact itself manages the storage and retrieval of packages, and it uses its own service endpoints for these operations. D is needed for Ensure the IAM role used by CodeBuild has permissions to access CodeArtifact B is not needed Here it is not required because the CodeArtifact policy has Principal as *

that1guyOptions: CD

C and D A - S3 gateway endpoint is not required for Python: https://docs.aws.amazon.com/codeartifact/latest/ug/create-s3-gateway-endpoint.html B - Principal is already "*".

vn_thanhtung

Pls Read link https://docs.aws.amazon.com/ram/latest/userguide/shareable.html

seetptOptions: AD

AD because Principal is already "*".

RVivekOptions: BD

A- incorrect because the question says Devops engineers careted VPC endpoints for CodeArtifact B- Required to set the Codeartifcat persmissions C - ARM not reuired D - Crrect IArole permssin to be ccked E-- incorrect

RVivek

AD even though Devops engineer created a CodeArtifcat still a S3 end point is required