Examice

Exam DOP-C02 All QuestionsBrowse all questions from this exam

Question 129

A DevOps engineer is working on a project that is hosted on Amazon Linux and has failed a security review. The DevOps manager has been asked to review the company buildspec.yaml file for an AWS CodeBuild project and provide recommendations. The buildspec.yaml file is configured as follows:

What changes should be recommended to comply with AWS security best practices? (Choose three.)

Add a post-build command to remove the temporary files from the container before termination to ensure they cannot be seen by other CodeBuild users.

Update the CodeBuild project role with the necessary permissions and then remove the AWS credentials from the environment variable.

Store the DB_PASSWORD as a SecureString value in AWS Systems Manager Parameter Store and then remove the DB_PASSWORD from the environment variables.

Move the environment variables to the ‘db-deploy-bucket’ Amazon S3 bucket, add a prebuild stage to download, then export the variables.

Use AWS Systems Manager run command versus scp and ssh commands directly to the instance.

Scramble the environment variables using XOR followed by Base64, add a section to install, and then run XOR and Base64 to the build phase.

Correct Answer: B, C, E

To comply with AWS security best practices for the CodeBuild project, the following actions should be taken: Remove the AWS credentials from the environment variable and update the CodeBuild project role with the necessary permissions to minimize exposure of sensitive access keys. Store the DB_PASSWORD as a SecureString in AWS Systems Manager Parameter Store to secure sensitive data and remove it from the build environment. Use AWS Systems Manager run command rather than direct scp and ssh commands, which provides more secure and auditable interactions with the instance.

Discussion

WhyIronManOptions: BCE

BCE is correct A is WRONG. CodeBuild does not keep files for next builds in that way, once the build is done, the files will be deleted.

sb333Options: BCE

BCE are the correct answers.

zain1258Options: BCE

It's BCE. A is wrong. I don't think there is any concept of `CodeBuild users`.

devnv

Sorry, I've read again and it's AB & C.

2pk

I think its A, B & C

Diego1414Options: ABC

ABC seems appropriate, since the emphasis is on security.

thanhnv142Options: ABC

ABC are correct: security best practices are related to removing credentials and sensitive data - A remove temporary files is important because they might contain sensitive data - B: <remove the AWS credentials> is removing the access key - C: <remove the DB_PASSWORD> means removing hardcoded DB_PASSWORD All other options dont relate to senstive data or password

Certified101Options: BCE

BCE are the correct ones.

FunkyFrescoOptions: BCE

BCE are the correct ones.

ParagSanyashivOptions: BCE

BCE is correct

ericphlOptions: ABC

ABC seems right.

ajeeshbOptions: ABC

A - Cleans up temp files that stores the my.cnf and the instance key files B - Removes hardcoded AWS credentials C - Securely stores DB password

sarlos

its BCE https://stackoverflow.com/questions/76854227/i-want-to-copy-files-to-aws-ec2-using-buildspec-yml-file-the-22-port-is-open-fo

buiquangbk90

BCE https://www.examtopics.com/discussions/amazon/view/46729-exam-aws-devops-engineer-professional-topic-1-question-17/

einnOptions: ABC

A: remove sensitive data that could left behind in container B: remove crendentials and use role C: Use SecureString AWS Systems Manager Parameter Store

Kodoma

BCE is correct answer

devnv

Yes BCE are correct