Amazon Web Services DOP-C02 Exam With Confidence Using Practice Dumps

To meet the requirements of deploying a workload on several hundred EC2 instances with least-privilege permissions and temporary security credentials, the company should use an IAM role and an instance profile. An IAM role is a way to grant permissions to an entity that you trust, such as an EC2 instance. An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts. By using an IAM role and an instance profile, the EC2 instances can automatically receive temporary security credentials from the AWS Security Token Service (STS) and use them to access the S3 buckets. This way, the company does not need to manage or rotate any long-term credentials, such as IAM users or access keys.

To use an IAM role and an instance profile, the company should create an IAM role that has the appropriate permissions for S3 buckets. The permissions should allow the EC2 instances to read from the source S3 bucket and write to the destination S3 bucket. The company should also create a trust policy for the IAM role that specifies that EC2 is allowed to assume the role. Then, the company should add the IAM role to an instance profile. An instance profile can have only one IAM role, so the company does not need to create multiple roles or profiles for this scenario.

Next, the company should update the launch template to include the IAM instance profile. A launch template is a way to save launch parameters for EC2 instances, such as the instance type, security group, user data, and IAM instance profile. By using a launch template, the company can ensure that all EC2 instances in the Auto Scaling group have consistent configuration and permissions. The company should specify the name or ARN of the IAM instance profile in the launch template. This way, when the Auto Scaling group launches new EC2 instances based on the launch template, they will automatically receive the IAM role and its permissions through the instance profile.

The other options are not correct because they do not meet the requirements or follow best practices. Creating an IAM user and generating a secret key and token is not a good option because it involves managing long-term credentials that need to be rotated regularly. Moreover, embedding credentials in user data is not secure because user data is visible to anyone who can describe the EC2 instance. Creating a trust anchor and profile is not a valid option because trust anchors are used for certificate-based authentication, not for IAM roles or instance profiles. Modifying user data to use a new secret key and token is also not a good option because it requires updating user data every time the credentials change, which is not scalable or efficient.

1: AWS Certified DevOps Engineer - Professional Certification | AWS Certification | AWS

2: DevOps Resources - Amazon Web Services (AWS)

3: Exam Readiness: AWS Certified DevOps Engineer - Professional

IAM Roles for Amazon EC2 - AWS Identity and Access Management

Working with Instance Profiles - AWS Identity and Access Management

Launching an Instance Using a Launch Template - Amazon Elastic Compute Cloud

Temporary Security Credentials - AWS Identity and Access Management

 Modify the Build Stage to Add a Test Action with a RunOrder Value of 2:

The build stage in AWS CodePipeline can have multiple actions. By adding a test action with a runOrder value of 2, the test action will execute after the initial build action completes.

 Use AWS CodeBuild as the Action Provider to Run Unit Tests:

AWS CodeBuild is a fully managed build service that compiles source code, runs tests, and produces software packages.

Using CodeBuild to run unit tests ensures that the tests are executed in a controlled environment and that only the code changes that pass the unit tests proceed to the deploy stage.

Example configuration in CodePipeline:

{

" name " : " BuildStage " ,

" actions " : [

{

" name " : " Build " ,

" actionTypeId " : {

" category " : " Build " ,

" owner " : " AWS " ,

" provider " : " CodeBuild " ,

" version " : " 1 "

},

" runOrder " : 1

},

{

" name " : " Test " ,

" actionTypeId " : {

" category " : " Test " ,

" owner " : " AWS " ,

" provider " : " CodeBuild " ,

" version " : " 1 "

},

" runOrder " : 2

}

]

}

By integrating the unit tests into the build stage and ensuring they run after the build process, the pipeline guarantees that only code changes passing all unit tests are deployed.

Comprehensive and Detailed Explanation From Exact Extract of DevOps Engineer documents only:

During an Amazon ECS service deployment, if tasks fail the Elastic Load Balancing target group health checks, Amazon ECS considers those tasks unhealthy and stops and replaces them. This behavior can cause the deployment to remain incomplete because healthy replacement tasks never become available.

Also, if an essential container in the task exits, the entire task stops. Since the question states that the new tasks enter a stopped state soon after launch, an essential container failure is a direct and highly likely cause.

Why the other options are incorrect:

B. The IAM role used by the DevOps engineer to update the ECS service does not need RunTask permission for the tasks to remain running after launch. A permission issue here would more likely affect the update action itself rather than cause launched tasks to stop shortly afterward.

C. Although CloudWatch Logs configuration problems can affect logging, the missing log group is not the most likely direct reason for ECS tasks to repeatedly stop in this deployment scenario.

D. The task role provides permissions to the application code running inside the container. It is not the role primarily responsible for launching the task. Task startup is typically related to the task execution role, ECS service behavior, container health, and load balancer checks.