A DevOps engineer is building a centralized CI/CD pipeline using AWS CodeBuild, AWS CodeDeploy, and Amazon S3. The engineer is required to have least privilege access and individual encryption at rest for all artifacts in Amazon S3. The engineer must be able to prune old artifacts without the ability to download or read them.
The engineer has already completed the following steps:
1. Created a unique AWS KMS CMK and S3 bucket for each project’s builds.
2. Updated the S3 bucket policy to only allow uploads that use the associated KMS encryption.
Which final step should be taken to meet these requirements?
A. Update the attached IAM policies to allow access to the appropriate KMS key from the CodeDeploy role where the application will be deployed.
B. Update the attached IAM policies to allow access to the appropriate KMS key from the EC2 instance roles where the application will be deployed.
C. Update the CMK key policy to allow access to the appropriate KMS key from the CodeDeploy role where the application will be deployed.
D. Update the CMK key policy to allow to the appropriate KMS key from the EC2 instance roles where the application will be deployed.
The engineer has already completed the following steps:
1. Created a unique AWS KMS CMK and S3 bucket for each project’s builds.
2. Updated the S3 bucket policy to only allow uploads that use the associated KMS encryption.
Which final step should be taken to meet these requirements?
A. Update the attached IAM policies to allow access to the appropriate KMS key from the CodeDeploy role where the application will be deployed.
B. Update the attached IAM policies to allow access to the appropriate KMS key from the EC2 instance roles where the application will be deployed.
C. Update the CMK key policy to allow access to the appropriate KMS key from the CodeDeploy role where the application will be deployed.
D. Update the CMK key policy to allow to the appropriate KMS key from the EC2 instance roles where the application will be deployed.