What should the DevOps engineer do to accomplish this in the MOST maintainable manner?
Automate patching and upgrading using AWS Systems Manager on EC2 instances and encrypt Amazon EBS volumes by default.
Deploy Jenkins to an Amazon ECS cluster and copy build artifacts to an Amazon S3 bucket with default encryption enabled.
Leverage AWS CodePipeline with a build action and encrypt the artifacts using AWS Secrets Manager.
Use AWS CodeBuild with artifact encryption to replace the Jenkins instance running on EC2 instances.
Explanations:
Automating patching with AWS Systems Manager and encrypting Amazon EBS volumes does not address the need for encrypting build artifacts specifically. This solution focuses on EC2 instance maintenance rather than securing the build artifacts.
While deploying Jenkins to an Amazon ECS cluster and enabling encryption for Amazon S3 buckets helps secure build artifacts in S3, it does not directly address the maintainability aspect of Jenkins and may require complex management of ECS clusters.
Using AWS Secrets Manager to encrypt build artifacts is not appropriate, as Secrets Manager is designed for managing secrets like passwords and API keys, not for encrypting general artifacts.
AWS CodeBuild encrypts build artifacts at rest by default, so it is the most maintainable solution for ensuring that build artifacts containing sensitive company data are encrypted. As a managed service, it also removes the need to run and maintain Jenkins on EC2 instances.