What should the DevOps engineer do to accomplish this in the MOST maintainable manner?
Automate patching and upgrading using AWS Systems Manager on EC2 instances and encrypt Amazon EBS volumes by default.
Deploy Jenkins to an Amazon ECS cluster and copy build artifacts to an Amazon S3 bucket with default encryption enabled.
Leverage AWS CodePipeline with a build action and encrypt the artifacts using AWS Secrets Manager.
Use AWS CodeBuild with artifact encryption to replace the Jenkins instance running on Amazon EC2.
Explanations:
Automating patching and upgrading using AWS Systems Manager is a good practice for EC2 instances, but encrypting Amazon EBS volumes does not directly address the need to encrypt Jenkins build artifacts.
Deploying Jenkins on Amazon ECS and copying artifacts to an S3 bucket with default encryption enabled is a reasonable way to store build artifacts securely. However, the team still has to patch and upgrade Jenkins itself, so this option does not address patching or encryption in a maintainable manner within the CI/CD pipeline.
AWS Secrets Manager is used for managing sensitive information like API keys or credentials, not for encrypting build artifacts. Therefore, it does not fulfill the requirement of encrypting build artifacts in a maintainable way.
AWS CodeBuild supports artifact encryption natively as part of the build process, and because it is a managed service it eliminates the need to patch and upgrade the EC2 instance that hosts Jenkins. This makes it the most maintainable and secure option for encrypting build artifacts while handling the CI/CD process.