DVA-C02 Question #253: Real Exam Question with Answer & Explanation
The correct answer is C: Create an IAM role. Configure the IAM role to access the specific Amazon S3 API calls the. Attaching an IAM role to the EC2 instance profile is the most secure method for granting S3 access because it uses temporary, automatically rotated credentials with no long-lived secrets to manage.
Question
A developer is working on an application that is deployed on an Amazon EC2 instance. The developer needs a solution that will securely transfer files from the application to an Amazon S3 bucket. What should the developer do to meet these requirements in the MOST secure way?
Options
- A. Create an IAM user. Create an access key for the IAM user. Store the access key in the
- B. Create an IAM role. Create an access key for the IAM role. Store the access key in the
- C. Create an IAM role. Configure the IAM role to access the specific Amazon S3 API calls the
- D. Configure an S3 bucket policy for the S3 bucket. Configure the S3 bucket policy to allow access
Explanation
Attaching an IAM role to the EC2 instance through an instance profile is the most secure option. The instance obtains temporary credentials for the role from the instance metadata service, the AWS SDKs and CLI pick them up automatically through the default credential chain, and the credentials are rotated before they expire, so no long-lived secret is written to disk or baked into the application. The role's permissions policy should allow only the specific S3 API calls the application needs (for example s3:PutObject) on the target bucket's ARN; that least-privilege scoping is the other half of what option C describes. As a practical hardening step, require IMDSv2 on the instance so the role credentials are harder to steal through an SSRF flaw in the application.
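The following is an added example, not part of the exam page: it builds the two policy documents behind option C (the trust policy that lets the EC2 service assume the role, and a permissions policy limited to specific S3 actions on one bucket prefix), checks the permissions policy against a simple least-privilege rule, and shows the application-side upload that relies on the instance profile rather than on any stored key. The bucket name, role name and prefix are constructed placeholders.

```python
"""Least-privilege IAM role for an EC2 instance that uploads to one S3 bucket.

Added example, not from the exam page. BUCKET, ROLE_NAME and UPLOAD_PREFIX
are constructed placeholders, not real resources.
"""
import json

BUCKET = "example-upload-bucket"   # constructed placeholder
ROLE_NAME = "AppS3UploadRole"      # constructed placeholder
UPLOAD_PREFIX = "uploads/"         # only objects under this prefix may be written

# The specific S3 API calls a file-transfer application needs.
# Deliberately no s3:GetObject, s3:DeleteObject and no s3:* wildcard.
ALLOWED_ACTIONS = [
    "s3:PutObject",
    "s3:AbortMultipartUpload",
    "s3:ListMultipartUploadParts",
]


def trust_policy() -> dict:
    """Trust policy: only the EC2 service may assume the role (via an instance profile)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def permissions_policy(bucket: str = BUCKET, prefix: str = UPLOAD_PREFIX) -> dict:
    """Permissions policy scoped to specific S3 actions on one bucket prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "UploadOnly",
            "Effect": "Allow",
            "Action": list(ALLOWED_ACTIONS),
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
        }],
    }


def least_privilege_findings(policy: dict) -> list:
    """Return reasons an Allow statement is broader than needed (empty list = OK).

    Flags wildcard or non-S3 actions and resources that are not S3 ARNs.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if action == "*" or action.endswith(":*") or not action.startswith("s3:"):
                findings.append(f"action too broad or not S3: {action}")
        for resource in resources:
            if resource == "*" or not resource.startswith("arn:aws:s3:::"):
                findings.append(f"resource not scoped to an S3 ARN: {resource}")
    return findings


def upload_file(local_path: str, key: str, bucket: str = BUCKET) -> None:
    """Upload using the instance profile's temporary credentials.

    No access key is passed or stored: boto3's default credential chain reads
    short-lived role credentials from the instance metadata service and
    refreshes them before expiry. Needs boto3 and an instance with the role
    attached, so it is not exercised offline.
    """
    import boto3  # imported here so the policy helpers run without boto3 installed
    boto3.client("s3").upload_file(local_path, bucket, key)


if __name__ == "__main__":
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(permissions_policy(), indent=2))
    print("findings:", least_privilege_findings(permissions_policy()))
```

To put the documents to work with the AWS CLI, pass the trust policy to aws iam create-role (--assume-role-policy-document), the permissions policy to aws iam put-role-policy, then aws iam create-instance-profile, aws iam add-role-to-instance-profile and aws ec2 associate-iam-instance-profile against the instance. After that the application calls upload_file with no credentials of its own.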
Common mistakes.
- A. Storing long-lived IAM user access keys on an EC2 instance is a security risk: if the instance is compromised, the keys can be copied and used from anywhere, and they stay valid until someone revokes or rotates them by hand.
- B. IAM roles do not have access keys; only IAM users can have long-term access keys. This option is technically invalid.
- D. A bucket policy grants permissions to a principal; it cannot by itself identify the EC2 instance. Without a role on the instance, the only way a bucket policy could let the instance write is to allow anonymous (public) access, which is the least secure choice.
Concept tested. EC2 instance profile IAM role for S3 access
Reference. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html