DVA-C02 · Question #298
DVA-C02 Question #298: Real Exam Question with Answer & Explanation
The correct answers are B and C: create an IAM role that has permissions to the S3 bucket, add the role to an instance profile, and attach the instance profile to the EC2 instance. The instance then receives temporary, automatically rotated credentials from the instance metadata service, and no long-lived secret is ever stored on the instance.
Question
A developer designed an application on an Amazon EC2 instance. The application makes API requests to objects in an Amazon S3 bucket. Which combination of steps will ensure that the application makes the API requests in the MOST secure manner? (Choose two.)
Options
- A. Create an IAM user that has permissions to the S3 bucket. Add the user to an IAM group.
- B. Create an IAM role that has permissions to the S3 bucket.
- C. Add the IAM role to an instance profile. Attach the instance profile to the EC2 instance.
- D. Create an IAM role that has permissions to the S3 bucket. Assign the role to an IAM group.
- E. Store the credentials of the IAM user in the environment variables on the EC2 instance.
Explanation
Using an IAM role attached to the EC2 instance through an instance profile (B + C) is the most secure approach: the instance obtains temporary, automatically rotated credentials from the instance metadata service (IMDS), the AWS SDKs and CLI pick them up through the default credential provider chain, and no long-lived secret is ever stored on the instance or managed by hand. Option A creates an IAM user, which is intended for people or for workloads running outside AWS, and adding that user to a group does nothing to grant the EC2 instance access to S3. Option D wrongly assigns the role to an IAM group: roles are assumed by AWS services, IAM principals or federated identities; they are not attached to groups. Option E is the most dangerous distractor: long-lived access keys in environment variables can leak through logs, process listings, crash dumps or accidental commits, and they never rotate on their own. Two details the question leaves implicit but a practitioner should add: scope the role's policy to the specific bucket and the actions the application actually needs rather than s3:* on every resource, and require IMDSv2 on the instance so that an SSRF bug in the application cannot fetch the role's credentials from IMDS with a plain GET.
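The following script is an added example and is not part of the exam page. It carries out answers B and C with the AWS CLI and adds the two caveats above (a bucket-scoped policy and IMDSv2 enforcement). The role name, bucket name and instance ID are placeholders you pass on the command line; the script assumes a configured AWS CLI and `curl` for the on-instance check. Nothing is created unless you run it with `--apply`.

```shell
#!/usr/bin/env bash
# Added example (not from the exam page): provision the "IAM role + instance profile" answer
# with the AWS CLI. Role, bucket and instance ID are caller-supplied placeholders.
set -eu

# Trust policy: only the EC2 service may assume this role (no IAM user, no group).
trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Permissions policy scoped to ONE bucket: ListBucket on the bucket ARN, object actions on
# its objects. No "Resource": "*" and no s3:* - least privilege is the other half of "most secure".
s3_policy() {
  local bucket="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::${bucket}"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::${bucket}/*"
    }
  ]
}
EOF
}

# Guard run before creating the policy: refuse wildcard resources or a blanket s3:* action.
policy_is_scoped() {
  case "$1" in
    *'"Resource": "*"'*|*'"s3:*"'*) return 1 ;;
  esac
  return 0
}

# Answer B, then answer C, then the IMDSv2 caveat.
provision() {
  local role="$1" bucket="$2" instance="$3"
  local doc
  doc="$(s3_policy "$bucket")"
  policy_is_scoped "$doc" || { echo "refusing to create an unscoped policy" >&2; return 1; }

  # B: role trusted by EC2, with an inline least-privilege policy
  aws iam create-role --role-name "$role" --assume-role-policy-document "$(trust_policy)"
  aws iam put-role-policy --role-name "$role" --policy-name "${bucket}-access" --policy-document "$doc"

  # C: instance profile wrapping the role, attached to the instance
  # (IAM is eventually consistent; a just-created profile can take a few seconds to become usable)
  aws iam create-instance-profile --instance-profile-name "$role"
  aws iam add-role-to-instance-profile --instance-profile-name "$role" --role-name "$role"
  sleep 10
  aws ec2 associate-iam-instance-profile --instance-id "$instance" --iam-instance-profile "Name=$role"

  # Caveat: require IMDSv2, so credentials can only be read with a session token obtained via PUT
  aws ec2 modify-instance-metadata-options --instance-id "$instance" \
      --http-tokens required --http-endpoint enabled
}

# Run ON the instance to confirm the application is using role credentials, not stored keys.
verify_on_instance() {
  local token
  token="$(curl -sS -X PUT http://169.254.169.254/latest/api/token \
            -H 'X-aws-ec2-metadata-token-ttl-seconds: 300')"
  # Prints the role name; the credential document behind it carries an Expiration (it rotates).
  curl -sS -H "X-aws-ec2-metadata-token: $token" \
       http://169.254.169.254/latest/meta-data/iam/security-credentials/
  # The caller ARN should be arn:aws:sts::<account>:assumed-role/<role>/<instance-id>
  aws sts get-caller-identity --query Arn --output text
}

if [ "${1:-}" = "--apply" ]; then
  provision "${2:?role name}" "${3:?bucket name}" "${4:?instance id}"
fi
```

Usage: `./provision.sh --apply app-s3-reader my-app-bucket i-0123456789abcdef0` (all three values are placeholders). After the instance profile is attached, the application needs no credential configuration at all; if `AWS_ACCESS_KEY_ID` is still set in its environment, the SDK will prefer that over the role, which is exactly the situation option E creates.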
Memory tip: Think "roles for roles" - EC2 instances use IAM roles (via instance profiles), while IAM users are for humans. If you ever see "store credentials on the instance," that's always wrong on the exam.