nerdexam
Amazon

DVA-C02 · Question #364

A company wants to migrate applications from its on-premises servers to AWS. As a first step, the company is modifying and migrating a non-critical application to a single Amazon EC2 instance. The app

The correct answer is C. Create an IAM role that has the necessary access to Amazon S3. Attach the role to the EC2. Attaching an IAM role with least-privilege S3 permissions directly to the EC2 instance is the recommended security practice, as it avoids long-lived access keys and follows the principle of least privilege.

Submitted by deeparc· Mar 5, 2026Security

Question

A company wants to migrate applications from its on-premises servers to AWS. As a first step, the company is modifying and migrating a non-critical application to a single Amazon EC2 instance. The application will store information in an Amazon S3 bucket. The company needs to follow security best practices when deploying the application on AWS. Which approach should the company take to allow the application to interact with Amazon S3?

Options

  • ACreate an IAM role that has administrative access to AWS. Attach the role to the EC2 instance.
  • BCreate an IAM user. Attach the AdministratorAccess policy. Copy the generated access key and
  • CCreate an IAM role that has the necessary access to Amazon S3. Attach the role to the EC2
  • DCreate an IAM user. Attach a policy that provides the necessary access to Amazon S3. Copy the

How the community answered

(39 responses)
  • A
    3% (1)
  • B
    5% (2)
  • C
    87% (34)
  • D
    5% (2)

Why each option

Attaching an IAM role with least-privilege S3 permissions directly to the EC2 instance is the recommended security practice, as it avoids long-lived access keys and follows the principle of least privilege.

ACreate an IAM role that has administrative access to AWS. Attach the role to the EC2 instance.

Granting administrative access provides far more permissions than necessary, violating the principle of least privilege and exposing the account to significant risk if the instance is compromised.

BCreate an IAM user. Attach the AdministratorAccess policy. Copy the generated access key and

Creating an IAM user with AdministratorAccess and embedding the resulting long-lived access key on an EC2 instance is doubly insecure: the policy is overly permissive and static keys on instances are a common breach vector.

CCreate an IAM role that has the necessary access to Amazon S3. Attach the role to the EC2Correct

An IAM instance profile role delivers temporary, automatically rotated credentials to the EC2 instance via the instance metadata service; the role grants only the specific S3 actions required, satisfying both the least-privilege principle and the AWS best practice of never storing static access keys on compute resources.

DCreate an IAM user. Attach a policy that provides the necessary access to Amazon S3. Copy the

Copying a static IAM user access key onto an EC2 instance stores long-lived credentials on the host, which can be exfiltrated if the instance is compromised, and requires manual rotation; instance roles are always preferred.

Concept tested: EC2 IAM instance profile role for least-privilege S3 access

Source: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice