nerdexam
Amazon

DVA-C02 · Question #368

A developer is running an application on an Amazon EC2 instance. When the application tries to read an Amazon S3 bucket, the application fails. The developer notices that the associated IAM role is mi

The correct answer is B. Add the permission to the role so that the change will take effect automatically.. IAM role policy changes apply immediately to all associated EC2 instances without requiring a restart or relaunch. The instance metadata service always fetches the latest role credentials dynamically.

Submitted by amina.ke· Mar 5, 2026Troubleshooting and Optimization

Question

A developer is running an application on an Amazon EC2 instance. When the application tries to read an Amazon S3 bucket, the application fails. The developer notices that the associated IAM role is missing the S3 read permission. The developer needs to give the application the ability to read the S3 bucket. Which solution will meet this requirement with the LEAST application disruption?

Options

  • AAdd the permission to the role. Terminate the existing EC2 instance. Launch a new EC2 instance.
  • BAdd the permission to the role so that the change will take effect automatically.
  • CAdd the permission to the role. Hibernate and restart the existing EC2 instance.
  • DAdd the permission to the S3 bucket. Restart the EC2 instance.

How the community answered

(29 responses)
  • B
    93% (27)
  • C
    3% (1)
  • D
    3% (1)

Why each option

IAM role policy changes apply immediately to all associated EC2 instances without requiring a restart or relaunch. The instance metadata service always fetches the latest role credentials dynamically.

AAdd the permission to the role. Terminate the existing EC2 instance. Launch a new EC2 instance.

Terminating and launching a new instance is unnecessarily disruptive; IAM role changes propagate to existing instances automatically without replacement.

BAdd the permission to the role so that the change will take effect automatically.Correct

IAM role policies are evaluated at the time each API call is made, not at instance launch. When the developer adds the S3 read permission to the role, the EC2 instance's next AWS SDK call will automatically receive temporary credentials that include the new permission, requiring zero instance disruption.

CAdd the permission to the role. Hibernate and restart the existing EC2 instance.

Hibernating and restarting the instance is unnecessary because IAM role policy changes are reflected immediately on the existing running instance.

DAdd the permission to the S3 bucket. Restart the EC2 instance.

Adding permission to the S3 bucket policy instead of the IAM role is a different mechanism and restarting the instance is still unnecessary for either change to take effect.

Concept tested: IAM role policy propagation to EC2 instances

Source: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice