DVA-C02 · Question #368
A developer is running an application on an Amazon EC2 instance. When the application tries to read an Amazon S3 bucket, the application fails. The developer notices that the associated IAM role is mi
The correct answer is B. Add the permission to the role so that the change will take effect automatically.. IAM role policy changes apply immediately to all associated EC2 instances without requiring a restart or relaunch. The instance metadata service always fetches the latest role credentials dynamically.
Question
A developer is running an application on an Amazon EC2 instance. When the application tries to read an Amazon S3 bucket, the application fails. The developer notices that the associated IAM role is missing the S3 read permission. The developer needs to give the application the ability to read the S3 bucket. Which solution will meet this requirement with the LEAST application disruption?
Options
- AAdd the permission to the role. Terminate the existing EC2 instance. Launch a new EC2 instance.
- BAdd the permission to the role so that the change will take effect automatically.
- CAdd the permission to the role. Hibernate and restart the existing EC2 instance.
- DAdd the permission to the S3 bucket. Restart the EC2 instance.
How the community answered
(29 responses)- B93% (27)
- C3% (1)
- D3% (1)
Why each option
IAM role policy changes apply immediately to all associated EC2 instances without requiring a restart or relaunch. The instance metadata service always fetches the latest role credentials dynamically.
Terminating and launching a new instance is unnecessarily disruptive; IAM role changes propagate to existing instances automatically without replacement.
IAM role policies are evaluated at the time each API call is made, not at instance launch. When the developer adds the S3 read permission to the role, the EC2 instance's next AWS SDK call will automatically receive temporary credentials that include the new permission, requiring zero instance disruption.
Hibernating and restarting the instance is unnecessary because IAM role policy changes are reflected immediately on the existing running instance.
Adding permission to the S3 bucket policy instead of the IAM role is a different mechanism and restarting the instance is still unnecessary for either change to take effect.
Concept tested: IAM role policy propagation to EC2 instances
Source: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html
Community Discussion
No community discussion yet for this question.