DVA-C02 · Question #401
A developer is creating a new batch application that will run on an Amazon EC2 instance. The application requires read access to an Amazon S3 bucket. The developer needs to follow security best practi
The correct answer is A. Add the permissions to an IAM policy. Attach the policy to a role. Attach the role to the EC2. Granting an EC2 application access to S3 using security best practices means using an IAM role attached as an instance profile, avoiding long-lived credentials.
Question
A developer is creating a new batch application that will run on an Amazon EC2 instance. The application requires read access to an Amazon S3 bucket. The developer needs to follow security best practices to grant S3 read access to the application. Which solution meets these requirements?
Options
- AAdd the permissions to an IAM policy. Attach the policy to a role. Attach the role to the EC2
- BAdd the permissions inline to an IAM group. Attach the group to the EC2 instance profile.
- CAdd the permissions to an IAM policy. Attach the policy to a user. Attach the user to the EC2
- DAdd the permissions to an IAM policy. Use IAM web identity federation to access the S3 bucket
How the community answered
(64 responses)- A80% (51)
- B3% (2)
- C13% (8)
- D5% (3)
Why each option
Granting an EC2 application access to S3 using security best practices means using an IAM role attached as an instance profile, avoiding long-lived credentials.
IAM roles attached to EC2 instance profiles provide temporary, automatically rotated credentials via the instance metadata service. This is the AWS-recommended approach for granting EC2 applications access to other AWS services without embedding static credentials.
IAM groups cannot be attached to EC2 instance profiles; instance profiles only accept roles, making this configuration impossible.
IAM users represent human identities and cannot be directly attached to EC2 instance profiles; using user credentials on EC2 instances embeds long-lived static keys.
Web identity federation is designed for users authenticating through external identity providers (e.g., Cognito, Google), not for EC2 instance-level application access.
Concept tested: EC2 instance profile with IAM role for S3 access
Source: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html
Community Discussion
No community discussion yet for this question.