nerdexam
Amazon

DVA-C02 · Question #401

A developer is creating a new batch application that will run on an Amazon EC2 instance. The application requires read access to an Amazon S3 bucket. The developer needs to follow security best practi

The correct answer is A. Add the permissions to an IAM policy. Attach the policy to a role. Attach the role to the EC2. Granting an EC2 application access to S3 using security best practices means using an IAM role attached as an instance profile, avoiding long-lived credentials.

Submitted by brentm· Mar 5, 2026Security

Question

A developer is creating a new batch application that will run on an Amazon EC2 instance. The application requires read access to an Amazon S3 bucket. The developer needs to follow security best practices to grant S3 read access to the application. Which solution meets these requirements?

Options

  • AAdd the permissions to an IAM policy. Attach the policy to a role. Attach the role to the EC2
  • BAdd the permissions inline to an IAM group. Attach the group to the EC2 instance profile.
  • CAdd the permissions to an IAM policy. Attach the policy to a user. Attach the user to the EC2
  • DAdd the permissions to an IAM policy. Use IAM web identity federation to access the S3 bucket

How the community answered

(64 responses)
  • A
    80% (51)
  • B
    3% (2)
  • C
    13% (8)
  • D
    5% (3)

Why each option

Granting an EC2 application access to S3 using security best practices means using an IAM role attached as an instance profile, avoiding long-lived credentials.

AAdd the permissions to an IAM policy. Attach the policy to a role. Attach the role to the EC2Correct

IAM roles attached to EC2 instance profiles provide temporary, automatically rotated credentials via the instance metadata service. This is the AWS-recommended approach for granting EC2 applications access to other AWS services without embedding static credentials.

BAdd the permissions inline to an IAM group. Attach the group to the EC2 instance profile.

IAM groups cannot be attached to EC2 instance profiles; instance profiles only accept roles, making this configuration impossible.

CAdd the permissions to an IAM policy. Attach the policy to a user. Attach the user to the EC2

IAM users represent human identities and cannot be directly attached to EC2 instance profiles; using user credentials on EC2 instances embeds long-lived static keys.

DAdd the permissions to an IAM policy. Use IAM web identity federation to access the S3 bucket

Web identity federation is designed for users authenticating through external identity providers (e.g., Cognito, Google), not for EC2 instance-level application access.

Concept tested: EC2 instance profile with IAM role for S3 access

Source: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice