AWS Certified SysOps Administrator – Associate (SOA-C03) — Question 21
An Amazon EC2 instance is running an application that uses Amazon Simple Queue Service (Amazon SQS) queues. A CloudOps engineer must ensure that the application can read, write, and delete messages from the SQS queues.
Which solution will meet these requirements in the MOST secure manner?
Answer options
- A. Create an IAM user with an IAM policy that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues. Embed the IAM user's credentials in the application's configuration.
- B. Create an IAM user with an IAM policy that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues. Export the IAM user's access key and secret access key as environment variables on the EC2 instance.
- C. Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows sqs:* permissions to the appropriate queues.
- D. Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues.
Correct answer: D
Explanation
The correct answer is D because an IAM role attached to the instance supplies temporary credentials automatically, which is more secure than embedding IAM user credentials directly in the application or exporting them as environment variables. Options A and B expose sensitive long-lived credentials, while C grants sqs:* permissions, broader than the application needs, which could violate the principle of least privilege.
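To make the least-privilege point concrete, here is an added example (not part of the original question) that builds the EC2 trust policy and the permission policy for option D, contrasts it with the sqs:* policy of option C, and flags wildcard grants; the queue ARN and account ID are constructed placeholders.

```python
"""Least-privilege SQS policy for an EC2 instance role (option D) versus the
over-broad sqs:* policy of option C. Added example; the queue ARN and account
ID below are constructed placeholders, not values from the original question."""
import json

QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:app-queue"  # placeholder

# Trust policy: lets EC2 assume the role, so the instance receives short-lived
# credentials from the instance metadata service instead of static access keys.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

def sqs_policy(actions, resource=QUEUE_ARN):
    """Build an identity policy granting `actions` on a single queue ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": resource}],
    }

# Option D: exactly the three actions the application needs.
OPTION_D_POLICY = sqs_policy(["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage"])
# Option C: every SQS action, including sqs:DeleteQueue and sqs:SetQueueAttributes.
OPTION_C_POLICY = sqs_policy(["sqs:*"])

def over_broad_grants(policy):
    """Return a list describing Allow statements that use wildcard actions or resources."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        findings += [f"wildcard action {a}" for a in actions if a.endswith("*")]
        findings += [f"wildcard resource {r}" for r in resources if r.endswith("*")]
    return findings

if __name__ == "__main__":
    print(json.dumps(OPTION_D_POLICY, indent=2))
    print("option C findings:", over_broad_grants(OPTION_C_POLICY))  # ['wildcard action sqs:*']
    print("option D findings:", over_broad_grants(OPTION_D_POLICY))  # []
```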