AWS Certified Developer – Associate (DVA-C02) — Question 213

A company requires that all applications running on Amazon EC2 use IAM roles to gain access to AWS services. A developer is modifying an application that currently relies on IAM user access keys stored in environment variables to access Amazon DynamoDB tables using boto, the AWS SDK for Python.

The developer associated a role with the same permissions as the IAM user with the EC2 instance, then deleted the IAM user. When the application was restarted, AWS AccessDeniedException messages started appearing in the application logs. The developer was able to use their personal account on the server to run DynamoDB API commands using the AWS CLI.

What is the MOST likely cause of the exception?

Answer options

Correct answer: B

Explanation

The most likely cause of the AWS AccessDeniedException is that the application is still attempting to use the credentials in its environment variables, which were set for the IAM user and stopped working when that user was deleted. The SDK checks environment variables before it falls back to the instance role, so although the role has been assigned to the EC2 instance, the application needs to be updated to use the role's permissions instead of the now non-existent IAM user credentials. The developer's own CLI session works because their personal account on the server does not carry those variables. The other options do not apply because IAM policies propagate quickly, the AWS SDK does support instance roles, and the security group settings do not influence metadata access.
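A way to confirm this on the server, as an added example that is not part of the original question: the script below parses a process environment in the NUL-separated format of `/proc/<pid>/environ` on Linux and reports static AWS keys that would be used ahead of the instance role, without printing secret values. The function names and the sample environment are constructed for illustration.

```python
import sys

# Variables read by the SDK's environment credential provider, which is
# consulted before the EC2 instance role.
STATIC_KEYS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")

# Constructed sample in /proc/<pid>/environ format (not real credentials).
SAMPLE_BLOB = (b"PATH=/usr/bin\0AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY0001\0"
               b"AWS_SECRET_ACCESS_KEY=constructed-secret\0\0")


def parse_environ_blob(blob: bytes) -> dict:
    """Parse NUL-separated KEY=VALUE records into a dict."""
    env = {}
    for record in blob.split(b"\0"):
        key, sep, value = record.partition(b"=")
        if sep and key:
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def shadowing_credentials(env: dict) -> dict:
    """Return the static credential variables that are set, redacted for logging."""
    found = {}
    for name in STATIC_KEYS:
        value = env.get(name)
        if value:
            # Only the tail of the key ID is shown; secrets are never echoed.
            found[name] = "..." + value[-4:] if name == "AWS_ACCESS_KEY_ID" else "<set>"
    return found


def diagnose(env: dict) -> str:
    """Classify an environment by whether static keys override the instance role."""
    found = shadowing_credentials(env)
    if "AWS_ACCESS_KEY_ID" in found and "AWS_SECRET_ACCESS_KEY" in found:
        return "env-keys-shadow-role"
    if found:
        return "incomplete-env-keys"  # leftovers that should also be removed
    return "no-env-keys"  # nothing here stops the SDK reaching the role


if __name__ == "__main__":
    # With a PID argument, inspect that process (needs read access to its /proc entry).
    blob = SAMPLE_BLOB
    if len(sys.argv) > 1:
        with open(f"/proc/{sys.argv[1]}/environ", "rb") as fh:
            blob = fh.read()
    env = parse_environ_blob(blob)
    print(diagnose(env), shadowing_credentials(env))
```

Run it against the application's PID rather than your own shell: the two environments differ, which is why the CLI succeeds while the application fails.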