AWS Certified Developer – Associate (DVA-C02) — Question 278
A developer is creating an application that reads and writes to multiple Amazon S3 buckets. The application will be deployed to an Amazon EC2 instance. The developer wants to make secure API requests from the EC2 instances without the need to manage the security credentials for the application. The developer needs to apply the principle of least privilege.
Which solution will meet these requirements?
Answer options
- A. Create an IAM user. Create access keys and secret keys for the user. Associate the user with an IAM policy that allows s3:* permissions.
- B. Associate the EC2 instance with an IAM role that has an IAM policy that allows s3:ListBucket and s3:*Object permissions for specific S3 buckets.
- C. Associate the EC2 instance with an IAM role that has an AmazonS3FullAccess AWS managed policy.
- D. Create a bucket policy on the S3 bucket that allows s3:ListBucket and s3:*Object permissions to the EC2 instance.
Correct answer: B
Explanation
Attaching an IAM role to the instance (through an instance profile) lets the application obtain short-lived credentials automatically: the AWS SDK's default credential chain fetches them from the instance metadata service, and they are rotated without any access key being stored on the instance or in the code. Scoping the role's policy to s3:ListBucket and s3:*Object on the specific bucket ARNs (s3:ListBucket on arn:aws:s3:::bucket, the object actions on arn:aws:s3:::bucket/*) satisfies least privilege. Option A relies on long-lived access keys that the developer would have to distribute and rotate, and grants s3:* on every bucket. Option C removes the credential-management burden but AmazonS3FullAccess grants s3:* on all buckets, so it is not least privilege. Option D does not work because a bucket policy's Principal must be an IAM identity (such as the role), not an EC2 instance, and a bucket policy on its own gives the instance no credentials to sign requests with.
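The two policy documents behind option B, plus a small check that flags the over-broad shape of options A and C, as an added example (not part of the original question or of any AWS documentation). The role name and bucket names are placeholders; the check is a simplified illustration, not a substitute for IAM Access Analyzer.

```python
"""
Least-privilege IAM role for an EC2 instance: added example, placeholders only.

An instance role needs two documents:
  1. a trust policy that lets the EC2 service assume the role, so the instance
     profile can hand temporary credentials to the SDK through IMDS, and
  2. a permissions policy scoped to the specific buckets (option B).

check_least_privilege() flags the anti-patterns in options A and C (an "s3:*"
action or a "*" resource) and a common mistake: granting s3:ListBucket on an
object ARN, where it does not grant listing.
"""
import json

ROLE_NAME = "app-s3-role"                           # placeholder name
BUCKETS = ["app-input-bucket", "app-output-bucket"]  # placeholder buckets


def trust_policy() -> dict:
    """Trust policy: only the EC2 service may assume this role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def least_privilege_policy(buckets) -> dict:
    """Option B: ListBucket on the bucket ARNs, object actions on their keys."""
    bucket_arns = [f"arn:aws:s3:::{b}" for b in buckets]
    object_arns = [f"arn:aws:s3:::{b}/*" for b in buckets]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListSpecificBuckets",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": bucket_arns,
            },
            {
                "Sid": "ReadWriteObjects",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": object_arns,
            },
        ],
    }


def full_access_policy() -> dict:
    """Same shape as AmazonS3FullAccess (options A and C): far too broad."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_least_privilege(policy: dict) -> list:
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        for resource in resources:
            if resource == "*":
                findings.append(f"statement {i}: wildcard resource")
        # s3:ListBucket is a bucket-level action: it must be granted on the
        # bucket ARN, not on bucket/* (object keys).
        if "s3:ListBucket" in actions and any(r.endswith("/*") for r in resources):
            findings.append(f"statement {i}: s3:ListBucket on an object ARN grants no listing")
    return findings


if __name__ == "__main__":
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(least_privilege_policy(BUCKETS), indent=2))
    print("findings for option B:", check_least_privilege(least_privilege_policy(BUCKETS)))
    print("findings for option C:", check_least_privilege(full_access_policy()))
```

With the role created from these two documents and attached to the instance via an instance profile, the application code configures no credentials at all: the SDK's default credential chain finds the role credentials on the instance and refreshes them before they expire.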