AWS Certified Developer – Associate (DVA-C02) — Question 301
A developer designed an application on an Amazon EC2 instance. The application makes API requests to objects in an Amazon S3 bucket.
Which combination of steps will ensure that the application makes the API requests in the MOST secure manner? (Choose two.)
Answer options
- A. Create an IAM user that has permissions to the S3 bucket. Add the user to an IAM group.
- B. Create an IAM role that has permissions to the S3 bucket.
- C. Add the IAM role to an instance profile. Attach the instance profile to the EC2 instance.
- D. Create an IAM role that has permissions to the S3 bucket. Assign the role to an IAM group.
- E. Store the credentials of the IAM user in the environment variables on the EC2 instance.
Correct answer: B, C
Explanation
To securely grant applications on EC2 instances access to AWS resources like Amazon S3, AWS recommends using IAM roles instead of long-term credentials. By creating an IAM role with the necessary S3 permissions and attaching it to the EC2 instance through an instance profile, AWS automatically provisions and rotates temporary credentials for the application. Using IAM users, groups, or hardcoding credentials in environment variables introduces unnecessary security risks and administrative overhead.
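The procedure behind the correct answers (B and C), shown as an added example that is not part of the exam question: build the role's trust policy so that only the EC2 service can assume it, scope the permissions policy to the one bucket the application uses, and wire the role to the instance through an instance profile. The bucket, role, and profile names are constructed placeholders, and the `iam` and `ec2` arguments are assumed to be boto3 clients passed in by the caller (boto3 itself is not imported, so the policy helpers run offline); the method names used on those clients are the real boto3 IAM and EC2 calls.

```python
import json

# Constructed sample names; replace with your own in practice.
BUCKET = "example-app-bucket"
ROLE_NAME = "AppS3AccessRole"
PROFILE_NAME = "AppS3AccessProfile"


def ec2_trust_policy():
    """Trust policy: only the EC2 service may assume this role (no users, no groups)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def s3_bucket_policy(bucket):
    """Permissions scoped to one bucket: list it, and read/write its objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """Return least-privilege violations found in an IAM policy document."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append("wildcard action")
        if any(r == "*" for r in resources):
            findings.append("wildcard resource")
    return findings


def attach_role_to_instance(iam, ec2, instance_id, bucket=BUCKET,
                            role_name=ROLE_NAME, profile_name=PROFILE_NAME):
    """Steps B and C: role with scoped S3 permissions, wrapped in an instance
    profile and associated with the instance. `iam` and `ec2` are assumed to be
    boto3 clients; no access keys are ever created or stored on the instance."""
    permissions = s3_bucket_policy(bucket)
    problems = policy_findings(permissions)
    if problems:
        raise ValueError(f"refusing over-broad policy: {problems}")
    iam.create_role(RoleName=role_name,
                    AssumeRolePolicyDocument=json.dumps(ec2_trust_policy()))
    iam.put_role_policy(RoleName=role_name, PolicyName="S3BucketAccess",
                        PolicyDocument=json.dumps(permissions))
    iam.create_instance_profile(InstanceProfileName=profile_name)
    iam.add_role_to_instance_profile(InstanceProfileName=profile_name,
                                     RoleName=role_name)
    # The SDK on the instance now obtains rotating temporary credentials from
    # the instance metadata service; the application code needs no keys at all.
    ec2.associate_iam_instance_profile(IamInstanceProfile={"Name": profile_name},
                                       InstanceId=instance_id)
    return profile_name
```

Once the profile is associated, a boto3 client created on the instance with no explicit credentials picks up the role automatically, which is why options A and E (an IAM user with keys in environment variables) are the less secure alternative: those keys never rotate on their own and are readable by anything that can dump the process environment. Newly created instance profiles can take a few seconds to become visible to EC2, so a retry around the final association call is reasonable in real automation.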