AWS Certified Developer – Associate (DVA-C02) — Question 351
A developer is running an application on an Amazon EC2 instance. When the application tries to read an Amazon S3 bucket, the application fails. The developer notices that the associated IAM role is missing the S3 read permission. The developer needs to give the application the ability to read the S3 bucket.
Which solution will meet this requirement with the LEAST application disruption?
Answer options
- A. Add the permission to the role. Terminate the existing EC2 instance. Launch a new EC2 instance.
- B. Add the permission to the role so that the change will take effect automatically.
- C. Add the permission to the role. Hibernate and restart the existing EC2 instance.
- D. Add the permission to the S3 bucket. Restart the EC2 instance.
Correct answer: B
Explanation
Updating an IAM role's policy takes effect as soon as the change is saved, and nothing needs to change on the instance: the temporary credentials the application obtains through the instance profile belong to the role itself, and IAM evaluates the role's currently attached policies on every request. Therefore, simply adding the S3 read permission to the existing IAM role resolves the issue with no downtime or disruption to the application. Terminating, hibernating, or restarting the EC2 instance, as the other options suggest, is unnecessary and causes avoidable application disruption.