AWS Certified Developer – Associate (DVA-C02) — Question 390

A developer is creating a new batch application that will run on an Amazon EC2 instance. The application requires read access to an Amazon S3 bucket. The developer needs to follow security best practices to grant S3 read access to the application.

Which solution meets these requirements?

Answer options

• A. Add the permissions to an IAM policy. Attach the policy to a role. Attach the role to the EC2 instance profile.
• B. Add the permissions inline to an IAM group. Attach the group to the EC2 instance profile.
• C. Add the permissions to an IAM policy. Attach the policy to a user. Attach the user to the EC2 instance profile.
• D. Add the permissions to an IAM policy. Use IAM web identity federation to access the S3 bucket with the policy.

Correct answer: A

Explanation

The security best practice for granting AWS resource access to applications running on Amazon EC2 instances is to use IAM roles attached via an EC2 instance profile, which eliminates the need to manage long-term credentials. You cannot attach IAM users or IAM groups directly to an EC2 instance profile. IAM web identity federation is unnecessary here as it is designed for federating external users rather than authorizing internal EC2 workloads.