AWS Certified Developer – Associate — Question 201

A developer is creating a new batch application that will run on an Amazon EC2 instance. The application requires read access to an Amazon S3 bucket. The developer needs to follow security best practices to grant S3 read access to the application.

Which solution meets these requirements?

Answer options

• A. Add the permissions to an IAM policy. Attach the policy to a role. Attach the role to the EC2 instance profile.
• B. Add the permissions inline to an IAM group. Attach the group to the EC2 instance profile.
• C. Add the permissions to an IAM policy. Attach the policy to a user. Attach the user to the EC2 instance profile.
• D. Add the permissions to an IAM policy. Use IAM web identity federation to access the S3 bucket with the policy.

Correct answer: A

Explanation

The correct answer is A because it allows for the application to have the necessary permissions via an IAM role that is associated with the EC2 instance profile, following security best practices. Options B and C are inappropriate as they do not use roles, which provide better security and management for temporary access. Option D is not suitable here since web identity federation is not necessary for an EC2 instance accessing S3.