AWS Certified Developer – Associate — Question 227
A company designs a mobile app to run on AWS. The app will run on Amazon EC2 instances behind an Application Load Balancer. The instances will run in an Amazon EC2 Auto Scaling group. The app must securely access data that the company stores in Amazon DynamoDB.
Which solution is MOST secure?
Answer options
- A. Create an Amazon Cognito user pool for the mobile app users. Attach an IAM policy that has the required DynamoDB permissions to the user pool.
- B. Create an AWS Lambda authorizer with the required DynamoDB permissions. Attach the Lambda authorizer to the Application Load Balancer.
- C. Create an IAM user for each mobile user. Attach an IAM policy that provides the required DynamoDB permissions to each IAM user.
- D. Create an IAM role. Attach a policy with the required DynamoDB permissions to the role. Configure the EC2 Auto Scaling launch template to attach the role to all EC2 instances.
Correct answer: D
Explanation
The correct answer is D because an IAM role attached to the instances through the Auto Scaling launch template lets the application obtain temporary credentials from the instance itself, so no long-lived access keys have to be embedded in the application. Option A is less secure because it exposes the DynamoDB permissions directly to the app users rather than to the application tier. Option B does not give the EC2 instances access to DynamoDB, and Option C is impractical because of the management overhead of maintaining an individual IAM user for every mobile user.
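The following CloudFormation fragment is an added illustration of option D, not part of the original question set: the role, its instance profile, and the launch template that attaches it, with the DynamoDB policy scoped to the actions the app needs on a single table. The resource names (AppInstanceRole, AppInstanceProfile, AppLaunchTemplate, AppDataTable), the AMI id and the instance type are assumptions.

```yaml
# Added example for option D (assumed names; ImageId is a placeholder).
Resources:
  AppInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only the EC2 service may assume this role. Instances
      # then receive short-lived, automatically rotated credentials.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: AppDynamoDBAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                # Least privilege: only the data-plane actions the app uses,
                # and only on the app's table (assumed name AppDataTable).
                Action:
                  - dynamodb:GetItem
                  - dynamodb:PutItem
                  - dynamodb:UpdateItem
                  - dynamodb:Query
                Resource: !Sub "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AppDataTable"
  AppInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref AppInstanceRole
  AppLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        ImageId: ami-REPLACE-ME        # placeholder
        InstanceType: t3.micro         # assumed
        # Every instance the Auto Scaling group launches from this template
        # gets the role; the app code needs no access keys at all.
        IamInstanceProfile:
          Arn: !GetAtt AppInstanceProfile.Arn
        # Require IMDSv2 so role credentials are only served to session-token requests.
        MetadataOptions:
          HttpTokens: required
```

The Auto Scaling group then references AppLaunchTemplate; the AWS SDK on each instance picks up the role credentials from the instance metadata service without any configuration in the app.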