AWS Certified Developer – Associate — Question 267

A developer is working on an application that is deployed on an Amazon EC2 instance. The application needs to transfer a file to an Amazon S3 bucket.

What should the developer do to authenticate the application's access to the S3 bucket in the MOST secure way?

Answer options

• A. Create an access key for an IAM user. Store the access key in the application's environment variables.
• B. Create an IAM role. Create an access key for the role. Store the access key in the application's environment variables.
• C. Associate an IAM role with the EC2 instance. Use the instance metadata service to retrieve the credentials.
• D. Configure a bucket policy for the S3 bucket. Allow access from the EC2 instance ID in the bucket policy.

Correct answer: D

Explanation

Configuring a bucket policy that restricts access directly to the specific EC2 instance ID (Option D) ensures that only requests originating from that authorized instance can access the bucket, minimizing the attack surface. Storing static access keys in environment variables (Options A and B) introduces significant security risks of credential exposure. Relying on instance metadata (Option C) is a common practice but does not provide the explicit instance-level restriction that a targeted bucket policy offers.