AWS Certified Developer – Associate — Question 375
An application that is hosted on an Amazon EC2 instance needs access to files that are stored in an Amazon S3 bucket. The application lists the objects that are stored in the S3 bucket and displays a table to the user. During testing, a developer discovers that the application does not show any objects in the list.
What is the MOST secure way to resolve this issue?
Answer options
- A. Update the IAM instance profile that is attached to the EC2 instance to include the S3:* permission for the S3 bucket.
- B. Update the IAM instance profile that is attached to the EC2 instance to include the S3:ListBucket permission for the S3 bucket.
- C. Update the developer's user permissions to include the S3:ListBucket permission for the S3 bucket.
- D. Update the S3 bucket policy by including the S3:ListBucket permission and by setting the Principal element to specify the account number of the EC2 instance.
Correct answer: B
Explanation
To allow an application on an Amazon EC2 instance to list objects in an Amazon S3 bucket, the EC2 instance's IAM instance profile must be granted the specific s3:ListBucket permission, adhering to the principle of least privilege. Option A is insecure because it grants excessive permissions, while Option C is incorrect because the application runs under the EC2 instance's identity, not the developer's personal IAM user. Option D is incorrect because granting access via a bucket policy to an entire account is less secure and less direct than using an IAM role attached directly to the EC2 instance.
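As an added illustration (not part of the exam material), options A and B are written out below as IAM policy documents, together with a small audit that flags wildcard grants and the bucket-ARN requirement of s3:ListBucket; the bucket name example-app-bucket is a placeholder.

```python
# Added example, not from the exam page: the policies behind options A and B
# as IAM policy documents, plus a small least-privilege audit. The bucket
# name example-app-bucket is a placeholder.

# Option A: every S3 action on every resource (over-broad).
OPTION_A_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Option B: only s3:ListBucket, scoped to the bucket ARN. ListBucket is a
# bucket-level action, so the resource is arn:aws:s3:::bucket, not bucket/*.
OPTION_B_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListObjectsInAppBucket",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-app-bucket",
        }
    ],
}


def _as_list(value):
    """IAM allows Action and Resource as a string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return least-privilege findings for an IAM policy document."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"wildcard action {action!r}")
        for resource in resources:
            if resource == "*":
                findings.append("wildcard resource '*'")
            elif ("s3:ListBucket" in actions
                  and resource.startswith("arn:aws:s3:::") and "/" in resource):
                # An object ARN never matches s3:ListBucket, so the
                # ListObjects call is denied and the table stays empty.
                findings.append(f"s3:ListBucket needs the bucket ARN, not {resource!r}")
    return findings
```

Running audit_policy over each document shows option A with two findings and option B with none, which is the least-privilege argument the explanation makes.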