AWS Certified Security – Specialty (SCS-C02) — Question 197

An application has been built with Amazon EC2 instances that retrieve messages from Amazon SQS. Recently, IAM changes were made and the instances can no longer retrieve messages.

What actions should be taken to troubleshoot the issue while maintaining least privilege? (Choose two.)

Answer options

• A. Configure and assign an MFA device to the role used by the instances.
• B. Verify that the SQS resource policy does not explicitly deny access to the role used by the instances.
• C. Verify that the access key attached to the role used by the instances is active.
• D. Attach the AmazonSQSFullAccess managed policy to the role used by the instances.
• E. Verify that the role attached to the instances contains policies that allow access to the queue.

Correct answer: B, E

Explanation

Option B is correct because it ensures that the SQS resource policy is not denying access to the instances' role, which is crucial for message retrieval. Option E is also correct as it verifies that the role has the necessary permissions to access the queue. Options A, C, and D do not directly address the IAM changes affecting access to SQS messages and may grant unnecessary privileges or are not relevant to the current issue.