AWS Certified Security – Specialty — Question 154

An application has been built with Amazon EC2 instances that retrieve messages from Amazon SQS. Recently, IAM changes were made and the instances can no longer retrieve messages.
What actions should be taken to troubleshoot the issue while maintaining least privilege? (Choose two.)

Answer options

• A. Configure and assign an MFA device to the role used by the instances.
• B. Verify that the SQS resource policy does not explicitly deny access to the role used by the instances.
• C. Verify that the access key attached to the role used by the instances is active.
• D. Attach the AmazonSQSFullAccess managed policy to the role used by the instances.
• E. Verify that the role attached to the instances contains policies that allow access to the queue.

Correct answer: B, E

Explanation

The correct actions are B and E because verifying the SQS resource policy ensures that there are no explicit denials affecting access, and confirming that the role has the necessary policies is crucial for maintaining access permissions. Options A, C, and D either do not directly address the permission issue or violate the principle of least privilege by granting excessive permissions.