AWS Certified Solutions Architect – Associate (SAA-C02) — Question 196
An application running on an Amazon EC2 instance needs to access an Amazon DynamoDB table. Both the EC2 instance and the DynamoDB table are in the same AWS account. A solutions architect must configure the necessary permissions.
Which solution will allow least privilege access to the DynamoDB table from the EC2 instance?
Answer options
- A. Create an IAM role with the appropriate policy to allow access to the DynamoDB table. Create an instance profile to assign this IAM role to the EC2 instance.
- B. Create an IAM role with the appropriate policy to allow access to the DynamoDB table. Add the EC2 instance to the trust relationship policy document to allow it to assume the role.
- C. Create an IAM user with the appropriate policy to allow access to the DynamoDB table. Store the credentials in an Amazon S3 bucket and read them from within the application code directly.
- D. Create an IAM user with the appropriate policy to allow access to the DynamoDB table. Ensure that the application stores the IAM credentials securely on local storage and uses them to make the DynamoDB calls.
Correct answer: A
Explanation
The correct answer is A. An IAM role attached to the instance through an instance profile lets the EC2 service obtain short-lived credentials for that role and expose them to the application through the instance metadata service. The AWS SDKs and CLI pick those credentials up automatically as part of the default credential chain, so no long-lived secret is written to disk or shipped with the code, and the role's permissions policy can be scoped to the single table ARN and to the specific DynamoDB actions the application needs.
Option B does not work as written: an EC2 instance is not an IAM principal, so it cannot be named in a role's trust relationship. The trust policy must instead allow the EC2 service principal (ec2.amazonaws.com) to assume the role, and the role still has to be delivered to the instance through an instance profile, which is exactly what option A describes. Options C and D both create an IAM user with long-lived access keys. Whether those keys sit in an S3 bucket or on local storage, they are static secrets that must be distributed, protected and rotated by hand, and a compromise of the instance or the bucket yields credentials that keep working until someone revokes them. Temporary role credentials expire on their own, which is why roles rather than users are the recommended way to grant permissions to workloads running on AWS.
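The two policy documents behind option A, written out as an added example rather than anything from the exam page. The trust policy names the EC2 service principal, the permissions policy is pinned to one table ARN, and a small checker flags the wildcard patterns that would undo least privilege. The account ID, region, table name and role name are placeholders assumed for illustration, and nothing here calls AWS.

```python
"""Least-privilege IAM documents for an EC2 instance that reads one DynamoDB table.

Added example; account ID, region, table and role names are assumed placeholders.
"""
import json

ACCOUNT_ID = "123456789012"      # assumed placeholder account
REGION = "us-east-1"             # assumed region
TABLE_NAME = "Orders"            # assumed table name
ROLE_NAME = "OrdersReaderRole"   # assumed role name


def table_arn(account_id: str, region: str, table: str) -> str:
    """ARN of a single DynamoDB table; this is what Resource should point at."""
    return f"arn:aws:dynamodb:{region}:{account_id}:table/{table}"


def trust_policy() -> dict:
    """Who may assume the role: the EC2 service principal.

    An instance ID cannot appear here (the reason option B fails); the role
    reaches the instance through an instance profile instead.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def permissions_policy(account_id: str, region: str, table: str, actions: list[str]) -> dict:
    """Allow only the listed DynamoDB actions, only on the one table."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "OneTableOnly",
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": table_arn(account_id, region, table),
        }],
    }


def least_privilege_findings(policy: dict) -> list[str]:
    """Return a description of every over-broad Allow statement in a policy.

    Flags any action containing a wildcard (dynamodb:*, dynamodb:Get*, *) and
    any resource that is * or ends in table/*. An empty list means the policy
    passed this check.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        # IAM accepts either a string or a list for both fields; normalise.
        if isinstance(actions, str):
            actions = [actions]
        if isinstance(resources, str):
            resources = [resources]
        for action in actions:
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action}")
        for resource in resources:
            if resource == "*" or resource.endswith(":table/*"):
                findings.append(f"{sid}: wildcard resource {resource}")
    return findings


if __name__ == "__main__":
    perms = permissions_policy(ACCOUNT_ID, REGION, TABLE_NAME,
                               ["dynamodb:GetItem", "dynamodb:Query"])
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(perms, indent=2))
    print("findings:", least_privilege_findings(perms))
```

With the two documents saved to files, the option A setup is the usual sequence of aws iam create-role (with the trust policy as the assume-role policy document), aws iam put-role-policy (with the permissions policy), aws iam create-instance-profile, aws iam add-role-to-instance-profile, and aws ec2 associate-iam-instance-profile against the instance. The application then needs no credential configuration at all; the SDK reads the role's temporary credentials from the instance metadata service and refreshes them before they expire.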