AWS Certified Solutions Architect – Associate (SAA-C02) — Question 732

A solutions architect is using an AWS CloudFormation template to deploy a three-tier web application. The web application consists of a web tier and an application tier that stores and retrieves user data in Amazon DynamoDB tables. The web and application tiers are hosted on Amazon EC2 instances, and the database tier is not publicly accessible. The application EC2 instances need to access the DynamoDB tables without exposing API credentials in the template.
What should the solutions architect do to meet these requirements?

Answer options

• A. Create an IAM role to read the DynamoDB tables. Associate the role with the application instances by referencing an instance profile.
• B. Create an IAM role that has the required permissions to read and write from the DynamoDB tables. Add the role to the EC2 instance profile, and associate the instance profile with the application instances.
• C. Use the parameter section in the AWS CloudFormation template to have the user input access and secret keys from an already-created IAM user that has the required permissions to read and write from the DynamoDB tables.
• D. Create an IAM user in the AWS CloudFormation template that has the required permissions to read and write from the DynamoDB tables. Use the GetAtt function to retrieve the access and secret keys, and pass them to the application instances through the user data.

Correct answer: B

Explanation

To securely grant Amazon EC2 instances access to Amazon DynamoDB without managing access keys, an IAM role should be assigned to the instances via an EC2 instance profile. Option B is correct because the application tier requires both read and write permissions to manage user data, whereas Option A only provides read permissions. Options C and D are incorrect security practices as they involve passing and exposing long-lived AWS API credentials.