AWS Certified Solutions Architect – Associate (SAA-C03) — Question 571

A solutions architect is using an AWS CloudFormation template to deploy a three-tier web application. The web application consists of a web tier and an application tier that stores and retrieves user data in Amazon DynamoDB tables. The web and application tiers are hosted on Amazon EC2 instances, and the database tier is not publicly accessible. The application EC2 instances need to access the DynamoDB tables without exposing API credentials in the template.

What should the solutions architect do to meet these requirements?

Answer options

• A. Create an IAM role to read the DynamoDB tables. Associate the role with the application instances by referencing an instance profile.
• B. Create an IAM role that has the required permissions to read and write from the DynamoDB tables. Add the role to the EC2 instance profile, and associate the instance profile with the application instances.
• C. Use the parameter section in the AWS CloudFormation template to have the user input access and secret keys from an already-created IAM user that has the required permissions to read and write from the DynamoDB tables.
• D. Create an IAM user in the AWS CloudFormation template that has the required permissions to read and write from the DynamoDB tables. Use the GetAtt function to retrieve the access and secret keys, and pass them to the application instances through the user data.

Correct answer: B

Explanation

Using an IAM role attached to an EC2 instance profile is the AWS best practice for granting applications on EC2 instances secure access to other AWS resources without managing credentials. Option B is correct because the application tier requires both read and write capabilities, which are granted by the role and associated with the instances via the instance profile. Options C and D are incorrect because they involve passing long-lived access keys, while Option A is incorrect because it only provides read access.