AWS Certified Solutions Architect – Professional — Question 454

An administrator is using Amazon CloudFormation to deploy a three tier web application that consists of a web tier and application tier that will utilize Amazon
DynamoDB for storage when creating the CloudFormation template.
Which of the following would allow the application instance access to the DynamoDB tables without exposing API credentials?

Answer options

• A. Create an Identity and Access Management Role that has the required permissions to read and write from the required DynamoDB table and associate the Role to the application instances by referencing an instance profile.
• B. Use the Parameter section in the Cloud Formation template to nave the user input Access and Secret Keys from an already created IAM user that has me permissions required to read and write from the required DynamoDB table.
• C. Create an Identity and Access Management Role that has the required permissions to read and write from the required DynamoDB table and reference the Role in the instance profile property of the application instance.
• D. Create an identity and Access Management user in the CloudFormation template that has permissions to read and write from the required DynamoDB table, use the GetAtt function to retrieve the Access and secret keys and pass them to the application instance through user-data.

Correct answer: C

Explanation

Using an IAM Role attached to an EC2 instance via an Instance Profile is the AWS-recommended best practice for granting permissions to applications running on EC2 without exposing long-lived credentials. In CloudFormation, this is achieved by defining an IAM Role and referencing the corresponding Instance Profile in the Launch Template or EC2 Instance properties. Options B and D are incorrect because they involve passing or exposing sensitive API keys, while Option A describes the association slightly less accurately in the context of direct CloudFormation resource property definitions compared to C.