AWS Certified SysOps Administrator – Associate (legacy) — Question 393

A user has created an application which will be hosted on EC2. The application makes API calls to DynamoDB to fetch certain data. The application running on this instance is using the SDK for making these calls to DynamoDB. Which of the below mentioned statements is true with respect to the best practice for security in this scenario?

Answer options

• A. The user should create an IAM user with permissions to access DynamoDB and use its creden-tials within the application for connecting to DynamoDB
• B. The user should create an IAM user with DynamoDB and EC2 permissions. Attach the user with the application so that it does not use the root account credentials
• C. The user should attach an IAM role to the EC2 instance with necessary permissions for making API calls to DynamoDB.
• D. The user should create an IAM role with EC2 permissions to deploy the application

Correct answer: C

Explanation

Assigning an IAM role to an EC2 instance is the recommended AWS best practice because it allows the AWS SDK to automatically retrieve temporary security credentials, eliminating the need to manage or store long-term AWS credentials on the instance. Storing static IAM user credentials inside an application (as described in options A and B) introduces unnecessary security risks from credential exposure. Option D is incorrect because it focuses on deployment permissions rather than granting the running application access to DynamoDB.