AWS Certified SysOps Administrator – Associate (legacy) — Question 43
An application running on Amazon EC2 instances needs to write files to an Amazon S3 bucket.
What is the MOST secure way to grant the application access to the S3 bucket?
Answer options
- A. Create an IAM user with the necessary privileges. Generate an access key and embed the key in the code running on the EC2 instances.
- B. Install secure FTP (SFTP) software on the EC2 instances. Use an AWS Lambda function to copy the files from the EC2 instances to Amazon S3 using SFTP.
- C. Create an IAM role with the necessary privileges. Associate the role with the EC2 instances at launch.
- D. Use rsync and cron to set up the transfer of files from the EC2 instances to the S3 bucket. Enable AWS Shield to protect the data.
Correct answer: C
Explanation
The correct answer is C. An IAM role attached to the instances through an instance profile delivers short-lived credentials via the instance metadata service; the AWS SDK's default credential provider chain picks them up automatically, AWS rotates them before they expire, and no long-term secret is stored in the code, on disk, or in the AMI. Option A is the classic anti-pattern: long-term access keys embedded in application code end up in source control, images and logs, are hard to rotate, and must be revoked by hand if the instances or the repository are compromised. Option B adds an SFTP service and a Lambda function but does not solve the credential problem, since the Lambda function still needs permission to write to S3, and the SFTP endpoint is one more listening service and key set to protect. Option D likewise still needs some credential for the copy into S3 to succeed, and AWS Shield is a DDoS protection service with no bearing on access control between EC2 and S3. When implementing C, scope the role's permission policy to what the application actually does (for write-only access, s3:PutObject on the target bucket's objects rather than s3:* on Resource "*"), and require IMDSv2 on the instances so that an SSRF flaw in the application cannot be used to read the role credentials from the metadata endpoint.
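The example below is added here and is not part of the original question or of any AWS documentation. It shows the two policy documents behind answer C (a trust policy that lets only the EC2 service assume the role, and a least-privilege permission policy scoped to writing objects in one bucket), the AWS CLI sequence that wires the role to an instance at launch with IMDSv2 enforced, and a simple scanner for the anti-pattern in answer A, long-term access keys embedded in source. The role name, bucket name, AMI ID and instance type are placeholders; the sample source code and its key values (the well-known AWS documentation example values) are constructed for the demonstration. The CLI commands are returned as strings rather than executed so the block runs offline.

```python
"""Least-privilege EC2 instance role for S3 writes (answer C) and a check for
embedded access keys (answer A). Added example; role, bucket and AMI names
are placeholders, not values from the original question."""
from __future__ import annotations

import json
import re


def trust_policy() -> dict:
    """Trust policy: only the EC2 service may assume the role (no IAM users,
    no other accounts), so the credentials are only ever issued to instances."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def bucket_write_policy(bucket: str) -> dict:
    """Permission policy: the application only writes files, so grant only
    s3:PutObject on objects in the one bucket, not s3:* or Resource "*"."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def setup_commands(role: str, bucket: str, ami: str = "ami-0123456789abcdef0") -> list[str]:
    """AWS CLI sequence: create the role, attach the inline policy, wrap the role
    in an instance profile, and launch with that profile while requiring IMDSv2
    (HttpTokens=required) so SSRF cannot fetch the role credentials. The AMI ID
    and instance type are placeholders."""
    return [
        f"aws iam create-role --role-name {role} "
        f"--assume-role-policy-document '{json.dumps(trust_policy())}'",
        f"aws iam put-role-policy --role-name {role} --policy-name {role}-s3-write "
        f"--policy-document '{json.dumps(bucket_write_policy(bucket))}'",
        f"aws iam create-instance-profile --instance-profile-name {role}",
        f"aws iam add-role-to-instance-profile --instance-profile-name {role} --role-name {role}",
        f"aws ec2 run-instances --image-id {ami} --instance-type t3.micro "
        f"--iam-instance-profile Name={role} --metadata-options HttpTokens=required",
    ]


# Long-term IAM user access key IDs start with AKIA and are 20 characters;
# a quoted 40-character token near the word "secret" is the matching secret key.
_ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
_SECRET_KEY_RE = re.compile(r"""(?i)aws.{0,20}secret.{0,20}['"]([A-Za-z0-9/+=]{40})['"]""")


def find_hardcoded_aws_keys(source: str) -> list[tuple[int, str]]:
    """Return (line number, description) for every embedded key found in source."""
    findings: list[tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in _ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, f"access key id {m.group(1)}"))
        for _ in _SECRET_KEY_RE.finditer(line):
            findings.append((lineno, "secret access key literal"))
    return findings


# Constructed sample of answer A's approach (AWS documentation example key values).
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
s3 = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
"""

# Constructed sample of answer C's approach: no credentials in code at all. The
# SDK's default provider chain obtains the role's temporary credentials from IMDS.
SAMPLE_SOURCE_WITH_ROLE = """\
import boto3
s3 = boto3.client("s3")
s3.put_object(Bucket="my-app-bucket", Key="report.csv", Body=b"...")
"""

if __name__ == "__main__":
    for cmd in setup_commands("app-s3-writer", "my-app-bucket"):
        print(cmd)
    print(find_hardcoded_aws_keys(SAMPLE_SOURCE))
    print(find_hardcoded_aws_keys(SAMPLE_SOURCE_WITH_ROLE))
```

Running the scanner over the two constructed samples flags the access key ID and secret on lines 2 and 3 of the first and nothing in the second, which is the practical difference between answers A and C: with a role there is no secret in the code for a scanner, a leaked repository, or an attacker on the instance to find.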