AWS Certified SysOps Administrator – Associate (legacy) — Question 497

An application running on Amazon EC2 needs login credentials to access a database. The login credentials are stored in AWS Systems Manager Parameter Store as secure string parameters.
What is the MOST secure way to grant the application access to the credentials?

Answer options

• A. Create an IAM EC2 role for the EC2 instances and grant the role permission to read the Systems Manager parameters
• B. Create an IAM group for the application and grant the group permissions to read the Systems Manager parameters
• C. Create an IAM policy for the application and grant the policy permission to read the Systems Manager parameters
• D. Create an IAM user for the application and grant the user permission to read the Systems Manager parameters

Correct answer: C

Explanation

Creating a dedicated IAM policy that explicitly defines read permissions for the Systems Manager parameters is the most secure way to control access. This policy enforces the principle of least privilege and can be attached to the application's execution identity. Other methods, such as using IAM users with long-term security credentials, introduce unnecessary security risks.