AWS Certified SysOps Administrator – Associate (legacy) — Question 532
An application is running on an Amazon EC2 instance. A SysOps Administrator is tasked with allowing the application access to an Amazon S3 bucket.
What should be done to ensure optimal security?
Answer options
- A. Apply an S3 bucket policy to allow access from all EC2 instances.
- B. Create an IAM user and create a script to inject the credentials on boot.
- C. Create and assign an IAM role for Amazon S3 access to the EC2 instance.
- D. Embed an AWS credentials file for an IAM user inside the Amazon Machine Image (AMI).
Correct answer: C
Explanation
Using an IAM role for EC2 instances is the AWS-recommended best practice because it eliminates the need to manage, rotate, and store long-term AWS credentials on the instance. Hardcoding credentials in an AMI or injecting them via scripts creates a risk of credential exposure, while a broad bucket policy that allows access from all EC2 instances violates the principle of least privilege.
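The following is an added example, not part of the exam page: the trust policy and a bucket-scoped permissions policy for the role in option C, next to an approximation of the over-broad bucket policy in option A, and a small lint that flags wildcard principals, actions and resources. The bucket name is a constructed placeholder.

```python
# Trust policy: only the EC2 service may assume the role; the role reaches
# the instance through an instance profile, so no key is stored on the box.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

def s3_read_policy(bucket: str) -> dict:
    """Permissions policy scoped to one bucket: list it and read its objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }

# Option A approximated: a bucket policy that lets any principal do anything.
BROAD_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "s3:*", "Resource": "*"}],
}

def find_overbroad(policy: dict) -> list[str]:
    """Return one finding per wildcard Principal/Action/Resource in Allow statements."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if st.get("Principal") in ("*", {"AWS": "*"}):
            findings.append(f"stmt {i}: Principal is *")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"stmt {i}: wildcard Action")
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in resources:
            findings.append(f"stmt {i}: Resource is *")
    return findings
```

Running `find_overbroad` over the scoped policy returns no findings, while the broad bucket policy trips all three checks.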