AWS Certified SysOps Administrator – Associate (legacy) — Question 773
A user has created an application which will be hosted on EC2. The application makes calls to DynamoDB to fetch certain data. The application uses the DynamoDB SDK to connect to DynamoDB from the EC2 instance. Which of the below mentioned statements is true with respect to the best practice for security in this scenario?
Answer options
- A. The user should attach an IAM role with DynamoDB access to the EC2 instance
- B. The user should create an IAM user with DynamoDB access and use its credentials within the application to connect with DynamoDB
- C. The user should create an IAM role, which has EC2 access so that it will allow deploying the application
- D. The user should create an IAM user with DynamoDB and EC2 access. Attach the user with the application so that it does not use the root account credentials
Correct answer: A
Explanation
Attaching an IAM role to the EC2 instance is the recommended AWS security best practice because the instance obtains temporary security credentials that are automatically rotated, eliminating the need to store long-term access keys on the instance. Storing IAM user credentials inside the application or instance configuration increases the risk of credential exposure. Options C and D do not follow the principle of least privilege and introduce unnecessary security risks.
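The following CloudFormation template is an added example (not part of the original question) of option A: an IAM role that only EC2 may assume, scoped to read a single DynamoDB table, attached to the instance through an instance profile so the SDK picks up rotated temporary credentials and no access keys are stored. The table name `orders` and the `ami-EXAMPLE` image ID are placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: EC2 instance role with least-privilege DynamoDB access (added example)
Parameters:
  TableName:
    Type: String
    Default: orders   # assumed table name; replace with the application's table
Resources:
  AppInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only the EC2 service can assume this role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      # Permissions policy: read-only actions on one table, not dynamodb:*
      Policies:
        - PolicyName: DynamoDBReadOneTable
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - dynamodb:GetItem
                  - dynamodb:Query
                Resource: !Sub "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${TableName}"
  AppInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref AppInstanceRole
  AppInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-EXAMPLE          # placeholder; use a real AMI for the region
      InstanceType: t3.micro
      # Attaching the profile is what makes the SDK's default credential
      # chain fetch short-lived role credentials from the instance metadata
      IamInstanceProfile: !Ref AppInstanceProfile
```

With this in place the application code creates its DynamoDB client without passing any keys; if someone later adds hardcoded `aws_access_key_id`/`aws_secret_access_key` values, that is the option B anti-pattern the question warns against.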