AWS Certified Solutions Architect Associate SAA-C03 Practice Question
A development team is deploying a web application on Amazon EC2 instances that must read objects from an Amazon S3 bucket in the same AWS account. According to AWS security best practices, which approach should the team use to grant the EC2 instances access to the S3 bucket?
Embed the AWS access key and secret key in the Amazon Machine Image (AMI) used to launch the instances.
Store the AWS access key and secret key in environment variables on the EC2 instances.
Save the AWS access key and secret key in a plaintext configuration file inside /etc on each instance.
Attach an IAM role to the EC2 instance profile that grants the required Amazon S3 permissions.
Attaching an IAM role to the EC2 instance profile is the recommended method. The role provides automatically rotated, temporary credentials that the instance retrieves from the Instance Metadata Service. This eliminates the need to distribute or store long-term access keys within the instance, reducing the risk of credential leakage. Storing access keys in environment variables, baking them into the AMI, or keeping them in plaintext configuration files all expose long-term credentials that can be compromised.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are IAM roles and how do they work?
Open an interactive chat with Bash
Why is using temporary credentials more secure than static IAM user credentials?
Open an interactive chat with Bash
What is the risk of storing static IAM user credentials on an EC2 instance?