Which solution will meet these requirements in the MOST secure manner?
Create an IAM user with an IAM policy that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues. Embed the IAM user’s credentials in the application’s configuration
Create an IAM user with an IAM policy that allows the sqs:SendMessage permission, the sqs:RecelveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues. Export the IAM user’s access key and secret access key as environment variables on the EC2 instance.
Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows sqs:* permissions to the appropriate queues.
Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues.
Explanations:
Creating an IAM user and embedding its credentials in the application’s configuration is insecure, as it exposes the credentials within the codebase, making them susceptible to leaks and attacks.
Similar to option A, exporting IAM user credentials as environment variables poses a security risk. If the instance is compromised, the credentials could be accessed and misused.
Although this option involves creating an IAM role (which is a best practice for managing permissions), it allows all SQS actions (sqs:*), which may provide broader permissions than necessary for the application.
This option is the most secure as it utilizes an IAM role specifically for the EC2 instance, allowing it to assume the role and obtain temporary security credentials without embedding any credentials in the application, while granting only the necessary permissions to interact with the specified SQS queues.
From what I’ve heard, the answer is:
Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues.