Which approach should the company take to allow the application to interact with Amazon S3?
A. Create an IAM role that has administrative access to AWS. Attach the role to the EC2 instance.
B. Create an IAM user. Attach the AdministratorAccess policy. Copy the generated access key and secret key. Within the application code, use the access key and secret key along with the AWS SDK to communicate with Amazon S3.
C. Create an IAM role that has the necessary access to Amazon S3. Attach the role to the EC2 instance.
D. Create an IAM user. Attach a policy that provides the necessary access to Amazon S3. Copy the generated access key and secret key. Within the application code, use the access key and secret key along with the AWS SDK to communicate with Amazon S3.
Explanations:
A. While creating an IAM role with administrative access and attaching it to the EC2 instance provides access to S3, it does not follow the principle of least privilege, which recommends granting only the necessary permissions for specific tasks.
B. Using an IAM user with AdministratorAccess and hardcoding access keys within the application code is not a best practice. It exposes sensitive credentials and lacks the security benefits of using IAM roles, which allow temporary credentials and automatic rotation.
C. Creating an IAM role with the necessary access permissions to S3 and attaching it to the EC2 instance is the best practice. It allows the application to assume the role, providing temporary credentials without hardcoding sensitive information, aligning with the principle of least privilege.
D. Similar to option B, using an IAM user with access keys hardcoded in the application is insecure. While it may grant necessary permissions, it does not leverage the security advantages of using IAM roles, such as automatic credential management and reduced risk of key exposure.
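The two things the explanations hinge on, an S3-scoped policy instead of AdministratorAccess and no access keys embedded in application code, can both be checked mechanically. The following is an added example, not part of the original question set: it builds a constructed least-privilege S3 policy next to the shape of AdministratorAccess, flags Allow statements that reach beyond S3 or use wildcards, and scans source text for hardcoded AWS access key IDs (the `AKIA...` prefix pattern). The bucket name and the sample source snippet are constructed; the key pair in the snippet is AWS's published documentation example, not a live credential.

```python
import json
import re

# Constructed bucket name; a real deployment substitutes its own.
BUCKET = "example-app-bucket"

# Shape of the AWS managed AdministratorAccess policy (option A/B): all
# actions on all resources.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed least-privilege policy for the role in option C: list one
# bucket, read and write objects in it, nothing else.
S3_LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def overly_broad_statements(policy, allowed_service="s3"):
    """Return (statement_index, field, value) for every Allow statement that
    grants actions outside the allowed service or uses a wildcard."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or not action.lower().startswith(allowed_service + ":"):
                findings.append((idx, "action", action))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((idx, "resource", resource))
    return findings


def is_least_privilege_for_s3(policy):
    """True when the policy grants only S3 actions on named resources."""
    return not overly_broad_statements(policy, "s3")


# AWS access key IDs are 20 characters, prefixed AKIA (long-term user keys).
ACCESS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def find_hardcoded_access_keys(source_text):
    """Return every access key ID embedded in application source text."""
    return ACCESS_KEY_ID_RE.findall(source_text)


# Constructed anti-pattern from options B/D: keys embedded in code.
# The key pair is AWS's documentation example, not a real credential.
SAMPLE_SOURCE = '''
import boto3
s3 = boto3.client("s3",
    aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
    aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")
'''

# Option C pattern: no keys in code; the SDK's default credential chain
# picks up the role's temporary credentials from the instance profile.
ROLE_BASED_SOURCE = 'import boto3\ns3 = boto3.client("s3")\n'

if __name__ == "__main__":
    print(json.dumps(S3_LEAST_PRIVILEGE_POLICY, indent=2))
    print("admin policy findings:", overly_broad_statements(ADMIN_POLICY))
    print("scoped policy ok:", is_least_privilege_for_s3(S3_LEAST_PRIVILEGE_POLICY))
    print("hardcoded keys:", find_hardcoded_access_keys(SAMPLE_SOURCE))
    print("role-based keys:", find_hardcoded_access_keys(ROLE_BASED_SOURCE))
```

The policy checker is deliberately simple (it treats any non-`s3:` action or `*` resource as a finding) and is meant as a pre-deployment gate or a reviewer aid, not a replacement for IAM Access Analyzer. The key scan catches the AKIA prefix only; secret keys have no fixed prefix, so the practical control is the one the explanation for option C describes: attach a scoped role to the instance and construct the SDK client with no credentials at all.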