How should the application use AWS credentials to access the S3 bucket securely?
Use the AWS account access Keys the application retrieves the credentials from the source code of the application.
Create an IAM user for the application with permissions that allow list access to the S3 bucket launch the instance as the IAM user and retrieve the IAM user’s credentials from the EC2 instance user data.
Create an IAM role for EC2 that allows list access to objects in the S3 bucket. Launch the instance with the role, and retrieve the role’s credentials from the EC2 Instance metadata
Create an IAM user for the application with permissions that allow list access to the S3 bucket. The application retrieves the IAM user credentials from a temporary directory with permissions that allow read access only to the application user.
Explanations:
Using AWS account access keys directly in the source code is insecure, as it exposes sensitive credentials and increases the risk of accidental leakage.
Launching the instance as an IAM user is not a best practice. IAM roles should be used instead of IAM users for applications running on EC2 to avoid managing credentials directly.
Creating an IAM role for EC2 instances allows the application to securely assume the role and access S3 without embedding credentials. The role’s temporary credentials can be retrieved from the EC2 instance metadata, which is a secure method.
Storing IAM user credentials in a temporary directory is not secure and can lead to credential exposure. IAM roles are the recommended way to grant permissions to applications running on EC2 instances.
I surmise that the answer is:
Create an IAM role for EC2 that allows list access to objects in the S3 bucket. Launch the instance with the role, and retrieve the role’s credentials from the EC2 Instance metadata