What should the solutions architect do to meet these requirements?
Create an IAM role to read the DynamoDB tables. Associate the role with the application instances by referencing an instance profile.
Create an IAM role that has the required permissions to read and write from the DynamoDB tables. Add the role to the EC2 instance profile, and associate the instance profile with the application instances.
Use the parameter section in the AWS CloudFormation template to have the user input access and secret keys from an already-created IAM user that has the required permissions to read and write from the DynamoDB tables.
Create an IAM user in the AWS CloudFormation template that has the required permissions to read and write from the DynamoDB tables. Use the GetAtt function to retrieve the access and secret keys, and pass them to the application instances through the user data.
Explanations:
While creating an IAM role to read DynamoDB is correct, the solution does not address associating the IAM role with the EC2 instance profile.
This option correctly describes creating an IAM role with the necessary permissions and associating it with the EC2 instance profile for the application tier.
Using hardcoded access and secret keys is insecure and goes against best practices for managing credentials.
Creating an IAM user within the CloudFormation template is not recommended, and passing access keys to EC2 instances via user data is insecure.
I strategize that the answer is:
Create an IAM role that has the required permissions to read and write from the DynamoDB tables. Add the role to the EC2 instance profile, and associate the instance profile with the application instances.
If I had to guess, I’d say the answer is:
Create an IAM role that has the required permissions to read and write from the DynamoDB tables. Add the role to the EC2 instance profile, and associate the instance profile with the application instances.