Which AWS IAM changes are needed when creating an instance role to provide this functionality?
Create an IAM permission policy attached to the role that allows access to DynamoDB. Add a trust policy to the role that allows DynamoDB to assume the role. Attach a permissions policy to the development group in AWS IAM that allows developers to use the iam:GetRole and iam:PassRole permissions for the role.
Create an IAM permissions policy attached to the role that allows access to DynamoDB. Add a trust policy to the role that allows Amazon EC2 to assume the role. Attach a permissions policy to the development group in AWS IAM that allows developers to use the iam:PassRole permission for the role.
Create an IAM permission policy attached to the role that allows access to Amazon EC2. Add a trust policy to the role that allows DynamoDB to assume the role. Attach a permissions policy to the development group in AWS IAM that allows developers to use the iam:PassRole permission for the role.
Create an IAM permissions policy attached to the role that allows access to DynamoDB. Add a trust policy to the role that allows Amazon EC2 to assume the role. Attach a permissions policy to the development group in AWS IAM that allows developers to use the iam:GetRole permission for the role.
Explanations:
The trust policy should allow EC2 to assume the role, not DynamoDB. The permissions policy for the IAM group should allow iam:PassRole, but iam:GetRole is not required.
The IAM role should have a trust policy allowing EC2 to assume the role. The permissions policy for the IAM group should include iam:PassRole to allow developers to pass the role to EC2 instances.
The trust policy should allow EC2, not DynamoDB, to assume the role. Also, the IAM role should allow DynamoDB access, not EC2 access.
The trust policy should allow EC2 to assume the role, not DynamoDB. The iam:GetRole permission is unnecessary for the IAM group. The correct permission is iam:PassRole.