Which AWS IAM changes are needed when creating an instance role to provide this functionality?

By:
In: DVA-C01
Tagged:
With: 1 Comment
A development team is building a new application that will run on Amazon EC2 and use Amazon DynamoDB as a storage layer.The developers all have assigned IAM user accounts in the same IAM group.The developers currently can launch EC2 instances, and they need to be able to launch EC2 instances with an instance role allowing access to Amazon DynamoDB.

Which AWS IAM changes are needed when creating an instance role to provide this functionality?

Create an IAM permission policy attached to the role that allows access to DynamoDB. Add a trust policy to the role that allows DynamoDB to assume the role. Attach a permissions policy to the development group in AWS IAM that allows developers to use the iam:GetRole and iam:PassRole permissions for the role.

Create an IAM permissions policy attached to the role that allows access to DynamoDAdd a trust policy to the role that allows Amazon EC2 to assume the role. Attach a permissions policy to the development group in AWS IAM that allows developers to use the iam:PassRole permission for the role.

Create an IAM permission policy attached to the role that allows access to Amazon EC2. Add a trust policy to the role that allows DynamoDB to assume the role. Attach a permissions policy to the development group in AWS IAM that allows developers to use the iam:PassRole permission for the role.

Create an IAM permissions policy attached to the role that allows access to DynamoDB. Add a trust policy to the role that allows Amazon EC2 to assume the role. Attach a permissions policy to the development group in AWS IAM that allows developers to use the iam:GetRole permission for the role.

Explanations:

The trust policy should allow EC2 to assume the role, not DynamoDB. The permissions policy for the IAM group should allowiam:PassRole, butiam:GetRoleis not required.

The IAM role should have a trust policy allowing EC2 to assume the role. The permissions policy for the IAM group should includeiam:PassRoleto allow developers to pass the role to EC2 instances.

The trust policy should allow EC2, not DynamoDB, to assume the role. Also, the IAM role should allow DynamoDB access, not EC2 access.

The trust policy should allow EC2 to assume the role, not DynamoDB.iam:GetRolepermission is unnecessary for the IAM group. The correct permission isiam:PassRole.

2025-10-03

1 Comment

  1. Jeffrey
    Author

    I assess that the answer is:
    Create an IAM permissions policy attached to the role that allows access to DynamoDAdd a trust policy to the role that allows Amazon EC2 to assume the role. Attach a permissions policy to the development group in AWS IAM that allows developers to use the iam:PassRole permission for the role.

Leave a Reply

Your email address will not be published. Required fields are marked *

19 − 5 =