Which combination of steps will ensure that the application makes the API requests in the MOST secure manner?
(Choose two.)
Create an IAM user that has permissions to the S3 bucket. Add the user to an IAM group.
Create an IAM role that has permissions to the S3 bucket.
Add the IAM role to an instance profile. Attach the instance profile to the EC2 instance.
Create an IAM role that has permissions to the S3 bucket. Assign the role to an IAM group.
Store the credentials of the IAM user in the environment variables on the EC2 instance.
Explanations:
Creating an IAM user with permissions to the S3 bucket is not ideal for an EC2 instance. IAM users require managing credentials and are less secure than roles for instance-based access.
Creating an IAM role with permissions to the S3 bucket is a secure way to allow the EC2 instance to access the S3 bucket without embedding credentials.
Adding the IAM role to an instance profile and attaching it to the EC2 instance allows the instance to use the role securely, providing temporary credentials for accessing the S3 bucket.
Assigning a role to an IAM group does not apply to the EC2 instance directly. Roles should be assigned to instances via instance profiles, not groups.
Storing IAM user credentials in environment variables on the EC2 instance is insecure. This approach exposes credentials and increases the risk of unauthorized access.
In my opinion, the answer is:
Create an IAM role that has permissions to the S3 bucket.