Which combination of steps will ensure that the application makes the API requests in the MOST secure manner?
(Choose two.)
Create an IAM user that has permissions to the S3 bucket. Add the user to an IAM group.
Create an IAM role that has permissions to the S3 bucket.
Add the IAM role to an instance profile. Attach the instance profile to the EC2 instance.
Create an IAM role that has permissions to the S3 bucket. Assign the role to an 1AM group.
Store the credentials of the IAM user in the environment variables on the EC2 instance.
Explanations:
Using IAM users and groups for EC2 instance access is not recommended for security reasons. IAM roles are preferred for instance-based permissions as they do not require managing credentials directly.
Creating an IAM role with permissions to access the S3 bucket is the most secure method. This role can be assumed by the EC2 instance to gain temporary access to the resources.
Attaching an IAM role to an instance profile and associating it with the EC2 instance ensures the application uses temporary credentials, following AWS best practices for instance security.
Assigning an IAM role to an IAM group is not valid. Roles should be assigned directly to EC2 instances, not groups, for them to function properly.
Storing IAM user credentials in environment variables introduces a security risk, as they could be exposed. Using IAM roles for EC2 instance access avoids this issue.
I opine that the answer is:
Create an IAM role that has permissions to the S3 bucket.