Which of the following would allow the application instance access to the DynamoDB tables without exposing API credentials?
Create an Identity and Access Management Role that has the required permissions to read and write from the required DynamoDB table and associate the Role to the application instances by referencing an instance profile.
Use the Parameter section in the Cloud Formation template to nave the user input Access and Secret Keys from an already created IAM user that has me permissions required to read and write from the required DynamoDB table.
Create an Identity and Access Management Role that has the required permissions to read and write from the required DynamoDB table and reference the Role in the instance profile property of the application instance.
Create an identity and Access Management user in the CloudFormation template that has permissions to read and write from the required DynamoDB table, use the GetAtt function to retrieve the Access and secret keys and pass them to the application instance through user-data.
Explanations:
This option creates an IAM Role with appropriate permissions and associates it with the application instance via an instance profile. This allows the application to access DynamoDB securely without exposing API credentials.
The use of user-provided Access and Secret Keys is not recommended as it involves hardcoding sensitive information, which can expose API credentials.
The IAM Role should be associated with the instance profile, not referenced directly in the instance profile property. The correct approach is to use an instance profile, not reference the role directly.
Using IAM user credentials (Access and Secret Keys) within user-data is insecure and exposes credentials. It is not recommended to pass API keys through user-data.
From what I’ve seen, the answer is:
Create an Identity and Access Management Role that has the required permissions to read and write from the required DynamoDB table and associate the Role to the application instances by referencing an instance profile.