Which policy must the developer modify to allow the instances to write these objects?
The IAM policy that is attached to the EC2 instance profile role.
The session policy that is applied to the EC2 instance role session.
The AWS Key Management Service (AWS KMS) key policy that is attached to the EC2 instance profile role.
The Amazon VPC endpoint policy.
Explanations:
The EC2 instances require permissions to interact with S3. The IAM policy attached to the EC2 instance profile role governs the permissions for the instances, including actions such as writing objects to an S3 bucket.
A session policy applies only to a single temporary role session and can only narrow the permissions that the role's identity-based policy already grants; it cannot add S3 write permissions the role does not have. The instance role's policy is the correct place to configure these permissions.
The AWS KMS key policy controls access to KMS resources, not S3 permissions directly. The key policy would only be relevant if the EC2 instances need to encrypt or decrypt objects in S3 using KMS, but the policy still wouldn’t grant S3 write permissions.
The VPC endpoint policy governs which requests may pass through the VPC endpoint. It can restrict access to the S3 service over that endpoint, but it does not grant write permissions to S3 objects; the permissions themselves come from the IAM policy on the EC2 instance role.
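The relationship between the instance role's identity-based policy and a VPC endpoint policy is easy to see in code. The following is an added illustration, not part of the question or its explanations: it holds a constructed identity policy for the instance profile role (the document the developer has to edit) and a constructed VPC endpoint policy, then evaluates a write request against both with a deliberately simplified model of AWS policy evaluation (explicit Deny wins, otherwise a matching Allow permits, otherwise default deny; condition keys are ignored). The bucket name and statement IDs are placeholders. The point it demonstrates is that the endpoint policy can block a write but can never grant one that the role's policy lacks.

```python
import fnmatch

# Constructed placeholder bucket; replace with the real bucket ARN.
BUCKET_ARN = "arn:aws:s3:::example-bucket"

# Constructed identity-based policy for the EC2 instance profile role.
# This is the document the developer modifies so the instances can write objects.
INSTANCE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowObjectWrites",
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": f"{BUCKET_ARN}/*",
        }
    ],
}

# Constructed VPC endpoint policy: it gates which requests may traverse the
# endpoint, but it grants nothing on its own.
VPC_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
        }
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Case-sensitive wildcard match, e.g. 's3:*' or 'arn:aws:s3:::bucket/*'."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def policy_allows(policy, action, resource):
    """Simplified evaluation of one policy document.

    An explicit Deny that matches wins immediately; otherwise any matching
    Allow permits; otherwise the result is the implicit default deny.
    Condition blocks and NotAction/NotResource are not modelled.
    """
    allowed = False
    for stmt in policy.get("Statement", []):
        if not (_matches(stmt.get("Action", []), action)
                and _matches(stmt.get("Resource", []), resource)):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def write_permitted(action, resource, identity_policy, endpoint_policy=None):
    """Decide whether a request from the instance role succeeds.

    The role's identity-based policy must grant the action. If the request
    traverses a VPC endpoint, the endpoint policy must also allow it, but the
    endpoint policy can only take permissions away, never add them.
    """
    if not policy_allows(identity_policy, action, resource):
        return False
    if endpoint_policy is not None and not policy_allows(endpoint_policy, action, resource):
        return False
    return True


if __name__ == "__main__":
    key = f"{BUCKET_ARN}/logs/app.log"
    print("PutObject via endpoint:", write_permitted("s3:PutObject", key,
                                                    INSTANCE_ROLE_POLICY, VPC_ENDPOINT_POLICY))
    print("DeleteObject via endpoint:", write_permitted("s3:DeleteObject", key,
                                                       INSTANCE_ROLE_POLICY, VPC_ENDPOINT_POLICY))
```

Running it shows the write succeeding only when the role policy grants `s3:PutObject` on the object ARN; removing that statement makes the write fail even though the endpoint policy still lists `s3:PutObject`, which is why editing the endpoint policy alone would not solve the developer's problem.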