Which solution will allow least privilege access to the DynamoDB table from the EC2 instance?
Create an IAM role with the appropriate policy to allow access to the DynamoDB table. Create an instance profile to assign this IAM role to the EC2 instance.
Create an IAM role with the appropriate policy to allow access to the DynamoDB table. Add the EC2 instance to the trust relationship policy document to allow it to assume the role.
Create an IAM user with the appropriate policy to allow access to the DynamoDB table. Store the credentials in an Amazon S3 bucket and read them from within the application code directly.
Create an IAM user with the appropriate policy to allow access to the DynamoDB table. Ensure that the application stores the IAM credentials securely on local storage and uses them to make the DynamoDB calls.
Explanations:
Creating an IAM role with the appropriate policy and assigning it to the EC2 instance via an instance profile is the best practice for granting least privilege access. This method allows the EC2 instance to assume the role and access the DynamoDB table without hardcoding credentials.
Although creating an IAM role is a good approach, adding the EC2 instance to the trust relationship policy document is not necessary. Trust relationships are typically used for cross-account access or for allowing other AWS services to assume the role, not for the instance itself. The role should be assigned through an instance profile instead.
Creating an IAM user and storing credentials in an S3 bucket poses security risks. This method does not follow best practices for least privilege and credential management, as it can expose credentials to unauthorized access. Additionally, using an IAM user for EC2 instances is not ideal compared to using roles.
Similar to option C, creating an IAM user and storing credentials on local storage is insecure and not recommended. This approach increases the risk of credential exposure and does not utilize the benefits of IAM roles, which offer a more secure way to manage permissions for EC2 instances.
I infer that the answer is:
Create an IAM role with the appropriate policy to allow access to the DynamoDB table. Create an instance profile to assign this IAM role to the EC2 instance.