Which solution will meet these requirements?

By:
In: DVA-C02
Tagged:
With: 2 Comments
A developer is creating an application that reads and writes to multiple Amazon S3 buckets.The application will be deployed to an Amazon EC2 instance.The developer wants to make secure API requests from the EC2 instances without the need to manage the security credentials for the application.The developer needs to apply the principle of least privilege.

Which solution will meet these requirements?

Create an IAM user. Create access keys and secret keys for the user. Associate the user with an IAM policy that allows s3:* permissions.

Associate the EC2 instance with an IAM role that has an IAM policy that allows s3:ListBucket and s3:*Object permissions for specific S3 buckets.

Associate the EC2 instance with an IAM role that has an AmazonS3FullAccess AWS managed policy.

Create a bucket policy on the S3 bucket that allows s3:ListBucket and s3:*Object permissions to the EC2 instance.

Explanations:

Creating an IAM user with access keys and secret keys requires managing those credentials, which contradicts the requirement to make secure API requests without managing security credentials. This option does not follow the principle of least privilege as it grants broads3:*permissions.

Associating the EC2 instance with an IAM role that has a policy allowings3:ListBucketands3:*Objectpermissions for specific S3 buckets allows secure API requests without managing credentials. This approach follows the principle of least privilege by granting only the necessary permissions for the specified buckets.

Associating the EC2 instance with an IAM role that has theAmazonS3FullAccessmanaged policy grants excessive permissions (full access to all S3 resources), which violates the principle of least privilege. The developer should limit access to only the required S3 buckets and actions.

Creating a bucket policy to allows3:ListBucketands3:*Objectpermissions to the EC2 instance does not eliminate the need for managing security credentials. While it can restrict access, it does not provide a secure way to authenticate without using IAM roles associated with the instance.

2026-03-22

2 Comments

  1. Anthony
    Author

    I think the answer is:
    Associate the EC2 instance with an IAM role that has an IAM policy that allows s3:ListBucket and s3:*Object permissions for specific S3 buckets.

  2. Carolyn
    Author

    I believe the answer is:
    Associate the EC2 instance with an IAM role that has an IAM policy that allows s3:ListBucket and s3:*Object permissions for specific S3 buckets.

Leave a Reply

Your email address will not be published. Required fields are marked *

one × one =