A company requires its EC2 instances to access S3 without using access keys. What is the recommended approach?

  1. Use S3 bucket policies only
  2. Create an IAM user and embed credentials in code
  3. Store access keys in environment variables
  4. Use an IAM role attached to the EC2 instance ✓

Correct answer: Use an IAM role attached to the EC2 instance

Option D is correct because IAM roles attached to EC2 instances provide temporary, automatically rotated credentials via the instance metadata service, eliminating the need to manage or store long-term access keys. Option A is incorrect because S3 bucket policies alone control access to the bucket but do not provide the EC2 instance with any identity or credentials to authenticate requests. Option B is incorrect because embedding IAM user credentials in code is a serious security anti-pattern, as keys can be leaked through source control or logs and are difficult to rotate. Option C is incorrect because storing access keys in environment variables is still a long-term credential management problem and does not leverage AWS's built-in short-lived credential rotation for compute resources.

Topic: · iam roles, ec2 instance profile, s3 access, least privilege

Practice AWS Solutions Architect Associate Questions Free