Question #723
According to security best practices, how should an Amazon EC2 instance securely retrieve a list of objects from a private Amazon S3 bucket?
A. Embed an IAM user's access key and secret key in environment variables on the EC2 instance, then fetch the list.
B. Store the IAM user's credentials in a configuration file on the EC2 instance, read them during runtime, then access the bucket.
C. Assign an IAM role to the EC2 instance to grant temporary permissions for listing S3 objects.
D. Update the S3 bucket policy to allow public read access to the bucket contents indefinitely.
Explanation
Answer C is correct because an IAM role attached to the instance (through an instance profile) gives the instance short-lived, automatically rotated credentials. The AWS SDK and CLI pick these up from the instance metadata service without any key being written to the instance, which removes the long-term access keys that options A and B would leave in environment variables or a configuration file, where they can be read by any process, copied into an AMI or backup, or leaked through logs. Option D is insecure because a public bucket policy exposes the contents to everyone on the internet, which contradicts the requirement that the bucket stay private. Key points:
1. IAM roles grant temporary permissions: AWS Security Token Service (STS) issues the credentials, and the SDK refreshes them before they expire.
2. Avoid embedding static credentials (access/secret keys) in code, environment variables, or configuration files; they are never rotated automatically and are hard to revoke once they have spread.
3. Both the role's permissions policy and the S3 bucket policy should be scoped to the specific bucket and action needed (here s3:ListBucket on the bucket ARN) and to authorized roles or users, never to a public principal.
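The following is an added example, not part of the original question or its explanation, showing what the recommended approach looks like in practice: the trust policy that lets EC2 assume the role, a least-privilege permissions policy that allows only s3:ListBucket on one bucket, a check that flags a bucket policy statement open to everyone (option D), a check for the static key variables that options A and B rely on, and a listing function that passes no credentials at all so boto3 resolves them from the instance role. The bucket name, role ARN and account ID are placeholders chosen for illustration; the listing function needs network access and a real instance profile, while the policy helpers run offline.

```python
"""Added example: IAM-role-based S3 listing versus the insecure alternatives.

All names (bucket, role ARN, account ID) are placeholders for illustration.
"""
import json
import os

try:
    import boto3  # AWS SDK; only needed by list_bucket_objects()
except ImportError:  # keep the policy helpers usable without the SDK
    boto3 = None

# Long-term credential variables that options A and B would set.
STATIC_KEY_ENV_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")


def ec2_trust_policy():
    """Trust policy letting the EC2 service assume the role (option C).

    STS issues short-lived credentials under this role to the instance;
    no long-term key ever lives on the instance.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def list_only_permissions_policy(bucket, prefix=None):
    """Least-privilege permissions policy for listing a single bucket.

    s3:ListBucket is a bucket-level action, so the Resource is the bucket
    ARN itself (not bucket/*). An optional s3:prefix condition narrows
    which keys may be listed.
    """
    statement = {
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::" + bucket,
    }
    if prefix is not None:
        statement["Condition"] = {"StringLike": {"s3:prefix": [prefix + "*"]}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(bucket_policy):
    """Return Allow statements that grant access to everyone (option D).

    A statement is treated as public when its Principal is the wildcard
    and no Condition restricts who matches. Run this over a bucket policy
    before deploying it.
    """
    statements = bucket_policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement is also valid JSON
        statements = [statements]
    return [
        s for s in statements
        if s.get("Effect") == "Allow"
        and _principal_is_public(s.get("Principal"))
        and not s.get("Condition")
    ]


def static_keys_in_environment(env=None):
    """Names of long-term key variables present in the environment.

    On an instance that uses a role these should be absent, so the SDK
    credential chain falls through to the instance profile.
    """
    env = os.environ if env is None else env
    return [name for name in STATIC_KEY_ENV_VARS if name in env]


def list_bucket_objects(bucket, prefix=""):
    """List object keys with whatever credentials the SDK chain resolves.

    No access key or secret is passed here. On an EC2 instance with an
    instance profile, boto3 fetches temporary credentials from the
    instance metadata service and refreshes them automatically.
    """
    if boto3 is None:
        raise RuntimeError("boto3 is not installed")
    s3 = boto3.client("s3")
    keys = []
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket, Prefix=prefix):
        keys.extend(obj["Key"] for obj in page.get("Contents", []))
    return keys


if __name__ == "__main__":
    print(json.dumps(ec2_trust_policy(), indent=2))
    print(json.dumps(list_only_permissions_policy("example-private-bucket", "reports/"), indent=2))
    print("static keys in env:", static_keys_in_environment())
```

The two policy documents are what you attach when creating the role and its instance profile; the listing code then contains no credential handling at all, which is the practical difference between option C and options A and B.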
Answer
The correct answer is: C