Question #817
A company runs an application on an EC2 instance in one AWS account that needs to access an S3 bucket in another AWS account. The application does not currently have the necessary permissions. Which AWS service should be used to grant secure access without sharing credentials?
IAM user
IAM role
IAM policy
IAM Access Analyzer
Explanation
The correct answer is B (IAM role). IAM roles allow an EC2 instance in one AWS account to securely access resources (e.g., an S3 bucket) in another account without sharing credentials. Roles provide temporary security credentials, which are automatically rotated and managed by AWS. Here's why other options are incorrect:
- A (IAM user): Requires sharing long-term credentials (access keys), which is insecure and violates AWS best practices.
- C (IAM policy): Policies alone cannot grant access; they must be attached to a user, group, or role. The question requires a mechanism, not just permissions.
- D (IAM Access Analyzer): A tool for identifying unintended resource access, not granting permissions.
Key points: Use IAM roles for cross-account access, temporary credentials, and avoiding credential sharing.
Answer
The correct answer is: B