Question #720
A developer is troubleshooting an application that uses Amazon S3 in the us-east-1 Region. The application is deployed to an Amazon EC2 instance. The application requires read-only permissions to a bucket named project-data. The EC2 instance has an attached IAM role that contains the following IAM policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyS3Actions",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::project-data",
        "arn:aws:s3:::project-data/*"
      ]
    }
  ]
}
```
When the application tries to access the project-data bucket, an Access Denied error occurs.
How can the developer resolve this error?
A. Modify the IAM policy resource to include "arn:aws:s3:::*".
B. Modify the IAM policy to include the "s3:*" action.
C. Create a trust policy that specifies the EC2 service principal. Associate the role with the policy.
D. Create a trust relationship between the role and "s3.amazonaws.com".
Explanation
The permissions policy shown in the question is already correct for read-only access: s3:ListBucket and s3:GetBucketLocation are granted on the bucket ARN, and s3:GetObject on the object ARN (project-data/*). What is missing is the other half of an IAM role: its trust policy (the AssumeRolePolicyDocument). A role only works for an EC2 instance if that trust policy allows the EC2 service principal, ec2.amazonaws.com, to call sts:AssumeRole. Without it, the instance cannot obtain the role's temporary credentials through the instance profile, so S3 calls are made without the intended permissions and fail with Access Denied. The console adds this trust automatically when you choose EC2 as the use case, but a role created through the CLI or API, or originally created for another service, may lack it.
- Option C resolves this by creating a trust policy for the EC2 service principal and associating it with the role.
- Options A and B are incorrect because the permissions policy already covers the required actions and resources; widening it to every bucket or to s3:* would not fix a trust problem and would violate least privilege.
- Option D is incorrect because S3 is not the entity assuming the role; the EC2 service is. Trusting s3.amazonaws.com grants nothing to the instance.
Key Point: Always ensure IAM roles have a trust policy allowing the correct service principal (e.g., ec2.amazonaws.com) to assume them; the permissions policy alone is not enough.
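The following is an added example, not part of the original question or of any AWS documentation. It shows what a trust policy that EC2 cannot use looks like next to the one Option C calls for, and a small checker that decides whether a given trust policy lets ec2.amazonaws.com assume the role. The policy documents and the account ID 123456789012 are constructed for illustration; `repair_trust_policy` is a hypothetical helper that uses real boto3 calls (`get_role`, `update_assume_role_policy`) and needs credentials with IAM write access, so it is only invoked from the guarded main block.

```python
"""Check and repair an IAM role's trust policy so that EC2 can assume it.

Added example for the question above; the policy documents are constructed
and the role name used at the bottom is a placeholder assumption.
"""
import json

EC2_SERVICE_PRINCIPAL = "ec2.amazonaws.com"
# IAM action names are case-insensitive; compare in lower case.
ASSUME_ROLE_ACTIONS = {"sts:assumerole", "sts:*", "*"}

# Constructed: a trust policy that only trusts the account itself. The role's
# permissions policy may be perfect, but an EC2 instance can never use it.
BROKEN_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# The trust policy Option C describes: the EC2 service principal may assume the role.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowEC2ToAssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": EC2_SERVICE_PRINCIPAL},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_targets_ec2(stmt):
    """True if the statement names the EC2 service principal (or a wildcard
    principal) together with an action that covers sts:AssumeRole."""
    principal = stmt.get("Principal", {})
    if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
        services = [EC2_SERVICE_PRINCIPAL]
    elif isinstance(principal, dict):
        services = _as_list(principal.get("Service"))
    else:
        services = []
    actions = {a.lower() for a in _as_list(stmt.get("Action"))}
    return EC2_SERVICE_PRINCIPAL in services and bool(actions & ASSUME_ROLE_ACTIONS)


def ec2_can_assume(trust_policy):
    """Return True if some Allow statement lets EC2 call sts:AssumeRole and
    no explicit Deny statement blocks it (explicit Deny always wins in IAM)."""
    allowed = False
    for stmt in _as_list(trust_policy.get("Statement")):
        if not _statement_targets_ec2(stmt):
            continue
        effect = stmt.get("Effect")
        if effect == "Deny":
            return False
        if effect == "Allow":
            allowed = True
    return allowed


def repair_trust_policy(role_name, trust_policy=EC2_TRUST_POLICY):
    """Hypothetical helper: replace the role's trust policy if EC2 cannot assume it.
    Returns True when an update was made. Requires boto3 and IAM credentials."""
    import boto3  # imported here so the offline checks above run without it

    iam = boto3.client("iam")
    current = iam.get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]
    if ec2_can_assume(current):
        return False
    iam.update_assume_role_policy(RoleName=role_name, PolicyDocument=json.dumps(trust_policy))
    return True


if __name__ == "__main__":
    for name, doc in (("broken", BROKEN_TRUST_POLICY), ("fixed", EC2_TRUST_POLICY)):
        print(f"{name}: EC2 can assume role = {ec2_can_assume(doc)}")
    # Placeholder role name; uncomment to apply the fix against a real account.
    # print("updated:", repair_trust_policy("project-data-reader"))
```

From the CLI the same inspection is `aws iam get-role --role-name <role> --query Role.AssumeRolePolicyDocument`, and the fix is `aws iam update-assume-role-policy --role-name <role> --policy-document file://trust.json` with the EC2_TRUST_POLICY document saved as trust.json. Note that the checker only evaluates the trust policy; an Access Denied can still come from elsewhere (a bucket policy or an SCP, for example), so confirm the instance actually receives credentials for the role before widening any permissions.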
Answer
The correct answer is: C