Question #775
A company requires that all applications on Amazon EC2 instances utilize IAM roles for accessing AWS services. A developer is refactoring an application that previously relied on IAM user access keys stored in a named profile within the ~/.aws/config file to interact with Amazon S3 using Boto3. The developer associated an IAM role with identical permissions to the EC2 instance, deleted the IAM user, and removed the default profile from the credentials file. After restarting the application, it began generating AccessDenied exceptions. The developer confirmed that they can execute S3 CLI commands on the instance using their personal AWS credentials.
What is the MOST probable cause of these exceptions?
A. IAM policies may require several minutes to propagate across all services.
B. The named profile in the config file still contains the outdated access keys.
C. Boto3 does not support instance role credentials when a config file is present.
D. The EC2 instance's security group restricts outbound traffic to S3 endpoints.
Explanation
The correct answer is B. The application is configured to use a named profile in the ~/.aws/config file, and that profile still holds the old IAM user's access keys. Deleting the IAM user and removing the default profile from the credentials file left the named profile's configuration untouched. By default, Boto3 takes credentials from the AWS configuration files when it finds them there, unless explicitly overridden, and only falls back to the instance role when none are found. Because the IAM user no longer exists, the access keys in the named profile are invalid, which leads to the AccessDenied exceptions. The CLI works for the developer because they are using a different profile or environment variables.
Why other options are incorrect:
- A: IAM policy propagation delays are unlikely to persist after application restart and CLI confirmation.
- C: Boto3 supports instance roles even with a config file; it falls back to instance metadata if credentials are not found.
- D: Security groups blocking S3 would affect CLI commands as well, which are working.
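To confirm this kind of leftover on an instance, the shared files can be audited for static keys under the profile the application requests. The following is an added example, not part of the original question; the function names and the profile name `s3app` are hypothetical, the sample files are constructed, and the key ID is the placeholder used in AWS documentation.

```python
import configparser
import os
import tempfile

KEY_OPTION = "aws_access_key_id"

def static_key_sources(profile, config_path, credentials_path):
    """List file sections holding static keys that are found before the instance role."""
    # The credentials file names sections after the profile; the config file
    # prefixes every profile except "default" with "profile ".
    config_section = profile if profile == "default" else f"profile {profile}"
    hits = []
    for path, section in ((credentials_path, profile), (config_path, config_section)):
        parser = configparser.RawConfigParser()
        parser.read(path)  # a missing file is simply skipped
        if parser.has_section(section) and parser.has_option(section, KEY_OPTION):
            hits.append((os.path.basename(path), section))
    return hits

def write_sample_files(directory):
    """Constructed sample: default profile removed, named profile keys left behind."""
    config_path = os.path.join(directory, "config")
    credentials_path = os.path.join(directory, "credentials")
    with open(config_path, "w") as fh:
        fh.write(
            "[profile s3app]\n"
            "region = us-east-1\n"
            "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
            "aws_secret_access_key = PLACEHOLDER-NOT-A-REAL-SECRET\n"
        )
    with open(credentials_path, "w") as fh:
        fh.write("")  # default profile already deleted
    return config_path, credentials_path

if __name__ == "__main__":
    # Only the shared files are checked here; environment variables are out of scope.
    with tempfile.TemporaryDirectory() as tmp:
        cfg, cred = write_sample_files(tmp)
        for name in ("s3app", "default"):
            hits = static_key_sources(name, cfg, cred)
            verdict = f"static keys in {hits}" if hits else "no static keys in the shared files"
            print(f"{name}: {verdict}")
```

Any hit for the profile the application uses means those keys are picked up instead of the instance role; removing the key lines (or the profile reference in the application) lets the role credentials take effect.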
Answer
The correct answer is: B