Question #795
A developer is building an application deployed on an Amazon EC2 instance that needs to write data to an Amazon DynamoDB table securely. What should the developer do to meet these requirements in the MOST secure way?
Create an IAM user with permissions to write to DynamoDB. Store the user's access key in the application's environment variables.
Create an IAM role with DynamoDB write permissions. Generate an access key for the role and store it in environment variables.
Create an IAM role with permissions to access the necessary DynamoDB API calls. Attach the role to the EC2 instance.
Configure the DynamoDB table's resource policy to allow access from the EC2 instance's ID.
Explanation
Option C is correct because IAM roles provide temporary security credentials dynamically to the EC2 instance, avoiding the risks of hardcoding long-term access keys (as in Option A). Roles are more secure than IAM users for EC2 applications because credentials automatically rotate. Option B is invalid because IAM roles do not use static access keys; they generate temporary tokens. Option D is incorrect because DynamoDB does not support resource-based policies tied to EC2 instance IDs—access is controlled via IAM policies. Key points: Use IAM roles for EC2 instances to grant permissions securely; avoid storing access keys; DynamoDB relies on IAM policies, not resource policies.
Answer
The correct answer is: C