Question #944
A developer is creating a web application hosted on an Amazon EC2 instance that requires read/write access to an Amazon RDS database. The developer must follow security best practices to grant the application access to the RDS database.
Which solution meets these requirements?
Create an IAM policy with the required permissions. Attach the policy to an IAM role. Associate the role with the EC2 instance profile.
Embed the permissions inline in an IAM group. Attach the group directly to the EC2 instance profile.
Create an IAM policy with the required permissions. Attach the policy to an IAM user. Link the user to the EC2 instance profile.
Create an IAM policy with the required permissions. Use IAM SAML identity federation to grant the EC2 instance access to the RDS database.
Explanation
Answer A is correct because:
1. IAM Roles for EC2: Assigning an IAM role to an EC2 instance via an instance profile allows the application to securely access AWS services (like RDS) without embedding credentials. Roles provide temporary credentials, reducing exposure risks.
2. Policy Attachment: The IAM policy defines the required RDS permissions, and attaching it to the role ensures least-privilege access.
Other options are incorrect because:
- B: IAM groups cannot be attached to EC2 instance profiles; groups are for users.
- C: IAM users with long-term credentials are insecure for EC2; roles are preferred.
- D: SAML federation is unnecessary here; it's used for external identity providers, not EC2-to-RDS access.
Key Points: Always use IAM roles for EC2 instances to enable secure, temporary credentials. Avoid hard-coding access keys.
Answer
The correct answer is: A