Question #911
A developer is running an application on an Amazon EC2 instance. When the application attempts to write data to an Amazon DynamoDB table, the operation fails. The developer identifies that the IAM role attached to the EC2 instance does not have the required DynamoDB write permissions. The developer needs to grant the application the ability to write to the DynamoDB table with minimal downtime.
Which solution ensures the application can write to the DynamoDB table with the LEAST disruption?
Update the IAM role with the necessary permissions. Terminate the current EC2 instance and deploy a new instance with the updated role.
Add the DynamoDB write permission to the IAM role; the change will apply automatically without further action.
Modify the IAM role to include the permission. Hibernate the EC2 instance and restart it to apply the change.
Adjust the DynamoDB table's resource policy to allow access. Restart the EC2 instance to refresh permissions.
Explanation
Answer B is correct because IAM roles dynamically propagate permission changes to associated resources. When the IAM role is updated with DynamoDB write permissions, the EC2 instance automatically receives the updated credentials via the instance metadata service (which refreshes credentials periodically). No instance restart or termination is required, ensuring minimal disruption.
Incorrect Answers:
- A: Terminating the EC2 instance causes unnecessary downtime and operational overhead.
- C: Hibernating/restarting the EC2 instance is not required for IAM role updates to take effect.
- D: DynamoDB does not use resource-based policies; access is controlled via IAM roles. Restarting the EC2 instance is also unnecessary.
Key Points:
1. IAM role changes apply automatically to EC2 instances without restarting.
2. EC2 instances use temporary credentials refreshed every few hours.
3. DynamoDB permissions are managed via IAM policies, not resource policies.
Answer
The correct answer is: B