AWS Certified Solutions Architect - Associate / Question #1036 of 1019

Question #1036

A company is deploying a new analytics application. The application runs on three Amazon EC2 instances and uses an Amazon DynamoDB table for data storage. A solutions architect must ensure that the EC2 instances can access the DynamoDB table.

What should the solutions architect do to meet this requirement?

A

Create an IAM role that grants access to the DynamoDB table. Attach the role to the EC2 instances.

B

Create an IAM policy that grants access to the DynamoDB table. Attach the policy to the EC2 instances.

C

Create an IAM group that grants access to the DynamoDB table. Attach the group to the EC2 instances.

D

Create an IAM user that grants access to the DynamoDB table. Attach the user account to the EC2 instances.

Explanation

Answer A is correct because IAM roles are designed to grant permissions to AWS services like EC2. By creating a role with DynamoDB access and attaching it to the EC2 instances, the instances inherit temporary security credentials, ensuring secure and scalable access without hardcoding keys.

Why other options are incorrect:
- B: IAM policies cannot be directly attached to EC2 instances; they must be attached to roles, users, or groups.
- C: IAM groups are for organizing users, not for granting permissions to EC2 instances.
- D: Using IAM users with static credentials on EC2 is insecure and against AWS best practices.

Key Points:
1. Always use IAM roles for EC2 instances to enable secure, temporary credentials.
2. Policies define permissions but require attachment to roles/users/groups.
3. DynamoDB access requires explicit IAM permissions via roles for EC2 instances.

Answer

The correct answer is: A