Question #1036
A company is deploying a new analytics application. The application runs on three Amazon EC2 instances and uses an Amazon DynamoDB table for data storage. A solutions architect must ensure that the EC2 instances can access the DynamoDB table.
What should the solutions architect do to meet this requirement?
Create an IAM role that grants access to the DynamoDB table. Attach the role to the EC2 instances.
Create an IAM policy that grants access to the DynamoDB table. Attach the policy to the EC2 instances.
Create an IAM group that grants access to the DynamoDB table. Attach the group to the EC2 instances.
Create an IAM user that grants access to the DynamoDB table. Attach the user account to the EC2 instances.
Explanation
Answer A is correct because IAM roles are designed to grant permissions to AWS services like EC2. By creating a role with DynamoDB access and attaching it to the EC2 instances, the instances inherit temporary security credentials, ensuring secure and scalable access without hardcoding keys.
Why other options are incorrect:
- B: IAM policies cannot be directly attached to EC2 instances; they must be attached to roles, users, or groups.
- C: IAM groups are for organizing users, not for granting permissions to EC2 instances.
- D: Using IAM users with static credentials on EC2 is insecure and against AWS best practices.
Key Points:
1. Always use IAM roles for EC2 instances to enable secure, temporary credentials.
2. Policies define permissions but require attachment to roles/users/groups.
3. DynamoDB access requires explicit IAM permissions via roles for EC2 instances.
Answer
The correct answer is: A