Answer-first summary for fast verification
Answer: Create an IAM role that has the required permissions to read and write from the DynamoDB tables. Add the role to the EC2 instance profile, and associate the instance profile with the application instances.
## Explanation **Correct Answer: B** **Why Option B is correct:** 1. **IAM Roles for EC2 Instances**: The best practice for granting EC2 instances access to AWS services is to use IAM roles attached to instance profiles. This eliminates the need to manage credentials in the application. 2. **Instance Profile Association**: When you create an EC2 instance, you can associate an instance profile that contains an IAM role. The EC2 instance automatically retrieves temporary security credentials from the instance metadata service. 3. **Secure Credential Management**: This approach ensures that API credentials are never exposed in the CloudFormation template, user data, or application code. 4. **Read and Write Permissions**: The question states the application needs to "store and retrieve user data" which requires both read and write permissions, not just read permissions as in option A. **Why Option A is incorrect:** - It only provides read permissions, but the application needs both read and write access to DynamoDB tables. **Why Option C is incorrect:** - Using access and secret keys in the CloudFormation template (even as parameters) exposes credentials and violates the requirement of not exposing API credentials. - IAM user credentials are long-term and need to be rotated, which is less secure than using temporary credentials from IAM roles. **Why Option D is incorrect:** - Creating an IAM user and passing credentials through user data exposes credentials in the template and user data. - The GetAtt function cannot retrieve IAM user access keys in CloudFormation. - This approach is insecure and violates AWS security best practices. **Key AWS Concepts:** - **IAM Roles**: Provide temporary security credentials to AWS services and applications running on EC2 instances. - **Instance Profiles**: Containers for IAM roles that can be associated with EC2 instances. - **AWS Security Best Practices**: Always use IAM roles instead of access keys for EC2 instances to access AWS services.
Author: LeetQuiz Editorial Team
Ultimate access to all questions.
No comments yet.
A solutions architect is using an AWS CloudFormation template to deploy a three-tier web application. The web application consists of a web tier and an application tier that stores and retrieves user data in Amazon DynamoDB tables. The web and application tiers are hosted on Amazon EC2 instances, and the database tier is not publicly accessible. The application EC2 instances need to access the DynamoDB tables without exposing API credentials in the template.
What should the solutions architect do to meet these requirements?
A
Create an IAM role to read the DynamoDB tables. Associate the role with the application instances by referencing an instance profile.
B
Create an IAM role that has the required permissions to read and write from the DynamoDB tables. Add the role to the EC2 instance profile, and associate the instance profile with the application instances.
C
Use the parameter section in the AWS CloudFormation template to have the user input access and secret keys from an already-created IAM user that has the required permissions to read and write from the DynamoDB tables.
D
Create an IAM user in the AWS CloudFormation template that has the required permissions to read and write from the DynamoDB tables. Use the GetAtt function to retrieve the access and secret keys, and pass them to the application instances through the user data.