
Answer-first summary for fast verification
Answer: Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues.
Following the principle of least privilege, assigning an IAM role to an EC2 instance is the most secure method for granting permissions because it uses temporary credentials that AWS manages and rotates automatically. Option D correctly provisions an IAM role granting only the necessary actions (`sqs:SendMessage`, `sqs:ReceiveMessage`, `sqs:DeleteMessage`), unlike Option C, which over-provisions permissions by allowing `sqs:*`. Using long-term credentials (IAM user access keys), as options A and B do, introduces significant security risks.
Author: Ritesh Yadav
Question #22
An Amazon EC2 instance is running an application that uses Amazon Simple Queue Service (Amazon SQS) queues. A CloudOps engineer must ensure that the application can read, write, and delete messages from the SQS queues.
Which solution will meet these requirements in the MOST secure manner?
A
Create an IAM user with an IAM policy that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues. Embed the IAM user's credentials in the application's configuration.
B
Create an IAM user with an IAM policy that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues. Export the IAM user's access key and secret access key as environment variables on the EC2 instance.
C
Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows sqs:* permissions to the appropriate queues.
D
Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues.
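As an added example (not part of the original question page), the policy documents for options C and D are written out below and run through a small least-privilege check; the account id and queue name in the ARN are placeholders, and `audit_sqs_policy` is an assumed helper, not an AWS API.

```python
"""Least-privilege audit of the two role policies from the question.

Added example, not code from the original page: the policy documents below are
constructed to match options C and D, using a placeholder account id and queue
name; audit_sqs_policy() reports what a reviewer would reject.
"""
import fnmatch

# Trust policy letting EC2 assume the role; identical for options C and D.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:orders-queue"  # placeholder ARN
REQUIRED = {"sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage"}

OPTION_C_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sqs:*", "Resource": QUEUE_ARN}]}
OPTION_D_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(REQUIRED), "Resource": QUEUE_ARN}]}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_sqs_policy(policy, required=REQUIRED, queue_arns=(QUEUE_ARN,)):
    """Return sorted findings; an empty list means least privilege holds
    and every action the application needs is granted."""
    findings, granted = [], set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"wildcard action {action!r}")
            elif action not in required:
                findings.append(f"unneeded action {action!r}")
            # Record which required actions this pattern covers (sqs:* covers all).
            granted |= {a for a in required if fnmatch.fnmatchcase(a, action)}
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*" or res not in queue_arns:
                findings.append(f"resource not scoped to a known queue {res!r}")
    findings += [f"missing required action {a!r}" for a in required - granted]
    return sorted(findings)
```

Option D returns no findings, while option C is flagged for the `sqs:*` wildcard; a policy that grants too little is also reported, since least privilege means exactly the needed actions, not fewer.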