Every AWS exam seems to hammer this scenario. You'd think by now AWS would make it even clearer that IAM roles on EC2 (C) are the way, but they keep giving you A and D to trip people up. Roles give you temporary creds so no hardcoding, and you only grant S3 access not admin. I think C fits best practices here, but wouldn't mind hearing if anyone's ever seen a valid use for B or D lately.
Q: 4
A company wants to migrate applications from its on-premises servers to AWS. As a first step, the
company is modifying and migrating a non-critical application to a single Amazon EC2 instance. The
application will store information in an Amazon S3 bucket. The company needs to follow security
best practices when deploying the application on AWS.
Which approach should the company take to allow the application to interact with Amazon S3?
Options
Discussion
C, but if this was a legacy workload needing static keys, D would flip to correct. Small details totally change it.
It's C. D tricks you into thinking it's okay, but AWS best practices say use roles for EC2 access, not static keys.
Maybe C. Using an IAM role with only the needed S3 permissions sticks to least privilege and avoids putting access keys in code. Admin access (A) works technically but isn't best practice, so that's why I think C is the way to go here. Open to other thoughts if I missed a scenario.
A is wrong, C. Pretty sure that's from the official guide and practice tests too.
A or C? If it's just about getting S3 access with minimal setup, A works too since admin is enough for all actions. But I think C is usually better practice because you avoid over-permission. Not sure the question strictly rules out A.
Option C makes sense since AWS IAM roles let the EC2 use S3 without any static credentials, which fits best practices. I think that's what they're after, but if the app was legacy maybe D would work. Anyone else see it differently?
Honestly, C is the way AWS wants you to do it. Attaching an IAM role with only S3 permissions to the EC2 instance keeps creds off the server and sticks with least privilege. D always tempts people but hardcoded keys are a trap for best practices. Pretty sure C wins for exam safety, but I'd hear arguments if someone has a real world edge case.
Gotta be C, that's standard AWS best practice for EC2-to-S3. IAM role with scoped permissions, no hardcoded keys at all.
Feels like C. Had something like this in a mock, and C is the only one using an IAM role with just the S3 permissions needed. Avoids hardcoding keys, lines up with AWS best practices for EC2 access. I think that's what they're looking for here but open if anyone sees it differently.
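An added example, not from the original thread, of what option C looks like on paper: the trust policy that lets only the EC2 service assume the role, a permissions policy scoped to a single bucket, and a small check that flags the wildcard grants an admin-style policy (option A) carries. The bucket and role names are hypothetical placeholders.

```python
import json

# Constructed placeholder values (assumptions, not from the exam question).
BUCKET = "example-app-data"
ROLE_NAME = "app-ec2-s3-role"

def ec2_trust_policy():
    """Trust policy: only the EC2 service may assume the role.
    The role is attached to the instance via an instance profile, so the
    SDK obtains short-lived credentials from instance metadata and no
    access key ever lives in code or config (the point of option C)."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "ec2.amazonaws.com"},
                           "Action": "sts:AssumeRole"}]}

def scoped_s3_policy(bucket):
    """Permissions policy limited to the one bucket the application uses."""
    return {"Version": "2012-10-17",
            "Statement": [
                {"Effect": "Allow", "Action": ["s3:ListBucket"],
                 "Resource": f"arn:aws:s3:::{bucket}"},
                {"Effect": "Allow",
                 "Action": ["s3:GetObject", "s3:PutObject"],
                 "Resource": f"arn:aws:s3:::{bucket}/*"}]}

# What option A amounts to: every action on every resource.
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow",
                               "Action": "*", "Resource": "*"}]}

def least_privilege_findings(policy):
    """Return findings for Allow statements that are broader than an
    S3-only, bucket-scoped grant: wildcard actions, wildcard resources,
    or actions outside the s3 namespace. An empty list means clean."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {a}")
            elif not a.startswith("s3:"):
                findings.append(f"statement {i}: non-S3 action {a}")
        for r in resources:
            if r == "*":
                findings.append(f"statement {i}: wildcard resource")
    return findings

if __name__ == "__main__":
    print(json.dumps(ec2_trust_policy(), indent=2))
    print(json.dumps(scoped_s3_policy(BUCKET), indent=2))
    print("scoped:", least_privilege_findings(scoped_s3_policy(BUCKET)))
    print("admin:", least_privilege_findings(ADMIN_POLICY))
```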