
Exam AWS Certified Developer Associate topic 1 question 356 discussion

Exam question from Amazon's AWS Certified Developer Associate
Question #: 356
Topic #: 1

A developer is working on an application that is deployed on an Amazon EC2 instance. The application needs to transfer a file to an Amazon S3 bucket.

What should the developer do to authenticate the application's access to the S3 bucket in the MOST secure way?

  • A. Create an access key for an IAM user. Store the access key in the application's environment variables.
  • B. Create an IAM role. Create an access key for the role. Store the access key in the application's environment variables.
  • C. Associate an IAM role with the EC2 instance. Use the instance metadata service to retrieve the credentials.
  • D. Configure a bucket policy for the S3 bucket. Allow access from the EC2 instance ID in the bucket policy.
Suggested Answer: D

Comments

a15ce96
1 year, 3 months ago
Selected Answer: D
The most logical approach is attaching the role to the EC2. Option C looks like this, but it states: "Use the instance metadata service to retrieve the credentials." How does metadata help to do it? Metadata is not responsible for this. Since there are no more logical options, the only one that remains is D.
upvoted 1 times
kyoharo
1 year, 7 months ago
Selected Answer: C
C. Associate an IAM role with the EC2 instance. Use the instance metadata service to retrieve the credentials.
upvoted 1 times
breadops
1 year, 10 months ago
Selected Answer: D
I have no idea why people think it's C. EC2 instance metadata cannot be used to provide access to S3, or any other service. A quick read on what the EC2 instance metadata service is will show you that; ignorance is bliss, I guess.
upvoted 1 times
Ankit1010
2 years, 4 months ago
C. The most secure way to authenticate an application's access to an S3 bucket from an EC2 instance is to associate an IAM role with the EC2 instance. The application running on the EC2 instance can then use the instance metadata service to retrieve the temporary security credentials that are associated with the role. This way, there is no need to create and store any long-term access keys or credentials in the application's environment variables. Therefore, option C is the correct answer.
upvoted 2 times
Ankit1010
2 years, 4 months ago
Option A is not a secure approach because access keys provide long-term access to AWS resources and storing them in the application's environment variables could expose them to unauthorized users. Option B is also not a secure approach because creating access keys for an IAM role defeats the purpose of using roles, which is to provide temporary security credentials that do not need to be managed or rotated. Option D is also not a secure approach because granting access based on the EC2 instance ID in a bucket policy can be circumvented by attackers who gain access to the instance or the credentials stored on it.
upvoted 1 times
mistral
2 years, 5 months ago
Selected Answer: C
C. Associate an IAM role with the EC2 instance. Use the instance metadata service to retrieve the credentials.
upvoted 2 times
mistral
2 years, 5 months ago
Using an IAM role associated with the EC2 instance (Option C) is the most secure way to authenticate the application's access to the S3 bucket, as compared to configuring a bucket policy (Option D). While a bucket policy allows access from the EC2 instance ID, it uses the instance ID as an identifier, which is not a secure way to manage access. Instead, it is better to use an IAM role, which is an AWS identity that has specific permissions and can be assumed by AWS services, such as EC2 instances, to access AWS resources. This approach provides a secure and flexible way to manage access to resources, without having to store credentials in the environment.
upvoted 1 times
mistral
2 years, 5 months ago
The instance metadata service is a feature of Amazon EC2 instances that provides information about the instance, such as the IAM role associated with it. The IAM role can be used to access AWS services and resources. When you associate an IAM role with an EC2 instance, the instance metadata service can be used to retrieve the temporary credentials for the role. These credentials can be used by the application running on the instance to access the S3 bucket. The temporary credentials are automatically rotated, providing an additional layer of security. By using the instance metadata service to retrieve the credentials, the application does not need to store the credentials in the environment or configuration files. This reduces the risk of the credentials being compromised or leaked. Instead, the application can simply make a request to the instance metadata service to retrieve the temporary credentials for the role, which are automatically managed and rotated by AWS.
upvoted 1 times
Tisja
2 years, 5 months ago
Although you can only access instance metadata and user data from within the instance itself, the data is not protected by authentication or cryptographic methods. Anyone who has direct access to the instance, and potentially any software running on the instance, can view its metadata. Therefore, you should not store sensitive data, such as passwords or long-lived encryption keys, as user data. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
upvoted 3 times
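As an added example, not from any commenter on this thread, here is the retrieval that option C describes, done the IMDSv2 way (session token first, then the role's credential document), with a constructed fake metadata endpoint so it runs off-instance; the role name, token and credential values are all made up. In practice the AWS SDK's default credential chain performs this lookup itself; the point of reading Expiration is that these credentials are rotated and must be refreshed, never cached in a file or environment variable.

```python
import json
import urllib.request
from datetime import datetime, timezone

IMDS = "http://169.254.169.254"  # link-local metadata endpoint, reachable only from the instance
CRED_PATH = "/latest/meta-data/iam/security-credentials/"

def http(method, url, headers=None, body=None, timeout=2):  # real transport; works on EC2 only
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()

def get_role_credentials(fetch=http):
    """IMDSv2: obtain a session token with PUT, then read the instance role's credentials."""
    token = fetch("PUT", IMDS + "/latest/api/token",
                  {"X-aws-ec2-metadata-token-ttl-seconds": "300"})
    hdr = {"X-aws-ec2-metadata-token": token}
    role = fetch("GET", IMDS + CRED_PATH, hdr).strip()          # name of the attached role
    creds = json.loads(fetch("GET", IMDS + CRED_PATH + role, hdr))
    if creds.get("Code") != "Success":
        raise RuntimeError("IMDS returned " + str(creds.get("Code")))
    return role, creds

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)  # IMDS uses UTC

def seconds_until_expiry(creds, now=None):
    """Temporary credentials expire; refresh before this reaches zero instead of caching them."""
    now = now or datetime.now(timezone.utc)
    return (parse_ts(creds["Expiration"]) - now).total_seconds()

# Constructed stand-in for IMDS so the flow runs off-instance; every value below is fake.
FAKE_CREDS = {"Code": "Success", "LastUpdated": "2024-05-01T11:30:00Z", "Type": "AWS-HMAC",
              "AccessKeyId": "ASIAFAKEEXAMPLE12345", "SecretAccessKey": "fake-secret",
              "Token": "fake-session-token", "Expiration": "2024-05-01T18:00:00Z"}

def fake_fetch(method, url, headers=None, body=None):
    if method == "PUT" and url.endswith("/latest/api/token"):
        return "FAKE-IMDSV2-TOKEN"
    if (headers or {}).get("X-aws-ec2-metadata-token") != "FAKE-IMDSV2-TOKEN":
        raise PermissionError("401: IMDSv2 token required")  # untokened (v1-style) reads are refused
    if url.endswith(CRED_PATH):
        return "app-s3-writer\n"  # hypothetical instance profile role name
    if url.endswith(CRED_PATH + "app-s3-writer"):
        return json.dumps(FAKE_CREDS)
    raise FileNotFoundError(url)

if __name__ == "__main__":
    role, creds = get_role_credentials(fake_fetch)
    print(role, creds["AccessKeyId"], seconds_until_expiry(creds, parse_ts("2024-05-01T12:00:00Z")))
```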
miensol
2 years, 5 months ago
Selected Answer: C
I'd say it's C. I don't even know if it's possible to define a bucket policy with an EC2 instance ID restriction.
upvoted 3 times
DrCloud
2 years, 7 months ago
Selected Answer: D
Ask: "MOST" secure way. Eliminate: A, B, C.
upvoted 4 times
k1kavi1
2 years, 7 months ago
Selected Answer: D
Agreed
upvoted 2 times