AWS Certified SysOps Administrator - Associate Exam: Secure Setup of EC2 Instance for DynamoDB Access

Secure EC2 Instance Setup for DynamoDB Access

Question

You're planning to allow an Administrator to set up an EC2 Instance.

The EC2 Instance will host an application that would need access to a DynamoDB table.

Which of the following policy permissions is required to ensure that this implementation can be carried out securely? Choose 2 answers from the options given below.

Explanations

Answer - A and D.

This is mentioned in the AWS Documentation.

Options B and C are incorrect: the trust policy is what lets an AWS service assume a role, and the IAM permission policy is what lets the user pass a role.

For more information on IAM roles and PassRole, please refer to the URL below:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html
* A trust policy for the role that allows the service to assume the role. For example, you could attach the following trust policy to the role with the UpdateAssumeRolePolicy action. This trust policy allows Amazon EC2 to use the role and the permissions attached to the role.

  {
    "Version": "2012-10-17",
    "Statement": {
      "Sid": "TrustPolicyStatementThatAllowsEC2ServiceToAssumeTheAttachedRole",
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  }

* An IAM permissions policy attached to the IAM user that allows the user to pass only those roles that are approved. iam:PassRole usually is accompanied by iam:GetRole so that the user can get the details of the role to be passed. In this example, the user can pass only roles that exist in the specified account with names that begin with EC2-roles-for-XYZ-:

  {
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::<account-id>:role/EC2-roles-for-XYZ-*"
    }]
  }

To allow an Administrator to set up an EC2 instance that hosts an application that needs access to a DynamoDB table, the following two policies need to be created:

  1. A trust policy that allows the EC2 instance to assume a role: This policy ensures that the EC2 instance can assume a role that has access to the DynamoDB table. When the EC2 instance assumes the role, it can then access the DynamoDB table using the permissions assigned to the role.

  2. An IAM permission policy that allows the role to access the DynamoDB table: This policy grants the role the necessary permissions to access the DynamoDB table. The permissions must be scoped to only allow the actions required by the application and not more.
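As an added example (not code from the AWS documentation or from this exam page), the Python below builds the three policies this scenario needs and adds the two checks a reviewer would want: whether a PassRole grant is scoped to the approved role prefix rather than to every role, and whether a given role ARN would be passable under it. The account id, table ARN and DynamoDB action list are constructed sample values, and the wildcard matching is a simplification of IAM's evaluation (Deny statements are ignored).

```python
import fnmatch

# Trust policy: lets the EC2 service assume the role attached to the instance.
def ec2_trust_policy():
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowEC2ServiceToAssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }

# Permission policy for the administrator: pass only roles under an approved prefix.
def scoped_passrole_policy(account_id, role_prefix="EC2-roles-for-XYZ-"):
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["iam:GetRole", "iam:PassRole"],
            "Resource": f"arn:aws:iam::{account_id}:role/{role_prefix}*",
        }],
    }

# Permission policy for the role: only the DynamoDB actions the app needs, on one table.
def dynamodb_role_policy(table_arn, actions=("dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query")):
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": list(actions), "Resource": table_arn}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _passrole_statements(policy):
    # IAM action names are case-insensitive and may be wildcarded ("iam:*", "iam:Pass*").
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") == "Allow" and any(
                fnmatch.fnmatchcase("iam:passrole", a.lower()) for a in _as_list(stmt.get("Action", []))):
            yield stmt

# Check: would this policy let the user pass the given role ARN?
# Simplified matcher: IAM's '*' and '?' wildcards are treated like fnmatch patterns.
def can_pass_role(policy, role_arn):
    return any(fnmatch.fnmatchcase(role_arn, r)
               for stmt in _passrole_statements(policy) for r in _as_list(stmt["Resource"]))

# Check: flag PassRole grants whose Resource is unscoped ("*" or every role in the account).
def unscoped_passrole_resources(policy):
    return [r for stmt in _passrole_statements(policy) for r in _as_list(stmt["Resource"])
            if r == "*" or r.endswith(":role/*")]
```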

Now, let's examine the answer options:

A. A trust policy that allows the EC2 instance to assume a role. This is correct. The trust policy must allow the EC2 instance to assume a role with access to the DynamoDB table.

B. A trust policy that allows the user to assume a role. This is not relevant to the scenario as an EC2 instance is being used, not a user.

C. An IAM permission policy that allows the user to assume a role. This is not relevant to the scenario as an EC2 instance is being used, not a user.

D. An IAM permission policy that allows the user to pass a role. This is not relevant to the scenario as the EC2 instance will be assuming the role, not a user.

Therefore, the correct answers are A. A trust policy that allows the EC2 instance to assume a role and D. An IAM permission policy that allows the role to access the DynamoDB table.