Accessing DynamoDB Tables in a Three-Tier Web Application

Answer - C.

The scenario requires the instance to have access to DynamoDB tables without having to use the API credentials.

In such scenarios, always think of creating IAM Roles rather than IAM Users.

Option A is incorrect because the IAM Role needs both the read and the write access to the DynamoDB table.

Option B is incorrect because (a) you should never expose the Access and Secret Keys while accessing the AWS resources, and (b) using IAM Role is the more secure way of accessing the resources than using IAM Users with security credentials.

Option C is CORRECT.

Instance profiles (with the correct roles) can be referenced in cloud formation templates.

These instance profiles are created manually with the correct roles associated with them and can be reused on multiple instances.

Pre-building instance profiles can provide standardization in naming across the entire infrastructure.

Option D is incorrect because (a) you should never expose the Access and Secret Keys while accessing the AWS resources, (b) using IAM Role is the more secure way of accessing the resources than using IAM Users with security credentials.

For more information on granting access to AWS resources via EC2 instance profile property, please visit the below URL-

https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/java-dg-roles.html

For more information on adding IAM roles in CloudFormation templates, please visit the below URL-

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html

The best way to allow the application instance access to the DynamoDB tables without exposing API credentials is by creating an IAM role that has the necessary permissions to read and write from the required DynamoDB table and then associating that role to the application instances by referencing an instance profile.

Option A: This is the recommended approach. Creating an IAM role with read-only permissions for the required DynamoDB table and associating the role to the application instances using an instance profile allows the application to access the table securely without exposing any API credentials.

Option B: Using the Parameter section to have the user input Access and Secret Keys from an already created IAM user that has the permissions required to read and write from the required DynamoDB table is not recommended. This approach exposes the API credentials to the user, which is a security risk.

Option C: Creating an IAM role with the required permissions to read and write from the required DynamoDB table and associating the role to the application instances by referencing an instance profile is the recommended approach.

Option D: Creating an Identity and Access Management (IAM) user in the CloudFormation template that has permissions to read and write from the required DynamoDB table, using the GetAtt function to retrieve the Access and secret keys, and passing them to the application instance through user-data is not recommended. This approach exposes the API credentials to the application instance, which is a security risk.

In conclusion, Option A is the best approach to allow the application instance access to the DynamoDB tables without exposing API credentials.