Temporary Access for AWS Resources on EC2 Instances | Cloud Practitioner Exam

Granting Temporary Access to AWS Resources on EC2 Instances

Question

To enable an application on an EC2 instance to perform some actions, the developer needs to grant the application access to a few AWS resources.

The developer plans to provide his credentials to the instance.

However, as the developer's credentials are long-term, the developer is looking for an alternative to reduce the security risk. What can the developer do in this scenario to enable applications on EC2 to get access to the required AWS resources temporarily?

Answers

A. B. C. D.

Answer: A.

IAM roles facilitate access delegation to services/users that in general do not have access to AWS resources of your organization.

IAM users and/or AWS services can assume the role to obtain temporary security credentials.

These credentials can then be used to perform the required actions.

An IAM group is a way to grant, revoke, and manage permissions for a collection of IAM users.

IAM tags add custom attributes to IAM users or roles.

IAM tags use key-value pairs.

Option A is CORRECT as the IAM role can enable applications on EC2 to get access to the required AWS resources temporarily.

Option B is INCORRECT because the IAM group is a collection of IAM Users and helps in access management.

Option C is INCORRECT because IAM tags are simply “labels” that add custom attributes to the users/roles.

Option D is INCORRECT because we can use IAM Roles in the scenario.

Reference:

https://aws.amazon.com/iam/features/manage-roles/

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html

The correct answer to this question is A. Use "IAM Roles."

AWS Identity and Access Management (IAM) is a service that enables you to control access to AWS resources. IAM provides a variety of features, such as users, groups, roles, and policies, that allow you to manage permissions to AWS resources.

IAM roles are a secure way to grant permissions to entities that you trust. A role supplies temporary credentials that AWS generates dynamically, and these allow an EC2 instance to access AWS services and resources without the need for long-term security credentials, such as access keys. IAM roles are assigned to an instance when it's launched, and the permissions associated with the role can be modified over time, without the need for manual updates to the instance.

When a developer creates an IAM role, they can specify the permissions that the role will have, and then associate the role with the EC2 instance. The developer can then provide the application on the EC2 instance with the temporary security credentials that are associated with the role, allowing the application to perform the necessary actions on the AWS resources.
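The difference between the two kinds of credentials is visible in the credentials themselves. The following is an added example, not part of the original page: a small Python audit that tells role-issued temporary credentials from long-term access keys and flags the long-term ones. The sample documents and the `classify` and `audit` helpers are constructed for illustration; the field names follow the JSON document the EC2 instance metadata service returns for an attached role.

```python
from datetime import datetime, timezone

# Constructed samples. ROLE_DOC mirrors the JSON fields that the instance
# metadata service returns for a role attached to an instance; all values are fake.
ROLE_DOC = {
    "Code": "Success",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
    "SecretAccessKey": "constructed-secret",
    "Token": "constructed-session-token",
    "Expiration": "2030-01-01T12:00:00Z",
}
# A long-term IAM user key: no session token and no expiry.
USER_KEY = {"AccessKeyId": "AKIAEXAMPLEEXAMPLE00", "SecretAccessKey": "constructed-secret"}

def classify(doc, now):
    """Return (kind, seconds_left) for a credential set."""
    key_id = doc.get("AccessKeyId", "")
    token, expiration = doc.get("Token"), doc.get("Expiration")
    # Temporary STS keys start with ASIA and only work together with a session token.
    if key_id.startswith("ASIA") and token and expiration:
        expires = datetime.strptime(expiration, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return "temporary", max(int((expires - now).total_seconds()), 0)
    # Long-term IAM user keys start with AKIA and stay valid until rotated or deleted.
    if key_id.startswith("AKIA"):
        return "long-term", None
    return "unknown", None

def audit(named_docs, now):
    """List findings for credentials that an instance should not rely on."""
    findings = []
    for name, doc in named_docs.items():
        kind, left = classify(doc, now)
        if kind == "long-term":
            findings.append(f"{name}: long-term key, replace with an IAM role")
        elif kind == "temporary" and left == 0:
            findings.append(f"{name}: temporary credentials expired, refresh required")
        elif kind == "unknown":
            findings.append(f"{name}: unrecognized credential format")
    return findings

if __name__ == "__main__":
    now = datetime(2030, 1, 1, 11, 0, 0, tzinfo=timezone.utc)
    print(classify(ROLE_DOC, now))
    print(audit({"role": ROLE_DOC, "env-file": USER_KEY}, now))
```

AWS SDKs running on the instance fetch and refresh the role's credentials on their own, so a check like this is mainly useful for finding long-term keys left in configuration files or environment variables.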

Using IAM roles provides several benefits:

  1. Improved security - IAM roles reduce the risk of security breaches by eliminating the need to store long-term security credentials, such as access keys, on the instance.

  2. Simplified management - IAM roles simplify the management of permissions by allowing you to modify permissions associated with a role instead of manually updating permissions on each instance.

  3. Reduced human error - IAM roles reduce the risk of human error by automating the process of granting and revoking permissions.

In conclusion, the best way for the developer to enable applications on EC2 to get access to the required AWS resources temporarily is to use IAM roles. IAM roles provide temporary credentials that are associated with a set of permissions, and they eliminate the need for long-term security credentials. This improves security, simplifies management, and reduces the risk of human error.