An application running on Amazon EC2 processes files that are stored in an Amazon S3 bucket.
What is the BEST way to provide the application with access to the S3 bucket?
Correct Answer: D.
The AWS documentation says the following:
Applications that run on an EC2 instance must include AWS credentials in their AWS API requests.
You could have your developers store AWS credentials directly within the EC2 instance and allow applications in that instance to use those credentials.
But developers would then have to manage the credentials and ensure that they securely pass the credentials to each instance and update each EC2 instance when it's time to rotate the credentials.
That's a lot of additional work.
Instead, you can and should use an IAM role to manage temporary credentials for applications that run on an EC2 instance.
When you use a role, you don't have to distribute long-term credentials (such as a user name and password or access keys) to an EC2 instance.
Instead, the role supplies temporary permissions that applications can use when making calls to other AWS resources.
When you launch an EC2 instance, you specify an IAM role to associate with the instance.
Applications that run on the instance can then use the role-supplied temporary credentials to sign API requests.
Options A and B are incorrect because both rely on long-term access keys, which would have to be distributed to the instance, stored there, and rotated by hand; a key that leaks from the instance or the code stays valid until someone notices and revokes it.
Option C is incorrect because static website hosting only serves the bucket's objects over HTTP to anonymous visitors; it does not give the application any access to the bucket.
For more information on IAM roles, please visit the URL below:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html
The best way to provide an application running on Amazon EC2 with access to an Amazon S3 bucket is to create an IAM role with the necessary permissions and attach it to the EC2 instance. This is option D.
Option A is not a good choice because creating a new account with permissions on the S3 bucket and handing its access key ID and secret access key to the application developer means long-term credentials end up embedded in the application code or its configuration. Anyone who can read the code, the repository, or the instance's disk can extract them and use them from anywhere.
Option B is also not a good choice because creating an access key for the root user is explicitly discouraged by AWS. The root user has unrestricted access to every resource in the account, so a leaked root access key compromises the entire account rather than a single bucket.
Option C is not a good choice because setting the bucket's "Static website hosting" property to "use this bucket to host a website" is not relevant to the scenario. That setting is for serving a static website from S3, and it does not grant the application any access to the bucket.
Therefore, creating an IAM role with the necessary permissions and attaching it to the EC2 instance running the application is the best option. An IAM role is an AWS identity in your account that carries a set of permissions; its trust policy states that the EC2 service may assume it. When the role is attached to the instance (through an instance profile), EC2 assumes the role on the instance's behalf and publishes short-lived credentials through the instance metadata service. The AWS SDKs and CLI pick these up automatically and refresh them before they expire, so the application can sign S3 requests without any credentials embedded in its code or configuration. Scope the role's permissions policy to the one bucket the application needs rather than granting s3:* on all resources.
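The following is an added example, not code from the original page or from AWS. It shows the two policy documents behind option D (the trust policy that lets the EC2 service assume the role, and a permissions policy scoped to one bucket), a small linter that flags the over-broad grants a reviewer would reject, and a parser for the temporary-credential document the role exposes to the instance through the metadata service. The bucket name, role name, refresh margin, and the sample credential document are all assumptions constructed for the example.

```python
# Added example (not from the original page): the policy documents behind
# option D, a linter for over-broad grants, and a parser for the temporary
# credentials the EC2 role hands to the instance. Names are placeholders.
import json
from datetime import datetime, timezone

BUCKET_NAME = "example-app-files"     # assumed bucket name
ROLE_NAME = "AppFileProcessorRole"    # assumed role name
REFRESH_AHEAD_SECONDS = 900           # assumed margin; SDKs refresh before expiry


def ec2_trust_policy() -> dict:
    """Trust policy: only the EC2 service may assume this role on an instance's behalf."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def s3_bucket_access_policy(bucket: str) -> dict:
    """Permissions policy scoped to one bucket: list it, and read/write its objects.
    ListBucket is evaluated against the bucket ARN; object actions against bucket/*."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def _as_list(value) -> list:
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy: dict) -> list:
    """Return findings for Allow statements that grant wildcard actions or
    resources, or that let any principal assume the role. Empty list = clean."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action"))):
            findings.append(f"statement {i}: wildcard action")
        if any(r == "*" for r in _as_list(stmt.get("Resource"))):
            findings.append(f"statement {i}: wildcard resource")
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: any principal may assume the role")
    return findings


def parse_role_credentials(imds_body: str, now: datetime) -> dict:
    """Parse the JSON returned by GET /latest/meta-data/iam/security-credentials/<role>
    (with IMDSv2, the request carries the token obtained from PUT /latest/api/token
    in the X-aws-ec2-metadata-token header). Reports time left and whether to refresh."""
    data = json.loads(imds_body)
    if data.get("Code") != "Success":
        raise ValueError(f"credential lookup failed: {data.get('Code')}")
    expires = datetime.strptime(data["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    remaining = int((expires - now).total_seconds())
    return {
        "access_key_id": data["AccessKeyId"],
        "secret_access_key": data["SecretAccessKey"],
        "session_token": data["Token"],   # must be sent with the key pair on every request
        "seconds_remaining": remaining,
        "needs_refresh": remaining < REFRESH_AHEAD_SECONDS,
    }


# Constructed sample of an IMDS credential document (all values are dummies).
SAMPLE_IMDS_BODY = json.dumps({
    "Code": "Success",
    "LastUpdated": "2024-05-01T10:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEKEYID",
    "SecretAccessKey": "examplesecretkey",
    "Token": "exampletoken",
    "Expiration": "2024-05-01T16:00:00Z",
})


if __name__ == "__main__":
    print(json.dumps(ec2_trust_policy(), indent=2))
    print(lint_policy(s3_bucket_access_policy(BUCKET_NAME)))
    creds = parse_role_credentials(SAMPLE_IMDS_BODY, datetime(2024, 5, 1, 15, 50, tzinfo=timezone.utc))
    print(creds["seconds_remaining"], creds["needs_refresh"])
```

In practice the application never calls the metadata endpoint itself: boto3, the Java SDK, and the CLI walk the default credential chain and find the instance role after environment variables and config files, so the code that uploads to S3 contains no credential handling at all. The linter is the check to run on the permissions policy before attaching it; an `s3:*` on `Resource: "*"` would let a compromised instance read every bucket in the account, which defeats the point of using a role.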
To create an IAM role, you need to follow these steps: