Question 14
Domain 2: Security and Compliance
When granting permissions to applications running on Amazon EC2 instances, which of the following is considered best practice?
Correct answer: C
Explanation
IAM roles are best practice because they “grant temporary security credentials for workloads that access your AWS resources.” The source also says to “Attach a role to an EC2 instance for access to S3” so applications “will not need credentials or access keys,” which follows least privilege and avoids long-term access keys.
Why each option is right or wrong
A. Generate new IAM access keys every time you delegate permissions.
B. Store the required AWS credentials directly within the application code.
C. Use temporary security credentials (IAM roles) instead of long-term access keys.
IAM roles are the AWS mechanism for granting temporary security credentials to workloads, and the IAM security guidance explicitly says to attach a role to an EC2 instance so applications can access S3 without credentials or access keys. That aligns with least privilege and avoids long-term access keys on the instance, which are persistent secrets and therefore a higher-risk choice for EC2-hosted applications.
D. Do nothing; applications that run on Amazon EC2 instances do not need permission to interact with other AWS services or resources.