Using an AWS CloudFormation template, a solutions architect deploys a three-tier web application. The web and application tiers run on EC2 instances, and the database tier is not publicly accessible. The application instances need to access Amazon DynamoDB without exposing API credentials in the template. What should the architect do?
Choose an answer
Tap an option to check your answer.
Correct answer: Create an IAM role that has the required permissions to read and write from the DynamoDB tables. Add the role to the EC2 instance profile, and associate the instance profile with the application instances..
Why this is the answer
The correct approach is to use an IAM role associated with an instance profile. This is the most secure and recommended method for granting permissions to EC2 instances. By attaching an IAM role to the EC2 instances, applications running on those instances can automatically assume the permissions defined in the role without needing to store or manage AWS credentials directly on the instances or in the CloudFormation template. This eliminates the risk of exposing sensitive API credentials. The other options are less secure or not recommended: The first incorrect option is too restrictive; the application likely needs both read and write access, not just read. Using parameters for access and secret keys or creating an IAM user and passing keys via user data are insecure practices. Storing credentials directly in templates or passing them through user data exposes them to potential compromise and violates the principle of least privilege.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed