How should the application use AWS credentials to access the S3 bucket securely?

You have an application running on an EC2 instance which will allow users to download files from a private S3
bucket using a pre-signed URL. Before generating the URL, the application should verify the existence of the
file in S3.
How should the application use AWS credentials to access the S3 bucket securely?


A.
Use the AWS account access keys; the application retrieves the credentials from the source code of the
application.

B.
Create an IAM user for the application with permissions that allow list access to the S3 bucket, launch the
instance as the IAM user, and retrieve the IAM user’s credentials from the EC2 instance user data.

C.
Create an IAM role for EC2 that allows list access to objects in the S3 bucket. Launch the instance with the
role, and retrieve the role’s credentials from the EC2 instance metadata.

D.
Create an IAM user for the application with permissions that allow list access to the S3 bucket. The
application retrieves the IAM user credentials from a temporary directory with permissions that allow read
access only to the application user.
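
The approach in option C, sketched as an added example that is not part of the original page: the application holds no keys of its own, checks that the object exists, and only then signs a URL. It assumes boto3 is installed; the bucket name, key names and the `FakeS3` stand-in are constructed for illustration.

```python
def make_s3_client():
    # Assumption: boto3 is installed. No access keys are passed or stored: on an
    # instance launched with an IAM role, the SDK fetches short-lived role
    # credentials from the instance metadata service and refreshes them.
    import boto3
    return boto3.client("s3")


def presign_if_exists(s3, bucket, key, ttl=300):
    """Return a pre-signed GET URL if the object exists, otherwise None."""
    try:
        s3.head_object(Bucket=bucket, Key=key)  # existence check, no download
    except Exception as exc:  # botocore raises ClientError carrying .response
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "404":
            return None  # object is absent
        # Anything else (e.g. 403: S3 hides missing keys from a role without
        # s3:ListBucket) is a permissions or service fault, not "file missing".
        raise
    # The URL stops working after ttl seconds or when the role's temporary
    # credentials expire, whichever comes first.
    return s3.generate_presigned_url(
        "get_object", Params={"Bucket": bucket, "Key": key}, ExpiresIn=ttl)


class FakeS3:
    """Constructed stand-in for the boto3 client so the example runs offline."""
    def __init__(self, keys, can_list=True):
        self.keys, self.can_list = set(keys), can_list

    def head_object(self, Bucket, Key):
        if Key not in self.keys:
            err = Exception("HeadObject failed")
            err.response = {"Error": {"Code": "404" if self.can_list else "403"}}
            raise err

    def generate_presigned_url(self, op, Params, ExpiresIn):
        return (f"https://{Params['Bucket']}.s3.amazonaws.com/"
                f"{Params['Key']}?X-Amz-Expires={ExpiresIn}")


if __name__ == "__main__":
    demo = FakeS3({"reports/q1.pdf"})
    print(presign_if_exists(demo, "example-bucket", "reports/q1.pdf"))
    print(presign_if_exists(demo, "example-bucket", "missing.pdf"))
```

On a real instance, pass `make_s3_client()` instead of `FakeS3`. The role needs `s3:GetObject` for the HEAD request and the signed download, and `s3:ListBucket` so that a missing key comes back as 404 rather than 403.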





Chef

You need a role for this! C.

Srinivasu Muchcherla

Answer : C
“EC2 Instance metadata”

Mouhammad Yousuf

I assume that using a user is also possible, while using a role is quite wider in terms of giving you the capability to associate the role with any other user in the future, which will grant the same access level to the bucket. However, two magical words here are “Private bucket with preassigned URL” and “allow users with S in the end”, so B and C are possible solutions. Which one of them would be the most correct answer? I think it would be role, and that is C.

Allen

Initially, I thought the answer should be C. However, how can you “Launch the instance with the role”? B is the possible solution as long as the IAM user credential could be set in user data.

Ashok

C is right because a role-based instance can access the S3 bucket easily with security.

Quang

C

When creating instances, there is an option to choose IAM role