Which of the following items are required to allow an application deployed on an EC2 instance to write data to a DynamoDB table? Assume that no security keys are allowed to be stored on the EC2 instance. (Choose 2 answers)
A. Create an IAM Role that allows write access to the DynamoDB table.
B. Add an IAM Role to a running EC2 instance.
C. Create an IAM User that allows write access to the DynamoDB table.
D. Add an IAM User to a running EC2 instance.
E. Launch an EC2 Instance with the IAM Role included in the launch configuration.
Explanation:
http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/TicTacToe.Phase3.html
A and E are correct.
Why E and not B:
Can I change the IAM role on a running EC2 instance?
No. At this time, you cannot change the IAM role on a running EC2 instance. You can change the permissions on the IAM role associated with a running instance, and the updated permissions take effect almost immediately
Source: https://aws.amazon.com/iam/faqs/
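What options A and E look like in practice, as an added example that is not part of the original question or any of the comments: the role's trust policy (only the EC2 service may assume it), a permissions policy limited to write actions on one table, a least-privilege check over the policy, and a scan for long-lived access keys that should not be on the instance at all. The account id, region, table name and role name are assumptions made for this example.

```python
"""Added example, not part of the original question or any commenter's post.

Options A and E in practice: an IAM role with a trust policy for EC2, a
permissions policy limited to writes on one DynamoDB table, and a check that
no long-lived key was left on the instance.  Account id, region, table and
role names are assumptions made for this example.
"""
import json
import re

# Assumed identifiers for the example.
ACCOUNT_ID = "123456789012"
TABLE_ARN = f"arn:aws:dynamodb:us-east-1:{ACCOUNT_ID}:table/GameTable"
ROLE_NAME = "Ec2DynamoWriter"

# The minimum needed to write items; read actions such as GetItem/Query are
# deliberately absent.
DYNAMODB_WRITE_ACTIONS = ("dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:BatchWriteItem")


def trust_policy() -> dict:
    """Role trust policy: only the EC2 service may assume the role.  The
    instance profile then supplies temporary credentials through the instance
    metadata service, so no access key is ever written to the instance."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def write_policy(table_arn: str) -> dict:
    """Permissions policy: write-only access to exactly one table."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(DYNAMODB_WRITE_ACTIONS),
            "Resource": table_arn,
        }],
    }


def _as_list(value) -> list:
    # IAM accepts a single string or a list for Action/Resource.
    return [value] if isinstance(value, str) else list(value or [])


def check_least_privilege(policy: dict, table_arn: str) -> list[str]:
    """Return findings for Allow statements wider than the task needs: wildcard
    actions (dynamodb:*, *), actions outside the write set, wildcard resources
    and resources other than the target table.  Empty list = acceptably scoped."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action not in DYNAMODB_WRITE_ACTIONS:
                findings.append(f"statement {i}: {action!r} is not needed to write")
        for resource in _as_list(stmt.get("Resource")):
            if "*" in resource:
                findings.append(f"statement {i}: wildcard resource {resource!r}")
            elif resource != table_arn:
                findings.append(f"statement {i}: {resource!r} is not the target table")
    return findings


# Long-term IAM user keys (what option C would leave on disk) begin with AKIA;
# temporary credentials issued through the role begin with ASIA and expire,
# so only AKIA ids are flagged.
_LONG_TERM_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def find_static_credentials(text: str) -> list[str]:
    """Return long-term access key ids found in a config file or log dump."""
    return _LONG_TERM_KEY.findall(text)


# Constructed sample of a ~/.aws/credentials file that violates the
# "no security keys on the instance" requirement.  The AKIA id and secret
# are AWS's documentation examples; the ASIA id is made up for this sample.
SAMPLE_CREDENTIALS_FILE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[role-session]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
"""

if __name__ == "__main__":
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(write_policy(TABLE_ARN), indent=2))
    print("findings:", check_least_privilege(write_policy(TABLE_ARN), TABLE_ARN))
    print("static keys on instance:", find_static_credentials(SAMPLE_CREDENTIALS_FILE))
```

The two JSON documents are what you would hand to `aws iam create-role` (trust policy) and `aws iam put-role-policy` (permissions policy); the role then goes into an instance profile that is passed at launch with `--iam-instance-profile` (option E) or, per the February 2017 announcement linked in the comments below, attached to a running instance with `aws ec2 associate-iam-instance-profile`. Running `find_static_credentials` over the instance's home directories and environment dumps is the cheap way to confirm the "no keys stored" constraint actually holds.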
A and E.
AE
A: best practice is to create an IAM role instead of configuring the running instance with an access key, secret key and profile (aws configure --profile).
E: you must attach the role when you launch the instance; you can't do it with a running instance.
I have the same idea. AE
Why not C & E? Please suggest.
See the question: "Assume that no security keys are allowed to be stored on the EC2 instance."
C would require storing credentials on the EC2 machine.
This has changed; you can now attach an IAM Role to existing EC2 instances:
https://aws.amazon.com/about-aws/whats-new/2017/02/new-attach-an-iam-role-to-your-existing-amazon-ec2-instance/
Yes, A and E correct
However, A & B are correct now: "you can now attach an IAM Role to existing EC2 instances".