When an application on an EC2 instance needs to access Amazon S3, which is the MOST recommended way to grant permissions securely with temporary credentials without embedding access keys in the code?

Correct answer: B

Explanation

A question asking the recommended way to grant permissions to an EC2 app securely.

  • 1. "without embedding access keys in the code": Avoid hard-coding long-term keys
  • 2. "temporary credentials": Credentials that are automatically obtained and rotated = IAM role
  • 3. "grant permissions securely": Granting permissions with reduced leakage risk

A: Incorrect

Write the root user's access key in the code.

The root user has the most powerful privileges in the account, and embedding its credentials in code is extremely dangerous.

The damage if leaked is enormous, and it is the opposite of a recommended method, so it is incorrect.

B: Correct

Assign an IAM role to the EC2 instance.

This is correct. When an IAM role is assigned to EC2, the app automatically obtains temporary credentials to access S3. There is no need to embed access keys in the code, and the credentials are rotated automatically, which is secure. This is the best practice.

C: Incorrect

Hard-code an IAM user's access key in the code.

Even an IAM user's access key, when written directly in code, has a high risk of leakage and is troublesome to rotate.

It does not meet the requirement to safely use temporary credentials, so it is incorrect.

D: Incorrect

Allow access with a security group.

A security group is a firewall that controls traffic (ports and IPs), not a mechanism that grants permissions (authentication/authorization) to AWS services.

It cannot be used to grant permissions to S3, so it is incorrect.

Key Takeaway

"Access AWS services from EC2," "do not embed keys," and "temporary credentials" point to the standard answer: an IAM role. Hard-coding the root key or access keys is forbidden. A security group controls traffic; it does not grant permissions.