Your team developed and deployed a java application on an EC2 Instance. To test the application, you were given access credentials through keys using environment variables. This gave you the permissions to write to an S3 bucket. Once the testing was confirmed, an IAM role was assigned to the instance. This role only has permissions to read, but you notice that the application still has access to write to the S3 bucket. What could be the reason?

Answer options:

A.You need to restart the instance for the role settings to take effect.
B.The environment variables which were set for SDK access are taking priority.
C.The CLI is corrupted, hence the credentials are not being revoked.
D.The EBS volume needs to be reattached again for the instance profile to take effect.

Answer – B
Below is an excerpt from the documentation on how the credentials are evaluated when it comes to access. So when using the CLI, if the environment variables were set with the Access Keys, they would take preference over the IAM Role.
To make requests to Amazon Web Services, you must supply AWS credentials to the AWS SDK for Java. You can do this in the following ways:
- Use the default credential provider chain (recommended).
- Use a specific credential provider or provider chain (or create your own).
- Supply the credentials yourself. These can be root account credentials, IAM credentials, or temporary credentials retrieved from AWS STS.
Using the Default Credential Provider Chain
When you initialize a new service client without supplying any arguments, the AWS SDK for Java attempts to find AWS credentials using the default credential provider chain implemented by the DefaultAWSCredentialsProviderChain class. The default credential provider chain looks for credentials in this order.
Environment variables-
AWS_ACCESS_KEY_ID
 and 
AWS_SECRET_ACCESS_KEY
. The AWS SDK for Java uses the EnvironmentVariableCredentialsProvider class to load these credentials.
Java system properties-
aws.accessKeyId
 and 
aws.secretKey
. The AWS SDK for Java uses the SystemPropertiesCredentialsProvider to load these credentials.
Web Identity Token credentials from the environment or container.
The default credential profiles file- typically located at 
~/.aws/credentials
 (location can vary per platform), and shared by many of the AWS SDKs and by the AWS CLI. The AWS SDK for Java uses the ProfileCredentialsProvider to load these credentials.
Amazon ECS container credentials- loaded from the Amazon ECS if the environment variable 
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
 is set. The AWS SDK for Java uses the ContainerCredentialsProvider to load these credentials. You can specify the IP address for this value.
Instance profile credentials- used on EC2 instances, and delivered through the Amazon EC2 metadata service. The AWS SDK for Java uses the InstanceProfileCredentialsProvider to load these credentials. You can specify the IP address for this value.
Options A and D are incorrect since the IAM Role is instantly applied to the EC2 Instance.
Option C is incorrect because even if the CLI is corrupted. This would still not be the cause of the underlying issue.
For more information on an example of how credentials are evaluated, please refer to the below URL-
https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html