Answer – B
This is clearly mentioned in the AWS Documentation.
IAM Roles for Amazon EC2
Applications must sign their API requests with AWS credentials. Therefore, if you are an application developer, you need a strategy for managing credentials for your applications that run on EC2 instances. For example, you can securely distribute your AWS credentials to the instances. You enable the applications on those instances to use your credentials to sign requests while protecting your credentials from other users. However, it's challenging to securely distribute credentials to each instance, especially those that AWS creates on your behalf, such as Spot Instances or instances in Auto Scaling groups. You must also be able to update the credentials on each instance when you rotate your AWS credentials.
We designed IAM roles so that your applications can securely make API requests from your instances without requiring you to manage the security credentials that the applications use. Instead of creating and distributing your AWS credentials, you can delegate permission to make API requests using IAM roles as follows:
1. Create an IAM role.
2. Define which accounts or AWS services can assume the role.
3. Define which API actions and resources the application can use after assuming the role.
4. Specify the role when you launch your instance, or attach the role to a running or stopped instance.
5. Have the application retrieve a set of temporary credentials and use them.
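The policy documents behind steps 2 and 3, and the expiry check an application needs for step 5, are sketched below as an added example; it is not code from the AWS documentation. The bucket name, the helper names and the sample credential document are constructed for illustration, and AWS SDKs normally fetch and refresh role credentials on their own.

```python
import json
from datetime import datetime, timedelta, timezone

# Step 2: trust policy that lets the EC2 service assume the role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Step 3: permissions policy scoped to one action on one (placeholder) bucket.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::example-app-bucket/*"}],
}

def as_list(value):
    return [value] if isinstance(value, str) else list(value)

def wildcard_findings(policy):
    """List Allow statements that grant a whole service's actions or every resource."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if any(a == "*" or a.endswith(":*") for a in as_list(stmt.get("Action", []))):
            findings.append(f"statement {i}: wildcard action")
        if "*" in as_list(stmt.get("Resource", [])):
            findings.append(f"statement {i}: wildcard resource")
    return findings

# Step 5: constructed sample in the shape of the role-credential JSON that the
# instance metadata service returns; every value here is fake.
SAMPLE_ROLE_CREDENTIALS = json.dumps({
    "Code": "Success", "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
    "SecretAccessKey": "constructed-not-a-real-secret",
    "Token": "constructed-session-token",
    "Expiration": "2030-01-01T12:00:00Z",
})

def needs_refresh(document, now, margin=timedelta(minutes=5)):
    """True when the temporary credentials are unusable or about to expire."""
    creds = json.loads(document)
    if creds.get("Code") != "Success":
        return True
    expires = datetime.strptime(creds["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    return expires.replace(tzinfo=timezone.utc) - now <= margin
```

Because the credentials carry an expiration time and are reissued automatically, no long-lived key has to be stored on the instance.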
Option A is incorrect because storing the keys in the S3 bucket is not a good practice, and it may cause security issues.
Option C is incorrect because storing the keys in the application could compromise security. If the source code for the application is hosted on GitHub, everyone can access the keys.
Option D is incorrect because environment variables are unsuitable for storing keys. Doing so may cause security issues.
For more information on IAM Roles, refer to the following URL:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html