In order to test a new service in production, you need to add several write permissions for an existing IAM role in an EC2 instance. This IAM role has been used by several other EC2 instances. How could you accomplish this securely?

Answer options:

A.Add an AWS managed policy for the IAM role.
B.Create another IAM role with the required permissions and delete the existing IAM role. Attach it to an EC2 instance to test.
C.Add an inline policy for the IAM role. Remove the policy after the testing is complete.
D.Create an IAM policy with the required permissions and attach it to a new IAM role. Add that new IAM role to the EC2 instance and test it.

Answer – D
Option A is incorrect because it should be a custom policy rather than an AWS managed policy.
Option B is incorrect because it is not appropriate to delete the existing role before the new role is fully tested.
Option C is incorrect because an inline policy is not very appropriate. It is better to use a custom-managed IAM policy so that it can be reused and easy to maintain. In most cases, AWS recommends that users use managed policies instead of inline policies. Please check the reference in https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#choosing-managed-or-inline.
Option D is CORRECT because you can create a custom policy with the required permission in an IAM role. While testing, the changes will not influence the other EC2 instances.
For more information on how to create IAM policies, please refer to the following URL:
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html