Your team has developed an application and now needs to deploy that application onto an EC2 Instance. This application interacts with a DynamoDB table. Which of the following is the correct and MOST SECURE way to ensure that the application interacts with the DynamoDB table?

Answer options:

A.Create a role which has the necessary permissions and can be assumed by the EC2 instance.
B.Use the API credentials from an EC2 instance. Ensure the environment variables areupdated with the API access keys.
C.Use the API credentials from a bastion host. Make the application on the EC2 Instance send requests via the bastion host.
D.Use the API credentials from a NAT Instance. Make the application on the EC2 Instance send requests via the NAT Instance.

Answer – A
IAM roles are designed in such a way that your applications can securely make API requests from your instances without requiring you to manage the security credentials that the applications use.
Options B, C, and D are invalid because it is not secure to use API credentials from any EC2 instance. The API credentials can be tampered with. Hence it is not the ideal secure way to make API calls.
For more details on AWS Credentials, please refer below URLs-
https://aws.amazon.com/blogs/security/what-to-do-if-you-inadvertently-expose-an-aws-access-key/
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey_API
For more information on IAM roles for EC2, please refer below URL-
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html