Answer – A
The best practice for IAM is to create roles that have specific access to an AWS service and then give the user permission to the AWS service via the role.
For best practices on IAM policies, please visit the following links:
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html
Note:
As per AWS,
When you launch an EC2 instance, you specify an IAM role to associate with the instance. Applications that run on the instance can then use the role-supplied temporary credentials to sign API requests.
Using roles to grant permissions to applications that run on EC2 instances requires a bit of extra configuration. An application running on an EC2 instance is abstracted from AWS by the virtualized operating system. Because of this extra separation, an additional step is needed to assign an AWS role and its associated permissions to an EC2 instance and make them available to its applications. This extra step is the creation of an instance profile that is attached to the instance. The instance profile contains the role and can provide the role's temporary credentials to an application that runs on the instance. Those temporary credentials can then be used in the application's API calls to access resources and limit access to only those resources that the role specifies. Note that only one role can be assigned to an EC2 instance at a time, and all applications on the instance share the same role and permissions.
The example given here shows how an application retrieves the role's permissions from the instance in order to access the bucket.
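The pieces behind such a role, as an added example (not code from this page or from AWS): the trust policy that lets EC2 assume the role, a permissions policy scoped to one bucket, a least-privilege check on the pair, and a refresh check on the temporary credentials in the shape the instance metadata service hands them to the application. The bucket name, key values and timestamps are placeholders.

```python
# Added example: the policies behind an EC2 instance role and two checks on
# them.  Bucket name, credential values and timestamps are placeholders.
from datetime import datetime, timedelta

BUCKET = "example-app-bucket"  # placeholder bucket name

# Trust policy: only the EC2 service may assume the role (via the instance
# profile attached to the instance).
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}

def bucket_policy(bucket: str) -> dict:
    # Permissions policy scoped to one bucket: list it, get/put its objects.
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"arn:aws:s3:::{bucket}/*"}]}

def policy_findings(trust: dict, perms: dict) -> list:
    # Least-privilege violations in a trust/permissions pair (empty = OK).
    findings = []
    for st in trust["Statement"]:
        p = st.get("Principal", {})
        if p == "*" or (isinstance(p, dict) and p.get("AWS") == "*"):
            findings.append("trust policy lets any principal assume the role")
        if not isinstance(p, dict) or p.get("Service") != "ec2.amazonaws.com":
            findings.append("trust policy principal is not the EC2 service")
    for st in perms["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"wildcard action in {actions}")
        if "*" in resources:
            findings.append(f"wildcard resource for {actions}")
    return findings

# Constructed credential document in the shape the instance metadata service
# returns for the instance role (placeholder values, not real keys).
SAMPLE_CREDS = {"Code": "Success", "Type": "AWS-HMAC", "Token": "PLACEHOLDER",
                "AccessKeyId": "ASIAEXAMPLEKEYID", "SecretAccessKey": "PLACEHOLDER",
                "Expiration": "2024-01-01T12:00:00Z"}

def credentials_expiring(cred: dict, now_iso: str, margin_s: int = 300) -> bool:
    # True when the role's temporary credentials should be fetched again.
    ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    return ts(cred["Expiration"]) - ts(now_iso) <= timedelta(seconds=margin_s)
```

Because the instance profile rotates these credentials, an application should re-read them from the metadata service before `Expiration` rather than caching them for the life of the process.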