An administrator uses Amazon CloudFormation to deploy a three-tier web application that consists of a web tier and application tier that will utilize Amazon DynamoDB for storage. While creating the CloudFormation template, which of the following would allow the application instance access to the DynamoDB tables without exposing API credentials?

Answer options:

A.Create an IAM role that only has the read permissions for the required DynamoDB table and associate the Role to the application instances by referencing an instance profile.
B.Use the Parameter section in the Cloud Formation template to have the user input Access and Secret Keys from an already created IAM user that has permissions required to read and write from the required DynamoDB table.
C.Create an IAM Role that has the required permission to read and write from the required DynamoDB table and associate the Role to the application instances by referencing an instance profile.
D.Create an Identity and Access Management user in the CloudFormation template that has permissions to read and write from the required DynamoDB table, use the GetAtt function to retrieve the Access and secret keys and pass them to the application instance through user-data.

Answer – C
The scenario requires the instance to have access to DynamoDB tables without having to use the API credentials. In such scenarios, always think of creating IAM Roles rather than IAM Users.
Option A is incorrect because the IAM Role needs both the read and the write access to the DynamoDB table.
Option B is incorrect because (a) you should never expose the Access and Secret Keys while accessing the AWS resources, and (b) using IAM Role is the more secure way of accessing the resources than using IAM Users with security credentials.
Option C is CORRECT. Instance profiles (with the correct roles) can be referenced in cloud formation templates. These instance profiles are created manually with the correct roles associated with them and can be reused on multiple instances. Pre-building instance profiles can provide standardization in naming across the entire infrastructure.
Option D is incorrect because (a) you should never expose the Access and Secret Keys while accessing the AWS resources, (b) using IAM Role is the more secure way of accessing the resources than using IAM Users with security credentials.
For more information on granting access to AWS resources via EC2 instance profile property, please visit the below URL-
https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/java-dg-roles.html
For more information on adding IAM roles in CloudFormation templates, please visit the below URL-
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html