Question 104:
A large telecom company is using AWS infrastructure for its web application and data storage applications. As a SysOps Administrator, you have created separate IAM user groups based on the departments in the company. Earlier, users in the DevOps department used to launch EC2 instances and save all data in the EFS store. Due to a cost-cutting exercise, users are asked to save all data in S3 buckets instead of EFS. For this, users in the DevOps team should have permission to launch an EC2 instance with a role that can access S3 buckets for saving files. These users should not be able to grant additional roles from these EC2 instances. Which of the following policy statements can be configured to meet the least-privilege requirement?
Answer options:
A. Create an IAM policy that allows iam:PassRole to users in the DevOps team to launch an EC2 instance, and create an additional statement allowing full permission to associate only the S3 access role with the instance.
B. Create an IAM policy that allows full permission to users in the DevOps team to launch an EC2 instance, and create an additional statement allowing full permission to associate only the S3 access role with the instance.
C. Create an IAM policy that allows full permission to users in the DevOps team to launch an EC2 instance, and create an additional statement allowing full permission to associate all roles with the instance.
D. Create an IAM policy that allows full permission to users in the DevOps team to launch an EC2 instance, and create an additional statement allowing iam:PassRole to associate only the S3 access role with the instance.