AWS S3 Bucket Authentication for EC2 Instance Script

Securing EC2 Instance Script for Accessing S3 Bucket


Question

A developer has created a script that accesses an S3 bucket.

The script will run on an EC2 Instance at regular intervals.

What is the authentication mechanism that should be employed to ensure that the script works as desired?

Answers

Explanations


A. B. C. D.

Answer - B.

The AWS documentation states the following:

You have an application or AWS CLI scripts running on an Amazon EC2 instance.

Do not pass an access key to the application, embed it in the application, or have the application read a key from a source such as an Amazon S3 bucket (even if the bucket is encrypted).

Instead, define an IAM role with appropriate permissions for your application and launch the Amazon EC2 instance with roles for EC2.

This associates an IAM role with the Amazon EC2 instance and lets the application get temporary security credentials that it can, in turn, use to make AWS calls.

The AWS SDKs and the AWS CLI can get temporary credentials from the role automatically.

All other options are incorrect since the most secure way is to create and use IAM Roles.

For more information on best practices for access keys, please refer to the URL below:

https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html

The correct answer to the question is B. Create an IAM Role. Ensure the IAM Role has access to the S3 bucket via IAM policies. Attach the role to the instance.

Explanation: To access an S3 bucket from an EC2 instance, the script needs credentials with sufficient permissions for that bucket. Embedding long-term credentials in the script or the code is not recommended, because anyone who can read the script (or a copy of it) obtains the keys. Instead, AWS provides an authentication mechanism that is both more secure and more convenient: IAM roles.

IAM roles are a secure way to grant temporary permissions to AWS services or EC2 instances so they can access other AWS services. IAM roles are preferred over IAM users because they do not require the creation, distribution or rotation of long-term access keys. An IAM role can be assigned to an EC2 instance at launch or after the instance is already running.

To create an IAM role that can access the S3 bucket, first create an IAM policy that defines the permissions required for that bucket (and no more). Once the policy is created, create an IAM role with a trust policy that allows the EC2 service to assume it, and attach the permissions policy to the role. Then assign the role to the EC2 instance through an instance profile. The role will be used to provide temporary credentials to the EC2 instance to access the S3 bucket.
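The procedure above, carried through with the AWS CLI as an added example (this is not code from the original page or from AWS). It builds a trust policy that only the EC2 service can assume, a read-only permissions policy scoped to a single bucket, the role, the instance profile, and the association with the instance. The role name, profile name, bucket name and instance ID are assumed placeholders; the script prints the commands by default (DRY_RUN=1) so it can be reviewed before anything is created.

```shell
#!/bin/sh
# Added example: provision an IAM role for an EC2 instance so a script on it
# can read one S3 bucket without any embedded access keys.
# Assumed placeholder names: my-script-role, my-script-profile,
# example-bucket, i-0123456789abcdef0.
set -eu

ROLE_NAME="${ROLE_NAME:-my-script-role}"
PROFILE_NAME="${PROFILE_NAME:-my-script-profile}"
BUCKET="${BUCKET:-example-bucket}"
INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only; 0 = execute them

# Trust policy: only the EC2 service principal may assume this role.
trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Permissions policy: least privilege, read-only, scoped to one bucket.
# ListBucket applies to the bucket ARN, GetObject to the objects in it.
bucket_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::$1"},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::$1/*"}
  ]
}
EOF
}

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Create role, attach the inline bucket policy, wrap the role in an
# instance profile and associate that profile with the running instance.
provision() {
  run aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "$(trust_policy)"
  run aws iam put-role-policy --role-name "$ROLE_NAME" \
      --policy-name "read-$BUCKET" \
      --policy-document "$(bucket_policy "$BUCKET")"
  run aws iam create-instance-profile --instance-profile-name "$PROFILE_NAME"
  run aws iam add-role-to-instance-profile \
      --instance-profile-name "$PROFILE_NAME" --role-name "$ROLE_NAME"
  run aws ec2 associate-iam-instance-profile --instance-id "$INSTANCE_ID" \
      --iam-instance-profile Name="$PROFILE_NAME"
}

# Run this on the instance itself: no keys are configured anywhere, the
# CLI obtains temporary credentials from the attached role automatically.
verify_from_instance() {
  aws sts get-caller-identity     # the Arn should reference the assumed role
  aws s3 ls "s3://$BUCKET/"
}

provision
```

Run `DRY_RUN=0 sh provision.sh` from a workstation with IAM permissions to create the role and attach it, then call `verify_from_instance` on the instance. The two policies are deliberately separate: the trust policy decides who may assume the role (only EC2), while the permissions policy decides what the role may do (read one bucket), and neither contains a wildcard resource.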

In summary, embedding credentials in the script or code is not recommended because it is a security risk. The recommended way to access an S3 bucket from an EC2 instance is to use an IAM role, which provides the instance with temporary credentials for the bucket.