A developer needs an application running on an EC2 instance to read objects from an S3 bucket. Which approach follows AWS security best practices?
A) Create an IAM user with an access key and secret key, and hardcode the credentials into the application configuration file.
B) Store the IAM user’s access key and secret key in an environment variable on the instance.
C) Create an IAM role with the necessary S3 permissions and attach it to the EC2 instance.
D) Make the S3 bucket public so the application can access it without credentials.
Correct Answer: C
Explanation: IAM roles attached to EC2 instances provide temporary, automatically rotated credentials via the instance metadata service — no long-lived secrets are stored anywhere on the instance or in code. This is the AWS-recommended pattern for granting AWS service permissions to applications running on EC2.
Why the others are wrong: (A) and (B) both involve long-lived static credentials that can leak (via code repositories, logs, or instance compromise) and require manual rotation. (D) violates the principle of least privilege and exposes data publicly — never an acceptable substitute for proper IAM permissions.