A company runs an application on Amazon EC2 instances that must read objects from a specific Amazon S3 bucket. Developers currently store long-lived IAM user access keys in the application configuration file. A solutions architect must remove the static credentials while granting only the access the application needs. Which approach best meets these requirements?
- A. Attach an IAM role to the EC2 instances with a policy that allows the s3:GetObject action on the specific bucket, and have the application use the role credentials. (Correct)
- B. Create an IAM user with an S3 read-only managed policy and embed its access key and secret key in the EC2 instance user data at launch.
- C. Attach an IAM role to the EC2 instances that grants the AdministratorAccess managed policy so the application can reach the bucket without stored keys.
- D. Store the IAM user access keys in AWS Secrets Manager and have the running application retrieve the same long-lived keys at startup.
Why A is correct: An instance profile role supplies temporary credentials that are rotated automatically, and a GetObject policy scoped to the one bucket grants least privilege without any static keys.
Why B is wrong: Moving the key to user data still relies on long-lived static credentials that can leak, so it fails the requirement to remove static credentials entirely.
Why C is wrong: A role does remove static keys, but AdministratorAccess grants far more than the read access the application needs, so it clearly violates the least-privilege requirement.
Why D is wrong: Secrets Manager protects the keys at rest, but the application still authenticates with long-lived IAM user credentials rather than removing them as required.
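The difference between options A and C comes down to the scope of the policy attached to the role. The following added example (not part of the original question) builds the scoped policy from option A, places it beside a document equivalent to AdministratorAccess, and runs a simplified IAM evaluation over a constructed set of probe actions to show which policy grants only what the application needs. The bucket name, the probe list and the evaluator itself are assumptions for illustration; the evaluator handles Allow, explicit Deny and wildcards but ignores conditions, NotAction and resource-level policies.

```python
import fnmatch
import json

# Constructed sample bucket name (not from the question).
BUCKET = "example-app-bucket"


def scoped_read_policy(bucket: str) -> dict:
    """Option A: least-privilege policy for an instance role, GetObject on one bucket only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


# Option C: a document equivalent to the AWS-managed AdministratorAccess policy.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# What the application actually needs: read objects from its own bucket.
REQUIRED = [("s3:GetObject", f"arn:aws:s3:::{BUCKET}/*")]

# Constructed probes: the required call plus calls the application must NOT be able to make.
PROBES = [
    ("s3:GetObject", f"arn:aws:s3:::{BUCKET}/*"),
    ("s3:PutObject", f"arn:aws:s3:::{BUCKET}/*"),
    ("s3:GetObject", "arn:aws:s3:::other-team-bucket/*"),
    ("s3:DeleteBucket", f"arn:aws:s3:::{BUCKET}"),
    ("iam:CreateUser", "*"),
]


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_allows(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow grants.

    Action names are compared case-insensitively, as IAM does; '*' and '?' wildcards
    in Action and Resource are honoured. Conditions and NotAction are not modelled.
    """
    decision = False
    for stmt in _as_list(policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in resources)
        if action_hit and resource_hit:
            if stmt.get("Effect") == "Deny":
                return False
            decision = True
    return decision


def excess_grants(policy: dict, required, probes):
    """Return the probe (action, resource) pairs the policy allows beyond the required set.

    An empty list means the policy grants nothing the application does not need.
    """
    return [p for p in probes if p not in required and policy_allows(policy, *p)]


if __name__ == "__main__":
    scoped = scoped_read_policy(BUCKET)
    print(json.dumps(scoped, indent=2))
    print("excess grants (scoped role):", excess_grants(scoped, REQUIRED, PROBES))
    print("excess grants (AdministratorAccess):", excess_grants(ADMIN_POLICY, REQUIRED, PROBES))
```

The scoped policy yields no excess grants, while the AdministratorAccess document allows every probe beyond the one the application needs; a check like this is a useful gate before attaching a role policy to an instance profile.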