Q88 — AWS DVA-C02 Ch.3

Question 88 of 100

A developer is troubleshooting an application using Amazon DynamoDB in the us-west-2 Region. The application is deployed on an Amazon EC2 instance. The application requires read-only operations on a table named Cars. The EC2 instance is attached to an IAM role with the following IAM policy: {"Version":"2012-10-17"}

Correct Answer: C. Create a trust policy specifying the EC2 service principal. Associate the role with the policy.

Explanation

This question tests understanding of how IAM roles work for an application running on EC2: the role needs two separate policies, a trust policy that says who may assume the role, and a permissions policy that says what the role may do. The developer must make sure the application on the EC2 instance can perform read-only operations on the DynamoDB table. Option A proposes narrowing the Resource element, but the policy's Resource is already "*", which covers the Cars table; scoping it to the table's ARN (arn:aws:dynamodb:us-west-2:<account-id>:table/Cars) is good least-privilege practice, but it does not change what the application is allowed to do, so it is not the fix. Option B grants every DynamoDB action (dynamodb:*), which goes far beyond the read-only requirement and adds unnecessary risk. Option D creates a trust relationship with dynamodb.amazonaws.com, but DynamoDB is the service the application calls, not a principal that assumes the role on the application's behalf; trusting it does nothing for the EC2 instance. Option C is correct: attaching a role to an instance (through an instance profile) does not by itself make the role assumable. The role's trust policy must allow the EC2 service principal, ec2.amazonaws.com, to call sts:AssumeRole; without that statement, EC2 cannot obtain temporary credentials for the role, the instance metadata service has nothing to hand out, and every DynamoDB call fails no matter what the permissions policy says. Once the trust policy names ec2.amazonaws.com, the instance receives credentials for the role and the read-only permissions policy applies. A quick check after the change is to run aws sts get-caller-identity on the instance: if it returns the role's ARN, the trust relationship is working and any remaining failure lies in the permissions policy.
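The following is an added example, not part of the original question or its explanation. It builds the two policies the correct answer relies on (a trust policy naming ec2.amazonaws.com and a read-only permissions policy scoped to the Cars table) and checks them with a small local evaluator so the difference between the options can be seen without an AWS account. The account ID, the table ARN and the evaluator itself are assumptions: the evaluator implements only the explicit-deny-wins, any-allow rule with "*" and "?" wildcards and ignores Condition blocks, so it is a teaching aid, not a substitute for the IAM policy simulator.

```python
"""Least-privilege IAM setup for an EC2 application that reads the DynamoDB
table Cars, plus a simplified local evaluator for trust and permissions policies.
Added example; the account ID and the evaluator logic are assumptions."""
import fnmatch
import json

REGION = "us-west-2"
ACCOUNT_ID = "123456789012"  # placeholder account ID (assumption)
TABLE_ARN = f"arn:aws:dynamodb:{REGION}:{ACCOUNT_ID}:table/Cars"

# Trust policy (option C): EC2 must be the principal, because EC2 assumes the
# role to produce the temporary credentials the instance metadata service serves.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Trust policy as in option D: trusts the service being called, not the caller.
WRONG_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "dynamodb.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Permissions policy: read-only DynamoDB actions, scoped to the Cars table
# instead of "*" (least privilege; narrowing Resource is not what fixes access).
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadCarsTable",
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:BatchGetItem",
                   "dynamodb:Query", "dynamodb:Scan"],
        "Resource": TABLE_ARN,
    }],
}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/Principal."""
    return value if isinstance(value, list) else [value]


def _match(patterns, value):
    """IAM-style wildcard match ('*' and '?'); actions compare case-insensitively."""
    value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower()) for p in _as_list(patterns))


def is_allowed(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins, otherwise any matching
    Allow grants access, otherwise the implicit default is Deny. Conditions
    are not evaluated (assumption)."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _match(stmt.get("Action", []), action):
            continue
        if not _match(stmt.get("Resource", []), resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_assume(trust_policy, service_principal):
    """True if the trust policy lets the named service principal call sts:AssumeRole."""
    for stmt in trust_policy["Statement"]:
        principals = _as_list(stmt.get("Principal", {}).get("Service", []))
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt["Effect"] == "Allow" and service_principal in principals \
                and "sts:assumerole" in actions:
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(TRUST_POLICY, indent=2))
    print(json.dumps(READ_ONLY_POLICY, indent=2))
    print("EC2 can assume role:", can_assume(TRUST_POLICY, "ec2.amazonaws.com"))
    print("EC2 can assume role (option D trust):",
          can_assume(WRONG_TRUST_POLICY, "ec2.amazonaws.com"))
    print("GetItem on Cars:", is_allowed(READ_ONLY_POLICY, "dynamodb:GetItem", TABLE_ARN))
    print("PutItem on Cars:", is_allowed(READ_ONLY_POLICY, "dynamodb:PutItem", TABLE_ARN))
```

The two checks mirror the two halves of the fix: can_assume answers whether the instance gets credentials at all (the trust policy), and is_allowed answers what those credentials may do (the permissions policy). With the real service, the same JSON documents would be passed to aws iam create-role --assume-role-policy-document and aws iam put-role-policy respectively.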