AWS Solutions Architect Associate Practice Test

What configuration should a company use to protect AWS credentials from being compromised?

• A. Enable Multi-Factor Authentication for your AWS root account
• B. Assign an IAM role to the Amazon EC2 instance
• C. Store the AWS Access Key ID/Secret Access Key combination in software comments
• D. Assign an IAM user to the Amazon EC2 Instance

The correct answer is: Assign an IAM role to the Amazon EC2 instance

Using an IAM role with an Amazon EC2 instance is the best configuration to protect AWS credentials from being compromised. When an IAM role is assigned to an EC2 instance, it facilitates secure access to AWS resources without the need to embed access keys or secrets in the instance's code or configurations. IAM roles provide temporary security credentials that are automatically rotated and managed by AWS, meaning that the instance can securely obtain the necessary permissions to interact with other AWS services without exposing sensitive information. This minimizes the risk of credentials being leaked through hard-coded values in applications, logs, or comments in the software, which are common vectors for credential exposure. Assigning IAM roles is not only more secure but also aligns with best practices for AWS. It reduces operational overhead since you do not have to handle the lifecycle of access keys manually, and it makes it easier to manage permissions and revoke access if necessary without needing to update or replace credentials in your applications. Choosing to enable Multi-Factor Authentication (MFA) for a root account enhances security but does not protect credentials within EC2 instances themselves. Similarly, assigning an IAM user to an EC2 instance or storing access keys in software comments would expose sensitive credentials and is not considered secure.