Security And Identity Basics — AWS Developer (DVA-C02)

2% of exam questions (4 of 200)

IAM Instance Roles Replace Access Keys on EC2

Storing IAM user access keys in an EC2 instance's environment variables or configuration files creates a long-lived credential that requires manual rotation and persists on disk if the instance is compromised. IAM instance roles attach to the instance through an instance profile and expose temporary credentials through the EC2 instance metadata service at 169.254.169.254/latest/meta-data/iam/security-credentials/. The AWS SDK retrieves and rotates those credentials automatically, with no key material stored on the instance. When an answer choice offers 'attach an IAM role via instance profile' against 'store access keys', the instance profile is correct every time an IAM role can satisfy the access pattern.

What This Pattern Tests

The exam tests foundational security knowledge. The root account should have MFA and no access keys. Human users should use Identity Center (SSO) with MFA, not IAM users with passwords. Services should use IAM roles with temporary credentials, never hardcoded access keys. Security groups are stateful firewalls at the instance level. NACLs are stateless firewalls at the subnet level. Encryption at rest should be enabled for all data stores. The trap is creating IAM users with access keys for applications (use roles) or assuming the root account is for daily use (it is for account setup only).

Decision Axis

Security layer (identity vs. network vs. data encryption) determines the control. Least privilege applies to all layers.

Decision Rules

The deciding factor is whether the Lambda execution role's permission policy restricts both the action set (s3:GetObject only) and the resource scope (a specific bucket ARN plus prefix path), or instead grants an over-provisioned policy such as s3:* on '*', which satisfies functionality but violates least privilege.

AWS Lambda · Amazon S3 · AWS Identity and Access Management

Domain Coverage

Security

Difficulty Breakdown

Medium: 4