Skip to main content
  1. Home
  2. >
  3. AWS
  4. >
  5. SAA-C03
  6. >
  7. This article

AWS SAA-C03 Drill: EC2-to-S3 Access Control - The Identity Model Trade-off

·799 words·4 mins·
Architecture Drills AWS SAA-C03 FinOps Decision Matrix IAM EC2 S3 VPC Security Best Practices
Jeff Taakey
Author
Jeff Taakey
21+ Year Enterprise Architect | Multi-Cloud Architect & Strategist.
Jeff's Architecture Insights
Go beyond static exam dumps. Jeff’s Insights is engineered to cultivate the mindset of a Production-Ready Architect. We move past ‘correct answers’ to dissect the strategic trade-offs and multi-cloud patterns required to balance reliability, security, and TCO in mission-critical environments.
Table of Contents

While preparing for the AWS SAA-C03, many candidates confuse IAM entities (Roles, Users, Policies, Groups). In the real world, this is fundamentally a decision about credential lifecycle management vs. operational overhead. Let’s drill into a simulated scenario.

The Scenario
#

CloudRetail Inc. operates a three-tier e-commerce platform on AWS. The architecture consists of:

  • Web Tier: NGINX reverse proxies running on EC2 instances in public subnets
  • Application Tier: Java Spring Boot microservices on EC2 instances in private subnets
  • Data Tier: PostgreSQL RDS instances in isolated private subnets

The application tier needs to store customer-uploaded product reviews (images and text) in an S3 bucket named cloudretail-reviews-prod. Currently, the application servers cannot access S3, blocking a critical feature launch.

Key Requirements
#

Enable secure, auditable access from EC2 instances (both web and application tiers) to the S3 bucket without embedding long-term credentials in application code or configuration files.

The Options
#

  • A) Create an IAM Role with S3 bucket access permissions, then attach the role to the EC2 instances.
  • B) Create an IAM Policy with S3 bucket access permissions, then attach the policy directly to the EC2 instances.
  • C) Create an IAM Group with S3 bucket access permissions, then attach the group to the EC2 instances.
  • D) Create an IAM User with S3 bucket access permissions, then attach the user account credentials to the EC2 instances.

Correct Answer
#

Option A.

The Architect’s Analysis
#

Correct Answer
#

Option A: IAM Role attached to EC2 instances

Step-by-Step Winning Logic
#

This solution represents the AWS-recommended identity federation pattern for compute resources:

  1. Automatic Credential Management: EC2 instances assume the role via the Instance Metadata Service (IMDSv2), receiving temporary credentials that auto-rotate every 6 hours.
  2. Zero Credential Exposure: No access keys exist in code repositories, environment variables, or configuration management systems.
  3. Least Privilege Enforcement: The role can be scoped precisely to required S3 actions (s3:PutObject, s3:GetObject) on specific bucket ARNs.
  4. Audit Trail: CloudTrail logs every API call with the role session name, enabling forensic analysis.

Cost Impact: No additional charge for IAM Roles (service is free). Prevents potential breach costs (average $4.35M per incident according to IBM Security 2024).

The Traps (Distractor Analysis)
#

Why not Option B (IAM Policy directly to EC2)?
#

  • Technical Impossibility: IAM Policies cannot be attached directly to EC2 instances. Policies are documents that must be attached to identities (Users, Groups, or Roles). This is a fundamental misunderstanding of the AWS IAM model.
  • Exam Trap: Tests whether you understand that policies are permission documents, not identity containers.

Why not Option C (IAM Group)?
#

  • Entity Type Mismatch: IAM Groups are collections of IAM Users (human identities). EC2 instances are service principals, not users.
  • Architectural Anti-Pattern: Attempting to use human identity constructs for machine identities violates the principle of separation of concerns.

Why not Option D (IAM User with credentials)?
#

  • Security Risk: Requires embedding long-term access keys (AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY) in:
    • Application configuration files (risk of Git commits)
    • Environment variables (visible in process listings)
    • Secrets managers (adds complexity)
  • Operational Overhead:
    • Manual key rotation required every 90 days (compliance requirement)
    • Incident response complexity if keys are leaked
    • No automatic expiration mechanism
  • Cost: Adds 8-12 hours/year per application for credential lifecycle management (estimated $1,200-$1,800 in engineering time at $150/hr blended rate).

The Architect Blueprint
#

graph TB User([End User]) -->|HTTPS| ALB[Application Load Balancer] ALB --> WebEC2[Web Tier EC2<br/>Public Subnet] WebEC2 -->|Internal API| AppEC2[App Tier EC2<br/>Private Subnet] AppEC2 -.->|Assumes| Role[IAM Role:<br/>cloudretail-app-s3-role] Role -.->|Grants| Policy[IAM Policy:<br/>s3:PutObject/GetObject] AppEC2 -->|Temporary Creds<br/>Auto-Rotated| S3[S3 Bucket:<br/>cloudretail-reviews-prod] AppEC2 --> RDS[(RDS PostgreSQL<br/>Private Subnet)] style Role fill:#FF9900,stroke:#232F3E,stroke-width:3px,color:#fff style Policy fill:#7AA116,stroke:#232F3E,stroke-width:2px style S3 fill:#569A31,stroke:#232F3E,stroke-width:2px style AppEC2 fill:#FF9900,stroke:#232F3E,stroke-width:2px

Diagram Note: EC2 instances automatically assume the IAM Role via instance profile, receiving temporary credentials from STS that refresh every 6 hours without application intervention.

Real-World Practitioner Insight
#

Exam Rule
#

For the SAA-C03 exam: When you see “EC2 needs to access AWS service,” always choose IAM Role. Any option mentioning “IAM User credentials” or “access keys” is automatically incorrect for compute resources.

Real World
#

In production environments, we enhance this pattern with:

  1. Instance Profile Naming Convention: Use {service}-{environment}-{function}-role (e.g., ecommerce-prod-appserver-role) for clear audit trails.

  2. Permission Boundaries: Apply permission boundaries to roles to prevent privilege escalation even if the role policy is modified.

  3. S3 Bucket Policies: Implement defense-in-depth by adding bucket policies requiring aws:PrincipalArn conditions:

    {
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::123456789012:role/cloudretail-app-s3-role"},
  "Action": ["s3:PutObject", "s3:GetObject"],
  "Resource": "arn:aws:s3:::cloudretail-reviews-prod/*"
}

  4. VPC Endpoints for S3: Add a Gateway VPC Endpoint to avoid data transfer charges ($0.09/GB) for S3 traffic traversing NAT Gateways. This saves approximately $450/month for applications transferring 5TB/month.

  5. CloudWatch Metrics: Monitor AssumeRole API calls and set alarms for unusual patterns (e.g., sudden spike indicating compromised instances).

FinOps Reality Check: While IAM Roles are free, the operational maturity they enable (automated compliance, reduced incident response time) typically reduces security operations costs by 40-60% compared to access key-based architectures.

Related Articles