The correct approach is to create an IAM role with permissions to read the secure parameter from Parameter Store and allow decryption using the associated AWS KMS key, then assign this role to the EC2 instance. This enables the EC2 instance to retrieve the parameter securely and decrypt it at runtime, ensuring secure and automated access without hardcoding secrets.

Now, here is why the other options are incorrect:

Creating an IAM policy and attaching it directly to the EC2 instance is not valid, because EC2 instances cannot directly assume IAM policies. IAM roles, not policies, are used to assign permissions to instances.

Establishing a trust relationship between the Parameter Store and the EC2 instance is incorrect. IAM trust policies define which entities can assume a role, not how services like Parameter Store grant access. Furthermore, Parameter Store is a service, not a principal entity you can assign a trust relationship to.

Creating a trust relationship between the RDS instance and the EC2 instance while specifying Systems Manager as a principal is invalid. RDS does not assume roles in this context, and Systems Manager does not need to be the trusted principal. This setup confuses trust relationships with permission assignments.

Why this question is important: This question tests your understanding of how to manage secrets securely in AWS using IAM, KMS, and Systems Manager Parameter Store. The key to answering correctly is knowing the difference between IAM roles and policies and how KMS encryption integrates with services like Parameter Store.

Exam tip: If the question involves secure access to AWS-managed secrets or credentials, always look for a solution that avoids hardcoding secrets and uses IAM roles with least privilege access, combined with encryption mechanisms like KMS.

Full AWS Practitioner Certification Question