HeadlinesBriefing.com

AWS IAM Roles Secure EC2-S3 Access

Source: DEV Community

A DevOps team implemented a secure method for an EC2 instance to access a private S3 bucket without using long-term access keys. By creating a custom IAM Policy and attaching an IAM Role named `datacenter-role` to the `datacenter-ec2` instance, they gave the instance access without storing any credentials on it. This approach eliminates the risk of hardcoded credentials being compromised if the server is breached.

This practice follows the principle of least privilege. The attached policy only grants specific permissions—`PutObject`, `GetObject`, and `ListBucket`—for one designated bucket. AWS automatically handles temporary credentials via its Security Token Service, rotating them every few hours. This automated credential management is a core advantage over static access keys, which require manual rotation and pose a persistent security liability.

The workflow involved setting up SSH access, provisioning the S3 bucket with block public access enabled, and then testing the connection via the AWS CLI. The successful upload and listing of a test file confirmed the role was active. This foundational skill is critical for building secure, automated cloud infrastructure, as it prevents broad permissions and reduces the attack surface for any compromised instance.
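A concrete version of the policy and role trust relationship described above, as an added example that is not code from the article: `datacenter-bucket` is a constructed bucket name, and `policy_findings` is a hypothetical helper that flags any statement reaching beyond the one bucket (wildcard actions or out-of-scope resources).

```python
import json

def s3_bucket_policy(bucket: str) -> dict:
    """Identity policy: ListBucket on the bucket ARN, Get/PutObject on its objects only."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # ListBucket is bucket-level, so its resource is the bucket ARN itself
                "Sid": "ListOneBucket",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
            },
            {   # object-level actions need the bucket/* pattern, not the bucket ARN
                "Sid": "ReadWriteObjectsInOneBucket",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/*"],
            },
        ],
    }

def ec2_trust_policy() -> dict:
    """Trust policy that lets the EC2 service assume the role (what makes it an instance role)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": "ec2.amazonaws.com"},
                       "Action": "sts:AssumeRole"}],
    }

def policy_findings(policy: dict, bucket: str) -> list:
    """Hypothetical checker: list statements that widen the grant beyond the one bucket."""
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for st in policy["Statement"]:
        sid = st.get("Sid", "?")
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        findings += [f"{sid}: wildcard action {a}" for a in actions if a.endswith("*")]
        findings += [f"{sid}: resource outside bucket {r}" for r in resources if r not in allowed]
    return findings

if __name__ == "__main__":
    bucket = "datacenter-bucket"  # constructed name; the article does not give one
    print(json.dumps(s3_bucket_policy(bucket), indent=2))
    print("findings:", policy_findings(s3_bucket_policy(bucket), bucket))
```

The split between the bucket ARN and the `bucket/*` pattern is the detail most often got wrong: `ListBucket` on `bucket/*` silently fails, and `GetObject` on the bare bucket ARN does too.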