
  • Explanation Please

  • MeSeeks

    Member
    November 27, 2023 at 1:25 am

    “A tech startup company plans to develop a mobile application that sends and fetches data to a DynamoDB table. The app is using the DynamoDB SDK and root account access keys to connect to DynamoDB.

    Which of the following is the best option to improve the security of this architecture?”

    The explanation for the incorrect answers really doesn’t provide the reasoning why creating a unique user for the process is problematic. I agree with utilizing web identity federation to validate but to be honest, the correct answer seems to contradict AWS’s best practices recommendations regarding root user accounts. They state on their own documentation:

    “Instead of accessing the root user, create an administrative user for everyday tasks.”

    While the question stem does state the app uses root access keys, why wouldn’t a unique user with the appropriate permissions work for this scenario and therefore keep with AWS’s best practices? Can you please elaborate as to why a unique user should not be created?

  • JR-TutorialsDojo

    Administrator
    November 28, 2023 at 9:35 am

    Hi MeSeeks,

    Thanks for your feedback.

    …but to be honest, the correct answer seems to contradict AWS’s best practices recommendations regarding root user accounts.

    The use of an IAM role with a web identity federation is not contradictory to AWS’s best practices. In fact, it aligns with them. AWS recommends using IAM roles and avoiding the use of the root user for everyday tasks. The root user has full access to all resources in the AWS account and should be used sparingly. IAM roles, on the other hand, provide a secure way to grant permissions to entities that you trust. These entities can be AWS service accounts, applications running on EC2 instances, or even users from a corporate directory. When you use an IAM role with a web identity federation, you are delegating authentication to a well-known third-party identity provider such as Login with Amazon, Facebook, Google, or any OpenID Connect (OIDC) 2.0 compatible provider. This means you don’t have to distribute long-term AWS security credentials with your application, and users of your application can sign in using their existing identities from these providers.

    While the question stem does state the app uses root access keys, why wouldn’t a unique user with the appropriate permissions work for this scenario and therefore keep with AWS’s best practices. Can you please elaborate as to why a unique user should not be created?

    There are additional considerations when building an application that needs to interact with AWS services. The main concern is that embedding access keys (even for an IAM user) within an application is risky. If the application or its code is ever compromised, those keys could be exposed, leading to potential unauthorized access to your AWS resources.

    That’s why the recommended approach is to use temporary, limited-privilege credentials. AWS Cognito is a service that provides this functionality. With Cognito, you can establish a unique identity for each user and authenticate them with a public login provider, such as Amazon, Google, or Facebook. Cognito then provides temporary credentials that map to an IAM role with permissions to access the resources required by your mobile app.

    So, while creating a unique IAM user would be an improvement over using the root account, it’s still not the best practice. Using temporary credentials from Cognito provides a more secure solution.

    I hope this helps. Please don’t hesitate to ask if you have any further questions or concerns.

    Regards,
    JR @ Tutorials Dojo
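    The role-based flow JR describes, as an added illustration that is not part of the original thread or of Tutorials Dojo’s material: the trust policy that lets only authenticated identities from one Cognito identity pool assume the role, a permission policy that scopes each user to their own DynamoDB items, and the client-side exchange of an identity-provider token for temporary credentials. The region, identity pool ID, table ARN and provider token are hypothetical placeholders.

```python
"""Added example: Cognito identity pool -> IAM role -> DynamoDB with temporary credentials.
Region, identity pool ID, table ARN and the provider token are hypothetical placeholders."""

REGION = "us-east-1"                                                   # placeholder
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"   # placeholder
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/MobileAppData"  # placeholder


def trust_policy(identity_pool_id: str) -> dict:
    """Role trust policy: only authenticated identities from this pool may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                # aud pins the role to one identity pool; amr rejects unauthenticated (guest) identities
                "StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id},
                "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
            },
        }],
    }


def permission_policy(table_arn: str) -> dict:
    """Permission policy: a user may only read/write items whose partition key is their own identity id."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
            "Resource": table_arn,
            "Condition": {"ForAllValues:StringEquals": {
                "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]}},
        }],
    }


def dynamodb_client_for_user(id_token: str, provider: str):
    """Exchange an identity-provider token (e.g. provider="accounts.google.com") for short-lived
    AWS credentials and build a DynamoDB client; no long-term keys ship with the app.
    Makes network calls, so it needs boto3 and a real identity pool."""
    import boto3  # imported lazily so the policy helpers above run without boto3 installed
    cognito = boto3.client("cognito-identity", region_name=REGION)
    identity = cognito.get_id(IdentityPoolId=IDENTITY_POOL_ID, Logins={provider: id_token})
    creds = cognito.get_credentials_for_identity(IdentityId=identity["IdentityId"],
                                                 Logins={provider: id_token})["Credentials"]
    return boto3.client("dynamodb", region_name=REGION,
                        aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretKey"],
                        aws_session_token=creds["SessionToken"])
```

    The credentials returned by `get_credentials_for_identity` expire on their own, so a leaked device holds nothing reusable once they lapse.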

    • MeSeeks

      Member
      November 29, 2023 at 2:13 am

      Thank you for the response JR – you are completely right regarding the use of roles. My mind fixated on the “root user” aspect and clouded my judgement to where I only focused on removing the root user’s access keys from the equation. Overthinking and fixation are problem points for me.

      While I do have a topic already up, perhaps you can help explain this question as well?

      A photo-sharing company is hosting an application on an EC2 instance that allows users to upload images. The application saves the images on an Amazon S3 bucket in us-east-2. Recently, users are experiencing load time issues when they upload images into the application. The website is popular in countries away from us-east-2.

      Which of the following should the SysOps administrator do to address the issue?

      The correct answer states to use S3 Transfer Accelerator rather than Global Accelerator, reasoning that Global Accel is for use with endpoints. But the question states that the load time issues are with uploading the images to the application.

      Am I wrong in concluding that the latency could be caused by either users connecting to the application (hosted on EC2s) or with transferring from the instances to the S3 bucket?

      How are we supposed to pinpoint that transfer to S3 is the problem area and not with connecting to the application instances?

      Thank you

      • JR-TutorialsDojo

        Administrator
        December 1, 2023 at 3:14 pm

        Hello MeSeeks,

        In the given scenario, the issue is with the slow upload of images to an Amazon S3 bucket in us-east-2 from users located far from this region. The application, hosted on an EC2 instance, loads correctly on the user’s end, so the problem isn’t between the client and the application.

        The recommended solution is S3 Transfer Acceleration, which speeds up data transfer over long distances between users and an S3 bucket. This service is specifically designed to address issues like this. AWS Global Accelerator, which improves the user’s connection to the application, isn’t needed in this case, as the application itself loads fine. The problem lies in the data transfer to S3 during image upload.

        I hope this clears up any confusion. Let me know if you have any further questions or concerns.

        Cheers.
