Incorrect explanation to question in CDA section based – security practice exam
Carlo-TutorialsDojo updated 1 year, 1 month ago · 2 Members · 2 Posts
A company has different AWS accounts, namely Account A, Account B, and Account C, which are used for their Development, Test, and Production environments respectively. A developer needs access to perform an audit whenever a new version of the application has been deployed to the Test (Account B) and production (Account C) environments.
What is the MOST efficient way to provide the developer access to execute the specified task?
- A. Set up AWS Organizations and attach a Service Control Policy to the developer to access the other accounts.
- B. Create separate identities and passwords for the developer on both the Test and Production accounts.
- C. Enable AWS multi-factor authentication (MFA) to the IAM User of the developer.
- D. Grant the developer cross-account access to the resources of Accounts B and C.
The correct answer is D, and I got it incorrect. So I was reading the explanation and realized it is totally different from the question. The explanation is as follows:
Applications that run on an EC2 instance must include AWS credentials in their AWS API requests. You could have your developers store AWS credentials directly within the EC2 instance and allow applications in that instance to use those credentials. But developers would then have to manage the credentials and ensure that they securely pass the credentials to each instance and update each EC2 instance when it’s time to rotate the credentials. That’s a lot of additional work.
Instead, you can and should use an IAM role to manage temporary credentials for applications that run on an EC2 instance. When you use a role, you don’t have to distribute long-term credentials (such as a username and password or access keys) to an EC2 instance. Instead, the role supplies temporary permissions that applications can use when they make calls to other AWS resources. When you launch an EC2 instance, you specify an IAM role to associate with the instance. Applications that run on the instance can then use the role-supplied temporary credentials to sign API requests.
Using roles to grant permissions to applications that run on EC2 instances requires a bit of extra configuration. An application running on an EC2 instance is abstracted from AWS by the virtualized operating system. Because of this extra separation, an additional step is needed to assign an AWS role and its associated permissions to an EC2 instance and make them available to its applications. This extra step is the creation of an instance profile that is attached to the instance. The instance profile contains the role and can provide the role’s temporary credentials to an application that runs on the instance. Those temporary credentials can then be used in the application’s API calls to access resources and to limit access to only those resources that the role specifies. Note that only one role can be assigned to an EC2 instance at a time, and all applications on the instance share the same role and permissions.
Using roles in this way has several benefits. Because role credentials are temporary and rotated automatically, you don’t have to manage credentials, and you don’t have to worry about long-term security risks. In addition, if you use a single role for multiple instances, you can make a change to that one role and the change is propagated automatically to all the instances.
Hence, using an IAM Role to grant the application the necessary permissions to upload data to S3 is the correct answer for this scenario as this provides the safest way to integrate your application hosted in EC2 and S3.
Storing the access keys in the instance and then using the AWS SDK to upload the results to S3 is incorrect because this will expose the AWS access credentials to all users who have access to the EC2 instance. Since this option entails a security risk, it is incorrect, as it is not the safest method.
Installing the AWS CLI and then using it to upload the results to S3 is incorrect. Although this option is valid, this method also presents a security risk, just as shown above. By default, the AWS CLI requires you to store the AWS access keys in your instance, which will be used in executing the commands. Hence, this option is incorrect.
Using an IAM Inline Policy to grant the application the necessary permissions to upload data to S3 is incorrect because inline policies are useful if you want to maintain a strict one-to-one relationship between a policy and the principal entity that it’s applied to. This option doesn’t provide a secure way of allowing the application that is hosted in EC2 to upload data to an S3 bucket. You should use an IAM Role instead.
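The cross-account pattern behind answer D, as an added example that is not part of the original post or of the Tutorials Dojo explanation: a role in each of Accounts B and C whose trust policy names the developer's identity in Account A, a least-privilege permissions policy on that role, and a policy in Account A that lets the developer assume only those two roles. The account IDs, the role name DeploymentAuditRole, the user audit-developer, the MFA condition and the audit action list are all assumptions chosen for illustration; `trust_allows` is a deliberately simplified evaluator, not the IAM engine.

```python
import json

# Constructed placeholder account IDs and names; none of these appear on the page.
ACCOUNTS = {
    "A": "111111111111",  # Development: home of the developer's IAM user
    "B": "222222222222",  # Test
    "C": "333333333333",  # Production
}
ROLE_NAME = "DeploymentAuditRole"                                      # assumed role name in B and C
DEVELOPER_ARN = f"arn:aws:iam::{ACCOUNTS['A']}:user/audit-developer"  # assumed user in A


def trust_policy(trusted_principal_arn, require_mfa=True):
    """Trust policy for DeploymentAuditRole in Accounts B and C.

    Only the named principal in Account A may assume the role. The MFA
    condition is an added hardening, not something the exam answer requires.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": trusted_principal_arn},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def audit_permissions_policy():
    """Permissions attached to the audit role: read-only, scoped to what an
    audit of a deployment plausibly needs (the action list is an assumption)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackEvents",
                "codedeploy:GetDeployment",
                "codedeploy:ListDeployments",
                "cloudtrail:LookupEvents",
            ],
            "Resource": "*",
        }],
    }


def developer_assume_policy(target_account_ids):
    """Identity policy in Account A: the developer may assume only the audit
    role, and only in the listed accounts (B and C), not any role anywhere."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [f"arn:aws:iam::{a}:role/{ROLE_NAME}" for a in target_account_ids],
        }],
    }


def trust_allows(policy, caller_arn, mfa_present):
    """Simplified evaluation of a trust policy of the shape built above.

    The real IAM engine also applies the caller's identity policy, SCPs and
    session policies; this only answers 'does the trust policy let this
    caller in', which is enough to reason about the failure modes."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        principals = stmt["Principal"]["AWS"]
        if isinstance(principals, str):
            principals = [principals]
        if caller_arn not in principals:
            continue
        mfa_required = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true"
        if mfa_required and not mfa_present:
            continue
        return True
    return False


def assume_audit_role(account_id, mfa_serial, token_code):
    """Developer side: trade the Account A identity for temporary credentials
    in B or C via the real boto3 sts.assume_role API. boto3 is imported lazily
    so the rest of this file runs without it and without AWS connectivity."""
    import boto3
    resp = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{ROLE_NAME}",
        RoleSessionName="deployment-audit",
        SerialNumber=mfa_serial,   # developer's MFA device ARN (arn:aws:iam::<A>:mfa/<user>)
        TokenCode=token_code,      # current code from that device
        DurationSeconds=3600,
    )
    c = resp["Credentials"]      # temporary: AccessKeyId begins with ASIA and comes with a SessionToken
    return boto3.Session(aws_access_key_id=c["AccessKeyId"],
                         aws_secret_access_key=c["SecretAccessKey"],
                         aws_session_token=c["SessionToken"])


if __name__ == "__main__":
    for label in ("B", "C"):
        print(f"# trust policy for {ROLE_NAME} in Account {label} ({ACCOUNTS[label]})")
        print(json.dumps(trust_policy(DEVELOPER_ARN), indent=2))
    print("# identity policy for the developer in Account A")
    print(json.dumps(developer_assume_policy([ACCOUNTS["B"], ACCOUNTS["C"]]), indent=2))
```

Both halves are needed: the trust policy in B and C says who may come in, and the identity policy in A says which roles the developer may call `sts:AssumeRole` on. Option B (separate users and passwords per account) gives the developer two more sets of long-term credentials to protect; the role gives a session that expires after `DurationSeconds` and shows up in CloudTrail in B and C under the `deployment-audit` session name.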
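The risk the pasted explanation describes (long-term keys stored on the instance are readable by anyone with access to it) turned into a detection check, as an added example that is not part of the original post or of the Tutorials Dojo explanation. It scans constructed file contents for access key IDs, telling long-term IAM user keys (`AKIA...`) from the temporary keys an instance profile or AssumeRole hands out (`ASIA...`); the file paths and contents are made up for the example, and the key values are AWS's published documentation example keys, not real credentials.

```python
import re

# Access key IDs: AKIA... is a long-term IAM user key, ASIA... is a temporary
# key issued by STS (what an instance profile or AssumeRole hands out).
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret keys are 40 base64-like characters; flag them only next to a label,
# otherwise any 40-character token would match.
SECRET_RE = re.compile(r"(?i)aws[_-]?secret[_-]?access[_-]?key\W+([A-Za-z0-9/+=]{40})\b")


def scan_text(source, text):
    """Return one finding per credential-looking token, redacting the value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            key = m.group(1)
            kind = "long-term access key" if key.startswith("AKIA") else "temporary access key"
            findings.append({"source": source, "line": lineno, "kind": kind, "value": key[:8] + "..."})
        if SECRET_RE.search(line):
            findings.append({"source": source, "line": lineno, "kind": "secret access key", "value": "<redacted>"})
    return findings


def scan_all(samples):
    """Scan a mapping of path -> file contents."""
    return [f for src, text in samples.items() for f in scan_text(src, text)]


def instance_uses_long_term_keys(findings):
    """The condition the explanation warns about: IAM user keys stored on the box."""
    return any(f["kind"] == "long-term access key" for f in findings)


# Constructed sample contents, as a scan of an EC2 instance's filesystem might
# see them. Key values are AWS's documentation example keys, not real keys.
SAMPLES = {
    # Stored keys: what 'storing the access keys in the instance' looks like.
    "/home/app/.aws/credentials": (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    # Keys baked into application code: same risk, readable by anyone with shell access.
    "/opt/app/legacy_upload.py": (
        'client = boto3.client("s3", aws_access_key_id="AKIAIOSFODNN7EXAMPLE",\n'
        '                      aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")\n'
    ),
    # Temporary STS key leaked into a file: still worth flagging, but it expires.
    "/etc/environment": "AWS_ACCESS_KEY_ID=ASIAQ7EXAMPLE12345AB\n",
    # The hardened form: no credentials in code; the SDK's default provider
    # chain fetches rotating instance-profile credentials from IMDS at run time.
    "/opt/app/upload.py": (
        'client = boto3.client("s3")  # credentials resolved from the instance profile\n'
        'client.upload_file("results.json", "audit-results-bucket", "run-1/results.json")\n'
    ),
}

if __name__ == "__main__":
    found = scan_all(SAMPLES)
    for f in found:
        print(f"{f['source']}:{f['line']}: {f['kind']} {f['value']}")
    print("long-term keys present:", instance_uses_long_term_keys(found))
```

The hardened `upload.py` produces no findings because there is nothing on disk to find: with an instance profile attached, the SDK obtains credentials from the instance metadata service and they rotate without any file being updated. The same scan run over a real instance (or a container image, or a repository) is a cheap way to catch the pattern the explanation calls out before it ships.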
Hello Ishva,
Thank you for raising this item.
We’ve taken note of this, and we’ll update the explanation to the correct one.
Let me know if you have further questions.
Regards,
Carlo @ Tutorials Dojo