Reply To: Explanation Please

  • JR-TutorialsDojo

    November 28, 2023 at 9:35 am

    Hi MeSeeks,

    Thanks for your feedback.

    …but to be honest, the correct answer seems to contradict AWS’s best practices recommendations regarding root user accounts.

    The use of an IAM role with a web identity federation is not contradictory to AWS’s best practices. In fact, it aligns with them. AWS recommends using IAM roles and avoiding the use of the root user for everyday tasks. The root user has full access to all resources in the AWS account and should be used sparingly. IAM roles, on the other hand, provide a secure way to grant permissions to entities that you trust. These entities can be AWS service accounts, applications running on EC2 instances, or even users from a corporate directory. When you use an IAM role with a web identity federation, you are delegating authentication to a well-known third-party identity provider such as Login with Amazon, Facebook, Google, or any OpenID Connect (OIDC) 2.0 compatible provider. This means you don’t have to distribute long-term AWS security credentials with your application, and users of your application can sign in using their existing identities from these providers.

    While the question stem does state the app uses root access keys, why wouldn’t a unique user with the appropriate permissions work for this scenario and therefore keep with AWS’s best practices? Can you please elaborate as to why a unique user should not be created?

    There are additional considerations when building an application that needs to interact with AWS services. The main concern is that embedding access keys (even for an IAM user) within an application is risky. If the application or its code is ever compromised, those keys could be exposed, leading to potential unauthorized access to your AWS resources.

    That’s why the recommended approach is to use temporary, limited-privilege credentials. AWS Cognito is a service that provides this functionality. With Cognito, you can establish a unique identity for each user and authenticate them with a public login provider, such as Amazon, Google, or Facebook. Cognito then provides temporary credentials that map to an IAM role with permissions to access the resources required by your mobile app.

    So, while creating a unique IAM user would be an improvement over using the root account, it’s still not the best practice. Using temporary credentials from Cognito provides a more secure solution.

    I hope this helps. Please don’t hesitate to ask if you have any further questions or concerns.

    JR @ Tutorials Dojo
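Two checks a reviewer can run against the two approaches discussed in the reply, as an added Python example that is not part of the original thread or of Tutorials Dojo: a scan for long-term access keys shipped inside an app config, and a validation that the IAM role Cognito maps identities to can only be assumed from one identity pool by authenticated users. The key IDs, the identity pool ID and the config text are constructed placeholders.

```python
import re

# Constructed sample of the config an app must NOT ship with. The key ID is a
# fabricated placeholder in the real format, not a real credential.
EMBEDDED_APP_CONFIG = """
aws_access_key_id = AKIAEXAMPLEEXAMPLE01
aws_secret_access_key = PLACEHOLDER_SECRET_NOT_REAL
region = us-east-1
"""

# Long-term access keys (IAM user or root) start with AKIA; temporary keys
# issued through STS/Cognito start with ASIA and are paired with a session token.
LONG_TERM_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

def find_long_term_keys(text: str) -> list[str]:
    """Return every long-term access key ID embedded in app config or source."""
    return LONG_TERM_KEY_RE.findall(text)

# Assumed placeholder identity pool ID, not a real pool.
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"

# Trust policy for the IAM role whose permissions Cognito's temporary
# credentials carry. The two conditions pin it to this pool and to
# authenticated (not guest) identities.
COGNITO_ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": IDENTITY_POOL_ID},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
        },
    }],
}

def trust_policy_is_scoped(policy: dict, pool_id: str) -> bool:
    """True only if there is a Cognito statement and every Cognito statement is
    restricted to pool_id and to authenticated identities."""
    seen = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Principal", {}).get("Federated") != "cognito-identity.amazonaws.com":
            continue
        seen = True
        cond = stmt.get("Condition", {})
        aud = cond.get("StringEquals", {}).get("cognito-identity.amazonaws.com:aud")
        amr = cond.get("ForAnyValue:StringLike", {}).get("cognito-identity.amazonaws.com:amr")
        if aud != pool_id or amr != "authenticated":
            return False
    return seen
```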