AWS Certified DevOps Engineer - Professional Exam: DynamoDB Permissions for Mobile Application Game

Granting DynamoDB Table Access to Mobile Devices for Storage | DOP-C01 Exam


Question

You're building a mobile application game.

The application needs permissions for each user to communicate and store data in DynamoDB tables.

What is the best method for granting each mobile device that installs your application to access DynamoDB tables for storage when required? Choose the correct answer from the options below.

Answers

Explanations


Answer - C.

For access to any AWS service, the ideal approach for any application is to use Roles.

This is the first preference.

For more information on IAM policies, please refer to the below link:

http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html

Next, for any web or mobile application that signs users in through an external identity provider, you need to use web identity federation.

Hence option C is the right option.

This, along with the usage of roles, is highly stressed in the AWS documentation.

The AWS documentation mentions the following.

When developing a web application, it is recommended not to embed or distribute long-term AWS credentials with apps that a user downloads to a device, even in an encrypted store.

Instead, build your app so that it requests temporary AWS security credentials dynamically when needed using web identity federation.

The supplied temporary credentials map to an AWS role that has only the permissions needed to perform the tasks required by the mobile app.

For more information on web identity federation, please refer to the below link:

http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html

The best method for granting each mobile device that installs your application access to DynamoDB tables for storage when required is option C: Create an IAM role with the proper permission policy to communicate with the DynamoDB table, and use web identity federation. When the user signs in, the application assumes that IAM role with AssumeRoleWithWebIdentity and receives temporary security credentials from STS.

Option A is not recommended because creating IAM credentials for each user during the install and game configuration process does not scale and is difficult to manage.

Option B is not a secure solution because including the unique device ID as part of the authorization is not good security practice: the device ID is easy to modify on the client side, potentially allowing unauthorized access to the DynamoDB tables.

Option D is not recommended because creating an Active Directory server and an AD user for each mobile application user is an overcomplicated solution and also requires additional maintenance.

Using web identity federation is the recommended method for granting each mobile device that installs your application to access DynamoDB tables for storage when required. With web identity federation, users can sign in to your mobile application using a web identity provider, such as Amazon, Facebook, or Google, which generates an access token. The application can then exchange this access token for temporary security credentials using AWS Security Token Service (STS) and the AssumeRoleWithWebIdentity API.

The temporary security credentials allow users to access the necessary DynamoDB tables with the appropriate permissions defined by the IAM role. Temporary security credentials are time-limited and help to limit the scope of the user's access. Additionally, this method can be easily managed and scaled to accommodate a large number of users.
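The following is an added example, not code from the exam page or from AWS, showing the two halves of option C: the IAM role (trust policy plus least-privilege permission policy) and the sign-in exchange that trades the identity provider's token for temporary credentials through AssumeRoleWithWebIdentity. It assumes Login with Amazon as the provider and uses placeholder role, table and app identifiers; a small stub stands in for `boto3.client("sts")` so it runs offline. It goes one step beyond the page by scoping each signed-in user to the DynamoDB items whose partition key equals their own provider user id (the `dynamodb:LeadingKeys` condition with the `${www.amazon.com:user_id}` policy variable).

```python
"""
Added example (not from the exam page): wiring up web identity federation for
a mobile game that writes to DynamoDB.

Assumptions, all constructed for this illustration:
  * users sign in with Login with Amazon (OAuth 2.0 provider www.amazon.com);
  * the role ARN, table ARN and app id below are placeholders;
  * in production `sts_client` is boto3.client("sts"); here StubSts stands in.
"""
import datetime
import json

ROLE_ARN = "arn:aws:iam::123456789012:role/GameMobileClientRole"       # placeholder
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/GameScores"  # placeholder
PROVIDER = "www.amazon.com"               # Login with Amazon OAuth 2.0 provider
APP_ID = "amzn1.application.PLACEHOLDER"  # placeholder app id registered with the provider


def trust_policy(provider=PROVIDER, app_id=APP_ID):
    """Role trust policy: only tokens issued by this provider for this app may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider},
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {"StringEquals": {f"{provider}:app_id": app_id}},
            }
        ],
    }


def permission_policy(table_arn=TABLE_ARN, provider=PROVIDER):
    """Role permission policy: least privilege on one table, and each signed-in user may
    only touch items whose partition key equals their own provider user id
    (fine-grained access via dynamodb:LeadingKeys; this goes beyond the exam page)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["dynamodb:GetItem", "dynamodb:PutItem",
                           "dynamodb:UpdateItem", "dynamodb:Query"],
                "Resource": table_arn,
                "Condition": {
                    "ForAllValues:StringEquals": {
                        # expands to ${www.amazon.com:user_id} in the policy document
                        "dynamodb:LeadingKeys": [f"${{{provider}:user_id}}"]
                    }
                },
            }
        ],
    }


def exchange_web_identity_token(sts_client, web_identity_token, session_name,
                                role_arn=ROLE_ARN, provider_id=PROVIDER,
                                duration_seconds=3600):
    """What the app does at sign-in: trade the provider's token for temporary AWS
    credentials, so no long-term access key ever ships inside the app bundle.
    ProviderId is required for OAuth 2.0 providers (www.amazon.com, graph.facebook.com)
    and must be omitted for OIDC providers such as accounts.google.com."""
    kwargs = {
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "WebIdentityToken": web_identity_token,
        "DurationSeconds": duration_seconds,
    }
    if provider_id:
        kwargs["ProviderId"] = provider_id
    creds = sts_client.assume_role_with_web_identity(**kwargs)["Credentials"]
    # Key id, secret and session token are what a DynamoDB client needs; the session
    # token and the expiration are what make these credentials temporary.
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],
    }


class StubSts:
    """Constructed stand-in for boto3.client("sts") so the example runs offline.
    It records the request and returns the response shape STS returns."""

    def __init__(self):
        self.last_call = None

    def assume_role_with_web_identity(self, **kwargs):
        self.last_call = kwargs
        return {
            "Credentials": {
                "AccessKeyId": "ASIASTUBEXAMPLE",
                "SecretAccessKey": "stub-secret",
                "SessionToken": "stub-session-token",
                "Expiration": datetime.datetime(2030, 1, 1, tzinfo=datetime.timezone.utc),
            }
        }


if __name__ == "__main__":
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(permission_policy(), indent=2))
    sts = StubSts()
    creds = exchange_web_identity_token(sts, "token-from-login-with-amazon", "player-42")
    print(creds["aws_session_token"], creds["expiration"])
```

In production, replace `StubSts()` with `boto3.client("sts")` and hand the three credential values (without `expiration`) to `boto3.client("dynamodb", ...)`; the app should re-run the exchange when the credentials approach their expiration rather than caching them beyond it.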