Accessing Amazon Redshift Tables for Mobile Application Analytics

Best Method to Access Amazon Redshift Tables for Mobile Application Analytics


Question

You have just developed a new mobile application that handles analytics workloads on large scale datasets that are stored on Amazon Redshift.

Consequently, the application needs to access Amazon Redshift tables.

Which of the below methods would be the best, both practically and security-wise, to access the tables? Choose the correct answer from the options below.

Answers

Explanations


Answer - D.

For access to any AWS service, the ideal approach for any application is to use Roles.

This is the first preference.

Hence options A and C, which both rely on embedding long-term credentials, are wrong.

For more information on IAM policies please refer to the below link:

http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html

Next, for an application of this kind, you need to use web identity federation.

Hence option D is the right option.

This along with the usage of roles is highly stressed in the AWS documentation.

"When you write such an app, you'll make requests to AWS services that must be signed with an AWS access key.

However, we strongly recommend that you do not embed or distribute long-term AWS credentials with apps that a user downloads to a device, even in an encrypted store.

Instead, build your app so that it requests temporary AWS security credentials dynamically when needed using web identity federation.

The supplied temporary credentials map to an AWS role that has only the permissions needed to perform the tasks required by the mobile app."

For more information on web identity federation please refer to the below link:

http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html

The best and most secure method for accessing Amazon Redshift tables from a mobile application is to use roles that allow a web identity federated user to assume a role that provides temporary credentials with access to the Redshift table. Therefore, the correct answer is D.

Explanation:

Option A suggests creating an IAM user and generating encryption keys for that user to embed in the application. However, embedding keys in the application is not secure: anyone who obtains a copy of the application can extract the keys and gain unauthorized access to the data.

Option B suggests using an HSM client certificate in Redshift and authenticating with this certificate. However, this method is not practical for a mobile application, since it requires each client to manage and store the certificate securely.

Option C suggests creating a Redshift read-only access policy in IAM and embedding the corresponding credentials in the application. However, this method is not secure either, because it still requires embedding long-term credentials in the application, even if their permissions are limited to read-only.

Option D suggests using roles that allow a web identity federated user to assume a role that provides temporary credentials with access to the Redshift table. This method is both practical and secure: the application authenticates the user with a provider such as Facebook or Google, then exchanges the provider's identity token for temporary credentials by assuming the role, and those credentials carry only the permissions attached to the role. The application does not need to store any long-term credentials or keys, and the temporary credentials expire after a predetermined time.
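As an added example (not part of the original explanation), the following Python linter checks the two policy documents that make option D safe: the role's trust policy must restrict sts:AssumeRoleWithWebIdentity to a Federated principal with an audience condition, and the permissions policy must avoid wildcards. The sample policies, the Google client ID and the Redshift ARN are constructed placeholders.

```python
import json

# Constructed sample policies (placeholder IDs and ARNs, not from any real account).
WEAK_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": "accounts.google.com"},
    "Action": "sts:AssumeRoleWithWebIdentity"}]})  # no audience condition at all
GOOD_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": "accounts.google.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {"accounts.google.com:aud": "EXAMPLE-APP-CLIENT-ID"}}}]})
WEAK_PERMS = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "redshift:*", "Resource": "*"}]})
GOOD_PERMS = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["redshift:GetClusterCredentials"],
    "Resource": ["arn:aws:redshift:us-east-1:123456789012:dbuser:example-cluster/analytics_ro"]}]})


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def lint_web_identity_role(trust_policy: str, permissions_policy: str) -> list:
    """Return a list of findings for a role that a mobile app assumes via web identity."""
    findings = []
    for stmt in json.loads(trust_policy).get("Statement", []):
        if stmt.get("Effect") != "Allow" or \
                "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        if "Federated" not in stmt.get("Principal", {}):
            findings.append("trust: web identity statement must name a Federated principal")
        # Without an aud/app_id condition, any app registered with the same provider
        # could present a token and assume this role.
        condition = json.dumps(stmt.get("Condition", {}))
        if ":aud" not in condition and ":app_id" not in condition:
            findings.append("trust: no audience/app_id condition on the federated principal")
    for stmt in json.loads(permissions_policy).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"permissions: wildcard action {action}")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append("permissions: Resource is * instead of a specific Redshift ARN")
    return findings


if __name__ == "__main__":
    print(lint_web_identity_role(WEAK_TRUST, WEAK_PERMS))  # three findings
    print(lint_web_identity_role(GOOD_TRUST, GOOD_PERMS))  # []
```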

In conclusion, the best and most secure method for accessing Amazon Redshift tables from a mobile application is to use roles that allow a web identity federated user to assume a role that provides temporary credentials with access to the Redshift table.