Securing SDK Interactions with AWS Services | Exam DVA-C01 Preparation

Best Practices for Securely Interacting with AWS Services using SDKs

Prev Question Next Question

Question

You've just started developing an application on your On-premise network.

This application will interact with the Simple Storage Service and some DynamoDB tables.

As the developer, how would you ensure that your SDK can interact with the AWS services on the cloud in the most secure manner?

Answers

A. Create an IAM Role with the required permissions and add it to your workstation.

B. Create an IAM Role with the required permissions and make a call to the STS service.

C. Create an IAM User, generate access keys, then use them from within your program.

D. Create an IAM User, generate a security token, and use the Security Token from within your program.

Show Answer

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Answer - B.

An IAM role can be created to ensure the SDK can interact with AWS services on the cloud.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html

Option A is incorrect because an on-premise workstation should not use IAM Roles.

Option C is incorrect because IAM User should not be used in this scenario because the question is asking for the most secure option here.

Option D is incorrect since we should not generate a security token to interact with the various AWS services during the development phase.

For more information on the usage of credentials in AWS, please refer to the below link-

https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

Using temporary security credentials with the AWS SDKs

To use temporary security credentials in code, you programmatically call an AWS STS API like AssumeRole and extract the resulting credentials and
session token. You then use those values as credentials for subsequent calls to AWS. The following example shows pseudocode for how to use
temporary security credentials if you're using an AWS SDK:

assumeRoleResult = AssumeRole(roLe-arn);

tempCredentials = new Sessionawscredentials(
assumeRoleResult .AccessKeyld,
assumeRoleResult .SecretAccessKey,
assumeRoleResult. SessionToken) ;

s3Request = CreateAmazonS3Client (tempCredentials) ;

For an example written in Python (using the AWS SDK for Python (Boto) &), see Switching to an IAM role (AWS API). This example shows how to call
AssumeRole to get temporary security credentials and then use those credentials to make a call to Amazon S3.

For details about how to call AssumeRole, GetFederationToken, and other API operations, see the AWS Security Token Service API Reference. For
information on getting the temporary security credentials and session token from the result, see the documentation for the SDK that you're working
with. You can find the documentation for all the AWS SDKs on the main AWS documentation page &, in the SDKs and Toolkits section.

You must make sure that you get a new set of credentials before the old ones expire. In some SDKs, you can use a provider that manages the
process of refreshing credentials for you; check the documentation for the SDK you're using.

As a developer, you can ensure that your SDK interacts with AWS services in a secure manner by using the AWS Identity and Access Management (IAM) service. IAM enables you to create and manage AWS users, groups, and roles and define their permissions to access AWS resources.

Option A: Creating an IAM Role with the required permissions and adding it to your workstation is not recommended as it could compromise the security of your AWS account.

Option B: Creating an IAM Role with the required permissions and making a call to the Security Token Service (STS) is a better approach. STS provides temporary security credentials that you can use to access AWS resources. You can assume an IAM Role and obtain temporary security credentials to interact with AWS services. By using STS, you can reduce the risk of exposing long-term access keys, which can be easily compromised.

Option C: Creating an IAM User and generating access keys, then using them from within your program is also not recommended as the access keys can be easily compromised. It is recommended to use IAM Roles and temporary security credentials to access AWS resources instead of IAM Users and long-term access keys.

Option D: Creating an IAM User, generating a security token, and using the Security Token from within your program is not a recommended approach as it requires you to manage the security token, which can be a cumbersome process. It is recommended to use STS to obtain temporary security credentials instead.

Therefore, the correct answer is B. Create an IAM Role with the required permissions and make a call to the STS service.

Prev Question Next Question