How to Secure API Keys for Accessing Data in DynamoDB


Question

Your company has developed a web application and hosted it on an Amazon S3 bucket configured for static content.

The users can log in to this app using their Google/Facebook login accounts.

The application uses the AWS SDK for JavaScript in the browser to access data stored in an Amazon DynamoDB table.

How can you ensure that API keys for access to your data in DynamoDB are secure?

Explanations


Answer - C.

With web identity federation, you don't need to create custom sign-in code or manage your own user identities.

Instead, users of your app can sign in using a well-known identity provider (IdP), such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP, receive an authentication token, and then exchange that token for temporary security credentials in AWS that map to an IAM role with permissions to use the resources in your AWS account.

Using an IdP helps you keep your AWS account secure because you don't have to embed and distribute long-term security credentials with your application.

Option A is incorrect since IAM roles cannot be assigned to S3 buckets.

Options B and D are incorrect since the AWS Access keys should not be used.

For more information on web identity federation, refer to the AWS documentation:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html

The correct answer is C. Configure a web identity federation role within IAM to enable access to the correct DynamoDB resources and retrieve temporary credentials.

Explanation: When an application running in a browser makes AWS service requests, it requires credentials to access those services. Storing AWS access keys within the application is not a secure practice since these keys can be easily compromised. AWS recommends using temporary security credentials obtained through web identity federation for this use case. Web identity federation enables users to sign in to the application using their existing Google/Facebook login accounts, which the application can use to obtain temporary security credentials. These credentials grant the application access to the AWS services and resources specified in the AWS Identity and Access Management (IAM) policy associated with the role.

The steps to implement this solution are:

  1. Create an IAM role: First, you need to create an IAM role that specifies the permissions that the application requires to access the DynamoDB table. You can use the IAM console or the AWS CLI to create this role.

  2. Configure web identity federation: Next, you need to configure web identity federation for the IAM role. This involves creating an identity provider (in this case, Google/Facebook), an application in the provider's console, and configuring the IAM role to trust the provider and allow access to the necessary resources.

  3. Update the application: Finally, you need to update the application code to obtain temporary security credentials from the web identity federation provider and use these credentials to access the DynamoDB table.

Option A is incorrect because creating an S3 role will not provide the necessary permissions to access the DynamoDB table.

Option B is incorrect because configuring S3 bucket tags with AWS access keys is not a secure way to provide access to AWS services.

Option D is incorrect because storing AWS access keys in global variables within the application is not a secure practice since these keys can be easily compromised.