A user has created a mobile application which makes calls to DynamoDB to fetch certain data.
The application is using the DynamoDB SDK and root account access/secret access key to
connect to DynamoDB from mobile. Which of the below mentioned statements is true with respect
to the best practice for security in this scenario?
A.
The user should create a separate IAM user for each mobile application and provide
DynamoDB
access with it
B.
The user should create an IAM role with DynamoDB and EC2 access. Attach the role with EC2
and
route all calls from the mobile through EC2
C.
The application should use an IAM role with web identity federation which validates calls to
DynamoDB with identity providers, such as Google, Amazon, and Facebook
D.
Create an IAM Role with DynamoDB access and attach it with the mobile application
Explanation:
With AWS IAM a user is creating an application which runs on an EC2 instance and makes
requests to AWS, such as DynamoDB or S3 calls. Here it is recommended that the user should
not create an IAM user and pass the user’s credentials to the application or embed those
credentials inside the application. If the user is creating an app that runs on a mobile phone and
makes requests to AWS, the user should not create an IAMuser and distribute the user’s access
key with the app. Instead, he should use an identity provider, such as Login with Amazon,
Facebook, or Google to authenticate the users, and then use that identity to get temporary security
credentials.
C
C