You are designing a photo sharing mobile app. The application will store all pictures in a single Amazon S3
bucket.
Users will upload pictures from their mobile device directly to Amazon S3 and will be able to view and
download their own pictures directly from Amazon S3.
You want to configure security to handle potentially millions of users in the most secure manner possible.
What should your server-side application do when a new user registers on the photo-sharing mobile
application?
A.
Create a set of long-term credentials using AWS Security Token Service with appropriate permissions. Store
these credentials in the mobile app and use them to access Amazon S3.
B.
Record the user’s information in Amazon RDS and create a role in IAM with appropriate permissions. When
the user uses their mobile app, create temporary credentials using the AWS Security Token Service
‘AssumeRole’ function. Store these credentials in the mobile app’s memory and use them to access Amazon S3.
Generate new credentials the next time the user runs the mobile app.
C.
Record the user’s information in Amazon DynamoDB. When the user uses their mobile app, create
temporary credentials using AWS Security Token Service with appropriate permissions. Store these credentials
in the mobile app’s memory and use them to access Amazon S3. Generate new credentials the next time the
user runs the mobile app.
D.
Create an IAM user. Assign appropriate permissions to the IAM user. Generate an access key and secret key for
the IAM user, store them in the mobile app and use these credentials to access Amazon S3.
E.
Create an IAM user. Update the bucket policy with appropriate permissions for the IAM user. Generate an
access key and secret key for the IAM user, store them in the mobile app and use these credentials to access
Amazon S3.
c
Answer is B.
Although C sounds correct, something is missing: how is the Mobile App able to authenticate against STS?
Answer is B
We can use either RDS or DynamoDB; however, in our given answers, the IAM role is mentioned only with RDS, so I would go with Answer B. The question was explicitly focused on security, so IAM with RDS is the best choice.
I agree with this answer!
B: RDS with IAM Role “Assume Role” is the key
B
A. Incorrect, STS should only provide short-term credentials, not long-term credentials. If you want long-term credentials (which you probably would not for a mobile app scenario such as this!), you’d have to use IAM users.
B. This one could work on paper. There’s just one technicality that would cause me to question whether it would work in practice. The question is asking what procedure you should follow *every time a new user signs up*. Part of the procedure for B is, after you record the new user’s info in the DB, you then create an IAM role for that user. If you are truly following this procedure every time a new user signs up, this may not scale very well, because you are limited to 250 IAM roles per AWS account. While you can request an increase from AWS, the question says there could potentially be “millions of users” involved here. I am seriously doubting AWS would grant an exception for you to create millions of roles, one per mobile user, if their default limit is to cut you off at 250. They’re going to want to steer you toward a more scalable solution.
D and E. These are looking bad for scalability reasons, too. AWS is probably not going to let you create an individual IAM user for each of potentially millions of mobile users signing into your app. The default limit is 5000 IAM users per AWS account. They might grant an exception to raise that a little, but not for millions I am guessing. They’d want you to try a different approach with your app.
So with all other choices ruled out, that leaves C…
C. Manu and Srinivasu pointed out that C doesn’t mention anything about assuming a role, which you’d need to do, and they are both absolutely right. I am guessing that the author of this answer was being intentionally vague, and left out key details so as to disguise the answer so we would not immediately recognize this answer for what it is. If I’m reading it correctly, it’s hinting at a solution using Cognito, which is specifically made to handle authentication at web-scale, with millions of users. You use a web federation / OpenID partner to authenticate the user, and then Cognito presents the unique identifier for that user. You can create an S3 bucket with that unique identifier as a prefix in its name, then store the unique identifier, along with the new user’s submitted information, in DynamoDB. Cognito can call STS for temporary credentials for that user, using AssumeRoleWithWebIdentity, which will assume a pre-staged IAM role. You don’t need a unique IAM role per user (as is indicated in choice B), you can just stage a role in advance with a policy which will use that identity string as a variable granting them access to the S3 bucket containing that identity string in its name. (For more info: http://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html under the “S3 Prefix” section).
So I’m thinking the answer could be C. I’m not happy that I have to assume a lot about what is happening, but which is not stated in that answer. An answer about a procedure should actually describe the steps that are happening in that procedure, especially if there are similar steps in procedures described in other answer choices, but omitted from this one. But all four other answers appear to be incorrect, and C would work, if you make those assumptions about what is not being stated. I am guessing the author intentionally avoided mentioning “Cognito” because then everyone would immediately jump to that answer as a potentially correct answer since this involves a mobile app.
All in all, I’m thinking these answer choices should be rewritten to be more clearly correct or incorrect, without having to make assumptions, especially B and C.
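Worked example of the single pre-staged role Kirrim describes (added here; not code from the thread or from AWS): the role’s permission policy uses the `${cognito-identity.amazonaws.com:sub}` policy variable so every federated user is confined to their own prefix inside the one bucket, with no per-user role. The bucket name and identity ids are made up, and `is_allowed` is a deliberately simplified model of IAM evaluation used only to show the scoping, not the real IAM engine.

```python
import fnmatch

BUCKET = "photo-app-bucket"  # assumed bucket name (not from the thread)
SUB_VAR = "${cognito-identity.amazonaws.com:sub}"  # IAM policy variable

# Permission policy attached once to the pre-staged role. IAM substitutes the
# variable with the caller's Cognito identity id at request time, so a single
# role serves millions of users while each sees only its own prefix.
PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{BUCKET}"],
            "Condition": {"StringLike": {"s3:prefix": [f"{SUB_VAR}/*"]}},
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": [f"arn:aws:s3:::{BUCKET}/{SUB_VAR}/*"],
        },
    ],
}


def is_allowed(sub: str, action: str, key: str) -> bool:
    """Simplified model of IAM evaluation for object-level requests.

    Substitute the policy variable with the caller's identity id, then look
    for an Allow statement whose Action and Resource pattern match. There are
    no Deny statements in this policy, so anything unmatched is implicitly
    denied (the IAM default). Real IAM has more rules; this covers only the
    prefix-scoping behaviour being illustrated.
    """
    resource = f"arn:aws:s3:::{BUCKET}/{key}"
    for stmt in PERMISSION_POLICY["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        for pattern in stmt["Resource"]:
            # '*' in IAM resource patterns matches any characters, like fnmatch
            if fnmatch.fnmatchcase(resource, pattern.replace(SUB_VAR, sub)):
                return True
    return False


if __name__ == "__main__":
    me, other = "us-east-1:1111", "us-east-1:2222"  # constructed identity ids
    print(is_allowed(me, "s3:PutObject", f"{me}/beach.jpg"))     # True
    print(is_allowed(me, "s3:GetObject", f"{other}/beach.jpg"))  # False
```

The same variable can be used in a bucket policy instead of a role policy, but keeping it on the role is what lets one role cover every Cognito identity.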
I agree with your assessment. The question specifically states: “What should your server-side application do when a new user registers on the photo-sharing mobile application?” You can’t create a role every time you get a new user, so B is not correct. Although C seems to omit some details, it’s the closest to correct.
Thanks.
Hi Kirrim,
As per your answer, B is wrong. But we don’t need multiple IAM roles. We need to create a single IAM Role. Please refer to the link below.
http://jayendrapatil.com/tag/iam-role/
Thank you
C is the right answer. Kirrim did the perfect analysis.
See documentation here:
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html
The following are the default maximums for IAM entities:
Groups in an AWS account: 100
Users in an AWS account: 5000
If you need to add a large number of users, consider using temporary security credentials. For more information about temporary security credentials, go to Temporary Security Credentials.
Roles in an AWS account: 250
+1