A company is building software on AWS that requires access to various AWS services. Which configuration
should be used to ensure that AWS credentials (i.e., Access Key ID/Secret Access Key combination) are not
compromised?
A. Enable Multi-Factor Authentication for your AWS root account.
B. Assign an IAM role to the Amazon EC2 instance.
C. Store the AWS Access Key ID/Secret Access Key combination in software comments.
D. Assign an IAM user to the Amazon EC2 Instance.
Explanation:
http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html
B ?
B
Use roles for applications that run on Amazon EC2 instances
Applications that run on an Amazon EC2 instance need credentials in order to access other AWS services. To provide credentials to the application in a secure way, use IAM roles. A role is an entity that has its own set of permissions, but that isn’t a user or group. Roles also don’t have their own permanent set of credentials the way IAM users do. In the case of Amazon EC2, IAM dynamically provides temporary credentials to the EC2 instance, and these credentials are automatically rotated for you.
Source: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#use-roles-with-ec2
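As an added example (not part of the original thread or of AWS's documentation), the Python below contrasts option C with option B: it scans source text for embedded access key IDs, and it summarizes the temporary credential document that the instance metadata service returns for a role. The function names and both samples are constructed for illustration; `AKIAIOSFODNN7EXAMPLE` is the placeholder key used in AWS documentation.

```python
import json
import re
from datetime import datetime, timezone

# Access key ID prefixes documented by AWS: AKIA = long-term IAM user key,
# ASIA = temporary key issued by STS (what an instance role receives).
KEY_RE = re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b")

def find_embedded_keys(source_text):
    """Return (line_no, key_id, kind) for every access key ID in the text."""
    hits = []
    for line_no, line in enumerate(source_text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            kind = "long-term" if m.group(1) == "AKIA" else "temporary"
            hits.append((line_no, m.group(0), kind))
    return hits

def summarize_role_credentials(doc_json, now):
    """Summarize the credential document the metadata service serves for a role."""
    doc = json.loads(doc_json)
    expires = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    expires = expires.replace(tzinfo=timezone.utc)
    return {
        # Role credentials carry a session token and an expiry; user keys do not.
        "temporary": doc["AccessKeyId"].startswith("ASIA") and bool(doc.get("Token")),
        "seconds_left": int((expires - now).total_seconds()),
    }

# Constructed sample: option C from the question, a key pasted into a comment.
SAMPLE_SOURCE = """\
import boto3
# key: AKIAIOSFODNN7EXAMPLE (secret is in the team wiki)
client = boto3.client("s3")
"""

# Constructed sample of the role credential document (all values are fake).
SAMPLE_ROLE_DOC = json.dumps({
    "Code": "Success",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIACONSTRUCTED00000",
    "SecretAccessKey": "constructed-secret",
    "Token": "constructed-session-token",
    "Expiration": "2024-01-01T18:00:00Z",
})

if __name__ == "__main__":
    print(find_embedded_keys(SAMPLE_SOURCE))
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    print(summarize_role_credentials(SAMPLE_ROLE_DOC, now))
```

A long-term hit from the scanner means a key that stays valid until someone rotates it, while the role document expires on its own and never has to be written into the code base.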
B
AWS credentials (i.e., Access Key ID/Secret Access Key combination) -> replace with roles
I have the same idea. A
Troll
Well ..
spam
Networkmanagers can’t pass the exam even after 100 years.
Forget it, the technology will not exist even, either way.
B is correct
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#use-roles-with-ec2
B is correct. Using API & Secret Keys is a pain and Keys demand periodic rotation for Security Best Practice reasons. AWS introduced IAM Roles for the very same purpose, because IAM Roles allow keyless operations.
I thought B at first but it’s A.
Let’s consider
B. Assign an IAM role to the Amazon EC2 instance.
Note that it’s assigning to an existing instance, which is not possible
You can’t assign a role to an existing instance; you can only specify a role when you launch a new instance.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
So it’s A.
@Fawaad Khan,
Question doesn’t say that instances do exist. The solution is still under planning/building.
Even if it did exist:
1) You can now assign roles to existing instances
2) If you couldn’t, making an AMI of the current config and relaunching with the role is just a scheduled change.
Guess it’s A because he says Access key/secret access key are not compromised….and option B has no need for it, meaning we don’t use Access Key/Secret Access at all…
Even I thought A, but it’s B, as AWS credentials (i.e., Access Key ID/Secret Access Key
combination) are not compromised
A is about user ID and password with MFA
B
B
A should be the answer, if the question is changed slightly
Original question
“A company is building software on AWS that requires access to various AWS services. Which configuration
should be used to ensure that AWS credentials (i.e., Access Key ID/Secret Access Key combination) are not
compromised?”
Changed/updated
“A company is building software on AWS that requires access to various AWS services. Which configuration
should be used to ensure root AWS credentials (i.e., Access Key ID/Secret Access Key combination) are not
compromised?”
B
– Company is building software on AWS – i.e. involvement of EC2, which is better off with ‘Roles’
– various services: roles can be used for various services, which is much more secure
– Enable MFA on your AWS root account (keyword here is root account; how about use of AWS services without root account – it is not ideal to use root account to integrate with other services).
B is the right answer since question is about software on AWS (EC2).
I believe A is the correct answer, since it never asks for any EC2 instance yet. The software build can be installed as an app which can be on Elastic Beanstalk as well. So, ideally we can’t say for sure whether it uses EC2 or Elastic Beanstalk, so the more accurate answer looks like A only.
I do agree with PM, as they didn’t mention that EC2 used that AWS services.
b
We should thank networkmanager. At least he is making sure his answers are not correct and that we should not consider 🙂
He could be right on this. This question talks about securing generated credentials. By enabling MFA you are adding an extra security access to your sensitive resources such as Access Key ID / Secret Keys.
I’d choose A.
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users
Don’t use your AWS root account credentials to access AWS, and don’t give your credentials to anyone else –> A is wrong answer
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#use-roles-with-ec2
B. Assign an IAM role to the Amazon EC2 instance
B
I say B. You should not use the root account for daily operation even if MFA is enabled, so A is not acceptable.
B is correct