PrepAway - Latest Free Exam Questions & Answers

Which of the below mentioned statements is true with re…

A user has created an application that will be hosted on EC2. The application makes calls to DynamoDB to fetch certain
data, using the DynamoDB SDK to connect from the EC2 instance. Which of the statements below is true with respect to
the security best practice in this scenario?


A. The user should attach an IAM role with DynamoDB access to the EC2 instance.

B. The user should create an IAM user with DynamoDB access and use its credentials within the application to connect with DynamoDB.

C. The user should create an IAM role which has EC2 access so that it will allow deploying the application.

D. The user should create an IAM user with DynamoDB and EC2 access, and attach the user to the application so that it does not use the root account credentials.

Explanation:
In AWS IAM, when an application running on an EC2 instance makes requests to AWS services such as DynamoDB or S3, the
recommended practice is not to create an IAM user and pass that user's long-term credentials to the application or embed
them inside it. Instead, the user should create an IAM role for EC2, grant that role access to DynamoDB/S3, and attach it
to the instance. The attached role supplies temporary security credentials to the application hosted on that instance,
which it uses to connect to DynamoDB/S3, so no long-term keys have to be stored or rotated by hand.

5 Comments on “Which of the below mentioned statements is true with re…

  1. OscarG says:

    Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances

    Applications that run on an EC2 instance must include AWS credentials in their AWS API requests. You could have your developers store AWS credentials directly within the EC2 instance and allow applications in that instance to use those credentials. But developers would then have to manage the credentials and ensure that they securely pass the credentials to each instance and update each EC2 instance when it’s time to rotate the credentials. That’s a lot of additional work.

    Instead, you can and should use an IAM role to manage temporary credentials for applications that run on an EC2 instance. When you use a role, you don’t have to distribute long-term credentials to an EC2 instance. Instead, the role supplies temporary permissions that applications can use when they make calls to other AWS resources. When you launch an EC2 instance, you specify an IAM role to associate with the instance. Applications that run on the instance can then use the role-supplied temporary credentials to sign API requests.

    Using roles to grant permissions to applications that run on EC2 instances requires a bit of extra configuration. An application running on an EC2 instance is abstracted from AWS by the virtualized operating system. Because of this extra separation, an additional step is needed to assign an AWS role and its associated permissions to an EC2 instance and make them available to its applications. This extra step is the creation of an instance profile that is attached to the instance. The instance profile contains the role and can provide the role’s credentials to an application that runs on the instance. Those credentials can then be used in the application’s API calls to access resources and to limit access to only those resources that the role specifies. Note that only one role can be assigned to an EC2 instance at a time, and all applications on the instance share the same role and permissions.

    Using roles in this way has several benefits. Because role credentials are temporary and rotated automatically, you don’t have to manage credentials, and you don’t have to worry about long-term security risks. In addition, if you use a single role for multiple instances, you can make a change to that one role and the change is propagated automatically to all the instances.

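The following Python is an added example, not code from the PrepAway page, from OscarG's comment, or from AWS itself. It shows both halves of the recommendation made in the explanation and in the comment above: the trust policy and a least-privilege DynamoDB permission policy that go on the role placed in the instance profile (the table ARN is a hypothetical placeholder), and a small scanner a reviewer can run over application source to flag the anti-pattern in options B and D, long-term IAM user keys embedded in the application. The sample config it scans is constructed for the example and uses the key pair that AWS's own documentation uses as a placeholder.

```python
import json
import re

# Trust policy (real AWS policy syntax): lets the EC2 service assume the role.
# The role is then placed in an instance profile that is attached to the instance.
def ec2_trust_policy() -> dict:
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }

# Permission policy scoped to read-only actions on a single table.
# The ARN passed in is a hypothetical placeholder, not a real table.
def dynamodb_read_policy(table_arn: str) -> dict:
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query"],
            "Resource": table_arn,
        }],
    }

# IAM long-term access key IDs are 20 characters starting with "AKIA";
# the matching secret key is 40 base64-style characters.
ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
)

def find_embedded_credentials(source: str) -> list:
    """Return one finding per long-term credential embedded in app source/config."""
    findings = []
    for m in ACCESS_KEY_RE.finditer(source):
        findings.append(f"access key id at offset {m.start()}")
    for m in SECRET_KEY_RE.finditer(source):
        findings.append(f"secret key at offset {m.start(1)}")
    return findings

# Constructed sample of the anti-pattern (option B): long-term keys in the app.
# These two values are the placeholder pair from AWS documentation, not live keys.
SAMPLE_APP_CONFIG = """
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DYNAMODB_TABLE = "orders"
"""

# Constructed sample of the recommended pattern (option A): no keys in the app,
# the SDK obtains the role's temporary credentials from the instance itself.
SAMPLE_ROLE_CONFIG = """
AWS_DEFAULT_REGION = "us-east-1"
DYNAMODB_TABLE = "orders"
"""

if __name__ == "__main__":
    print(json.dumps(ec2_trust_policy(), indent=2))
    print(json.dumps(dynamodb_read_policy(
        "arn:aws:dynamodb:us-east-1:123456789012:table/orders"), indent=2))
    print("embedded keys:", find_embedded_credentials(SAMPLE_APP_CONFIG))  # 2 findings
    print("role-based config:", find_embedded_credentials(SAMPLE_ROLE_CONFIG))  # []
```

With the role attached, the application code needs no credential handling at all: the AWS SDKs' default credential provider chain (boto3 included) finds the role's temporary credentials through the instance metadata service and refreshes them before they expire, which is exactly why a scan of the role-based config above comes back empty.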
