Question

Applications are installed on Amazon EC2 instances in which an IAM role is configured. Which of the following services provides temporary security credentials for the applications to access to other AWS resources?

A. AWS IAM user

B. Amazon Cognito

C. AWS IAM groups

D. AWS STS.

Answer 1

Correct Answer : D.

Applications deployed on Amazon EC2 instance can be provided security credentials using AWS STS, allowing short-term limited period credentials.

With this, there is no need to save credentials in the Amazon EC2 instance.

Options A & C are incorrect as the IAM users & IAM group can create authentication & manage access for users accessing AWS services.

Saving these credentials on EC2 for applications while accessing other AWS resources is against security guidelines.

Option B is incorrect as Amazon Cognito helps to provide user access control for mobile & web apps.

For more information on use cases for AWS STS, refer to the following URL:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html

The correct answer is D. AWS STS.

AWS STS (Security Token Service) is a web service that enables you to request temporary, limited-privilege credentials for AWS services. These temporary credentials can be used to access AWS resources from applications running on Amazon EC2 instances with an IAM role configured.

When a request for temporary credentials is made, STS verifies the identity of the requestor and returns a set of temporary security credentials, including an access key ID, a secret access key, and a security token. The temporary security credentials have limited permissions and a short lifespan, typically one hour, after which they expire and can no longer be used.

The other options are not correct because:

A. AWS IAM user: An IAM user is a permanent identity that you create in AWS to represent a person or application that interacts with AWS services. IAM users have long-term credentials that consist of an access key ID and a secret access key, which do not provide temporary access.

B. Amazon Cognito: Amazon Cognito is a user authentication and authorization service. It does not provide temporary credentials for accessing other AWS resources.

C. AWS IAM groups: An IAM group is a collection of IAM users. Like IAM users, IAM groups have long-term credentials that do not provide temporary access.