in AWS

Your application must write to an SQS queue. Your corporate security policies require that AWS credentials are always encrypted and are rotated at least once a week.

How can you securely provide credentials that allow your application to write to the queue?

1 Answer


Answer - B.

This is clearly mentioned in the AWS Documentation.

IAM Roles for Amazon EC2

Applications must sign their API requests with AWS credentials.

Therefore, if you are an application developer, you need a strategy for managing credentials for your applications that run on EC2 instances.

For example, you can securely distribute your AWS credentials to the instances.

You enable the applications on those instances to use your credentials to sign requests while protecting your credentials from other users.

However, it's challenging to securely distribute credentials to each instance, especially those that AWS creates on your behalf, such as Spot Instances or instances in Auto Scaling groups.

You must also be able to update the credentials on each instance when you rotate your AWS credentials.

We designed IAM roles so that your applications can securely make API requests from your instances without requiring you to manage the security credentials that the applications use.

Instead of creating and distributing your AWS credentials, you can delegate permission to make API requests using IAM roles as follows:

Create an IAM role.

Define which accounts or AWS services can assume the role.

Define which API actions and resources the application can use after assuming the role.

Specify the role when you launch your instance, or attach the role to a running or stopped instance.

Have the application retrieve a set of temporary credentials and use them.

Option A is incorrect because storing the keys in an S3 bucket is not a good practice, and it may cause security issues.

Option C is incorrect because storing the keys in the application could violate security policy.

If the source code for the application is hosted on GitHub, everyone can access the keys.

Option D is incorrect because storing keys as environment variables is unsuitable.

It may cause security issues.

For more information on IAM Roles, please refer to the below URL-

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

Option A, having the application fetch an access key from an Amazon S3 bucket at run time, is not recommended as it requires the application to have access to the AWS credentials, which goes against the corporate security policy of encrypting and rotating credentials.

Option C, embedding the access keys in the application, is also not recommended as this would mean the credentials are visible to anyone who has access to the application code or binary. This would violate the corporate security policy of keeping credentials encrypted.

Option D, creating environment variables in the EC2 instance with the access keys, is not secure as it would allow anyone with access to the EC2 instance to view the credentials. This would violate the corporate security policy of keeping credentials encrypted.

Option B, launching the application's Amazon EC2 instance with an IAM role, is the recommended way to securely provide credentials that allow the application to write to the SQS queue. IAM roles are a secure way to grant permissions to EC2 instances without the need for storing or sharing AWS credentials. IAM roles can be configured to have permissions to write to the SQS queue, and the EC2 instance can automatically obtain temporary credentials from the IAM role at runtime. The credentials obtained by the EC2 instance are rotated regularly, in accordance with the corporate security policy, and are encrypted by default.

Therefore, the correct answer is B, launching the application's Amazon EC2 instance with an IAM role.
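The five-step procedure quoted from the AWS documentation above, carried through in code as an added example (this is not code from the original answer or from AWS): the trust policy (who may assume the role), a least-privilege permissions policy scoped to a single queue, a check that refuses wildcard actions or resources, the IAM/EC2 calls that create and attach the instance profile, and the application-side send that relies on the SDK's default credential chain instead of any stored key. The role name, queue ARN, instance id and the IMDSv2 hardening step are assumptions and additions, not part of the original post; the policy builders and the least-privilege check run offline, while `provision` and `send_to_queue` need boto3 and real AWS access.

```python
import json
from typing import Any

# Placeholders (assumptions, not values from the original post).
ROLE_NAME = "app-sqs-writer"
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:app-queue"


def ec2_trust_policy() -> dict[str, Any]:
    """Step 2: only the EC2 service may assume the role (no user or account principal)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def sqs_writer_policy(queue_arn: str) -> dict[str, Any]:
    """Step 3: the application may send to exactly one queue and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "WriteToAppQueue",
            "Effect": "Allow",
            "Action": ["sqs:SendMessage", "sqs:GetQueueUrl"],
            "Resource": queue_arn,
        }],
    }


def _as_list(v: Any) -> list:
    # IAM accepts a bare string or a list for Action/Resource; normalise to a list.
    return v if isinstance(v, list) else [v]


def check_least_privilege(policy: dict[str, Any]) -> list[str]:
    """Flag Allow statements with wildcard actions or resources; [] means clean."""
    problems: list[str] = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        if any(a == "*" or a.endswith(":*") for a in _as_list(st.get("Action", []))):
            problems.append(f"{sid}: wildcard action")
        if any(r == "*" for r in _as_list(st.get("Resource", []))):
            problems.append(f"{sid}: wildcard resource")
    return problems


def provision(instance_id: str, role_name: str = ROLE_NAME, queue_arn: str = QUEUE_ARN) -> None:
    """Steps 1 to 4 against AWS: create the role, inline policy and instance profile,
    then attach the profile to a running or stopped instance.
    Needs boto3 and administrator credentials; imported lazily so the rest works offline."""
    import boto3

    perms = sqs_writer_policy(queue_arn)
    if problems := check_least_privilege(perms):
        raise ValueError(f"refusing over-broad policy: {problems}")
    iam = boto3.client("iam")
    iam.create_role(RoleName=role_name,
                    AssumeRolePolicyDocument=json.dumps(ec2_trust_policy()))
    iam.put_role_policy(RoleName=role_name, PolicyName="sqs-write",
                        PolicyDocument=json.dumps(perms))
    iam.create_instance_profile(InstanceProfileName=role_name)
    iam.add_role_to_instance_profile(InstanceProfileName=role_name, RoleName=role_name)
    ec2 = boto3.client("ec2")
    ec2.associate_iam_instance_profile(IamInstanceProfile={"Name": role_name},
                                       InstanceId=instance_id)
    # Added hardening (assumption, not from the post): require IMDSv2 so an SSRF bug
    # in the app cannot fetch the role credentials with one unauthenticated GET
    # to 169.254.169.254.
    ec2.modify_instance_metadata_options(InstanceId=instance_id, HttpTokens="required")


def send_to_queue(queue_url: str, body: str) -> str:
    """Step 5, inside the application: no keys anywhere. The SDK's default chain
    fetches short-lived role credentials from instance metadata and refreshes them."""
    import boto3

    session = boto3.Session()
    creds = session.get_credentials()
    # botocore labels credentials obtained from instance metadata as "iam-role";
    # temporary credentials always carry a session token. Fail closed otherwise:
    # a static key picked up from env vars or a file means the policy is bypassed.
    if creds is None or creds.method != "iam-role" or not creds.token:
        raise RuntimeError(f"expected instance-role credentials, got {getattr(creds, 'method', None)}")
    resp = session.client("sqs").send_message(QueueUrl=queue_url, MessageBody=body)
    return resp["MessageId"]
```

`check_least_privilege` is the review gate a practitioner wants before `put_role_policy`: it rejects `sqs:*` and `Resource: "*"`, which are the usual way an "EC2 role" quietly turns into an account-wide key. Newly created instance profiles take a few seconds to become visible to EC2, so a real deployment should retry `associate_iam_instance_profile` on `InvalidParameterValue`. The guard in `send_to_queue` is what makes the weekly-rotation requirement auditable at runtime: if the process ever finds a long-lived key in its environment, it stops rather than silently using it.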

...