
Amazon SAA-C03: How to Securely Grant On-Premises Application Access to Amazon S3 Using IAM Roles Anywhere?

Learn how to use AWS IAM Roles Anywhere to securely grant temporary access to an Amazon S3 bucket containing sensitive data files for an on-premises application running on virtual machines. Discover the best practices for configuring IAM Identity Center and assuming roles using the AWS CLI.


Question

A company has an Amazon S3 bucket that contains sensitive data files. The company has an application that runs on virtual machines in an on-premises data center. The company currently uses AWS IAM Identity Center.

The application requires temporary access to files in the S3 bucket. The company wants to grant the application secure access to the files in the S3 bucket.

Which solution will meet these requirements?

A. Create an S3 bucket policy that permits access to the bucket from the public IP address range of the company’s on-premises data center.
B. Use IAM Roles Anywhere to obtain security credentials in IAM Identity Center that grant access to the S3 bucket. Configure the virtual machines to assume the role by using the AWS CLI.
C. Install the AWS CLI on the virtual machine. Configure the AWS CLI with access keys from an IAM user that has access to the bucket.
D. Create an IAM user and policy that grants access to the bucket. Store the access key and secret key for the IAM user in AWS Secrets Manager. Configure the application to retrieve the access key and secret key at startup.

Answer

B. Use IAM Roles Anywhere to obtain security credentials in IAM Identity Center that grant access to the S3 bucket. Configure the virtual machines to assume the role by using the AWS CLI.

Explanation

The correct solution is to use AWS IAM Roles Anywhere to obtain temporary security credentials from IAM Identity Center (formerly known as AWS Single Sign-On) and grant access to the Amazon S3 bucket. Here’s why this is the best approach:

1. IAM Roles Anywhere allows you to use IAM roles with resources outside of AWS, such as on-premises workloads or virtual machines in other clouds. This enables secure access to AWS resources without the need to manage long-term access keys.

2. By obtaining temporary security credentials from IAM Identity Center, the on-premises application can assume the IAM role and gain access to the S3 bucket for a limited time. The temporary credentials automatically expire, reducing the risk of unauthorized access.

3. Configuring the virtual machines to assume the role using the AWS CLI ensures that the application securely retrieves the necessary credentials without storing them locally, minimizing the risk of credential exposure.

The other options have the following drawbacks:

Option A: A bucket policy that permits access from the public IP range of the on-premises data center is not secure: source IP addresses can be spoofed, and a network-range condition cannot distinguish the application from any other host behind that range, so it provides no granular access control.

Option C: Installing the AWS CLI with access keys from an IAM user grants long-term access and requires managing and rotating the access keys, which is less secure and more cumbersome than using temporary credentials.

Option D: Storing the access key and secret key in AWS Secrets Manager and retrieving them at startup still involves managing long-term credentials and increases the risk of exposure if not implemented securely.

In summary, using IAM Roles Anywhere with IAM Identity Center provides the most secure and manageable solution for granting temporary access to the S3 bucket from the on-premises application.
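To make the explanation concrete, here is an added example (not code from the original page or from AWS) of the pieces behind option B and of the anti-pattern in options C and D. It assumes a private CA certificate already registered as the Roles Anywhere trust anchor (its CreateTrustAnchor source JSON at ./trust-anchor-source.json), the credential helper at /usr/local/bin/aws_signing_helper, and the placeholder account id, bucket name, ARN ids and certificate paths shown; nothing is created unless the script is run with `apply`.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: the artefacts behind "use IAM Roles
# Anywhere and assume the role with the AWS CLI". All IDs, paths and names are
# placeholders; run with "apply" (and real values) to create the role and profile.
set -eu
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"      # placeholder account id
BUCKET="${BUCKET:-example-sensitive-files}"   # placeholder bucket name
ROLE_NAME="OnPremAppS3Reader"
TRUST_ANCHOR_ARN="arn:aws:rolesanywhere:us-east-1:${ACCOUNT_ID}:trust-anchor/TRUST_ANCHOR_ID"
PROFILE_ARN="arn:aws:rolesanywhere:us-east-1:${ACCOUNT_ID}:profile/PROFILE_ID"
ROLE_ARN="arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}"
# Role trust policy: only the Roles Anywhere service may assume the role, only via
# our trust anchor, and only for a certificate whose Subject CN names the app.
trust_policy() {
cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Principal":{"Service":"rolesanywhere.amazonaws.com"},
 "Action":["sts:AssumeRole","sts:TagSession","sts:SetSourceIdentity"],
 "Condition":{"ArnEquals":{"aws:SourceArn":"${TRUST_ANCHOR_ARN}"},
              "StringEquals":{"aws:PrincipalTag/x509Subject/CN":"onprem-app"}}}]}
EOF
}
# Permissions policy: read-only and scoped to the one bucket, no wildcards.
permissions_policy() {
cat <<EOF
{"Version":"2012-10-17","Statement":[
 {"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::${BUCKET}"},
 {"Effect":"Allow","Action":"s3:GetObject","Resource":"arn:aws:s3:::${BUCKET}/*"}]}
EOF
}
# ~/.aws/config stanza for the VM: no access keys; the CLI invokes the Roles Anywhere
# credential helper, which signs a request with the cert and gets short-lived creds.
cli_profile() {
cat <<EOF
[profile onprem-app]
credential_process = /usr/local/bin/aws_signing_helper credential-process --certificate /etc/app/app.crt --private-key /etc/app/app.key --trust-anchor-arn ${TRUST_ANCHOR_ARN} --profile-arn ${PROFILE_ARN} --role-arn ${ROLE_ARN} --session-duration 900
region = us-east-1
EOF
}
# Detects the option C / D anti-pattern: long-term keys written into a config file.
uses_static_keys() { grep -Eq '^[[:space:]]*aws_(access_key_id|secret_access_key)[[:space:]]*='; }
if [ "${1:-}" = "apply" ]; then   # assumes admin credentials and ./trust-anchor-source.json
  aws rolesanywhere create-trust-anchor --name onprem-ca --enabled \
    --source file://trust-anchor-source.json
  aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document "$(trust_policy)"
  aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name s3-read --policy-document "$(permissions_policy)"
  aws rolesanywhere create-profile --name onprem-app --enabled --role-arns "$ROLE_ARN"
  cli_profile >> ~/.aws/config && aws s3 ls "s3://${BUCKET}" --profile onprem-app
fi
```

The `--session-duration 900` keeps each credential set alive for only fifteen minutes, and the CLI re-runs the helper transparently when it expires, which is the "temporary access" the question asks for.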
