Question
A company is setting up AWS Identity and Access Management (IAM) on an AWS account.
Which recommendation complies with IAM security best practices?
A. Use the account root user access keys for administrative tasks.
B. Grant broad permissions so that all company employees can access the resources they need.
C. Turn on multi-factor authentication (MFA) for added security during the login process.
D. Avoid rotating credentials to prevent issues in production applications.
Answer
C. Turn on multi-factor authentication (MFA) for added security during the login process.
Explanation
The correct answer is option C: Turn on multi-factor authentication (MFA) for added security during the login process.
Explanation: AWS Identity and Access Management (IAM) is a service that helps you manage access to AWS resources securely. When setting up IAM on an AWS account, it is important to follow security best practices to ensure the protection of your resources and data.
Let’s go through each option and explain why option C is the correct recommendation:
A. Use the account root user access keys for administrative tasks: Using the account root user access keys for administrative tasks is not recommended. The root user has full access to all resources in the AWS account, and using its access keys for day-to-day administrative tasks can pose a security risk. It is best practice to create individual IAM users with appropriate permissions and use those users for administrative tasks instead.
B. Grant broad permissions so that all company employees can access the resources they need: Granting broad permissions to all company employees is not a recommended practice. It is important to adhere to the principle of least privilege, which means granting only the minimum permissions necessary for users to perform their required tasks. Giving broad permissions increases the risk of unauthorized access and potential security breaches.
C. Turn on multi-factor authentication (MFA) for added security during the login process: Enabling multi-factor authentication (MFA) is an essential security measure. MFA adds an extra layer of protection to the login process by requiring users to provide two or more pieces of evidence to verify their identity. This typically involves something the user knows (password) and something the user possesses (such as a mobile device or hardware token). Enabling MFA significantly reduces the risk of unauthorized access, even if a user’s password is compromised.
D. Avoid rotating credentials to prevent issues in production applications: Rotating credentials at regular intervals is considered a best practice for security. Regularly changing passwords and access keys helps mitigate the risk of unauthorized access, especially in the event of a credentials compromise. Avoiding credential rotation can lead to increased vulnerability to attacks and potential issues in production applications.
In conclusion, the recommended action that complies with IAM security best practices is to turn on multi-factor authentication (MFA) for added security during the login process (option C). This strengthens the authentication process and reduces the risk of unauthorized access.
Reference
- Security best practices in IAM – AWS Identity and Access Management (amazon.com)
- Security best practices and use cases in AWS Identity and Access Management – AWS Identity and Access Management (amazon.com)
- AWS Identity and Access Management (IAM) Best Practices – Amazon Web Services
Amazon AWS Certified Cloud Practitioner certification exam practice question and answer (Q&A) dump with detail explanation and reference available free, helpful to pass the Amazon AWS Certified Cloud Practitioner exam and earn Amazon AWS Certified Cloud Practitioner certification.
