Security

1. A developer is building a Python application that runs on a local workstation and needs to read objects from an Amazon S3 bucket. What is the most secure way to authenticate the application with AWS services?

• A.Embed long-term IAM user access keys directly within the application's source code before deploying it.
• B.Create an IAM user, generate access keys, and store them securely in the local ~/.aws/credentials file.✓ Correct
• C.Assign an IAM role directly to the local workstation using the AWS Management Console to grant permissions.
• D.Create a resource-based policy on the S3 bucket that allows anonymous access from the developer's IP address.

2. An organization wants to grant a new team of developers permissions to manage AWS DynamoDB tables. What is the AWS-recommended approach for assigning these permissions?

• A.Attach an inline policy granting DynamoDB access directly to each individual developer's IAM user account.
• B.Create a single IAM user with DynamoDB permissions and share the credentials among all developers on the team.
• C.Create an IAM group, attach a managed policy for DynamoDB access to the group, and add the developers' IAM users to this group.✓ Correct
• D.Store AWS root user credentials in a secure vault and require developers to use them for DynamoDB management tasks.

3. A user in AWS Account A needs to temporarily access resources located in AWS Account B. Which AWS Security Token Service (STS) API operation should the user call to obtain the necessary credentials?

• A.Call the GetSessionToken API to retrieve temporary credentials that belong to the user's current IAM identity.
• B.Call the GetFederationToken API to request temporary credentials for a federated user from an external identity provider.
• C.Call the AssumeRole API to obtain temporary security credentials that grant permissions associated with a role in Account B.✓ Correct
• D.Call the GetAccessKeyInfo API to retrieve the long-term access key ID and secret access key for an IAM user in Account B.

4. An administrator enforces multi-factor authentication (MFA) for all API calls. A developer needs to run a CLI script that requires MFA authentication. How can the developer obtain the necessary credentials to run the script?

• A.Execute the script using the standard long-term IAM access keys, as the CLI automatically prompts for an MFA code during execution.
• B.Use the STS GetSessionToken API operation, passing the MFA device serial number and a time-based one-time password (TOTP).✓ Correct
• C.Use the STS AssumeRole API operation and provide the MFA device serial number to bypass the long-term credential requirement.
• D.Disable the MFA requirement temporarily in the IAM console, run the script, and then re-enable the MFA requirement afterward.

5. An application running on an Amazon EC2 instance needs to upload log files to an Amazon S3 bucket. What is the most secure method for providing the application with the required AWS credentials?

• A.Hardcode the IAM user's secret access key and access key ID within the application configuration files.
• B.Store the IAM user's credentials in an encrypted text file on the EC2 instance's root Amazon EBS volume.
• C.Attach an IAM role to the EC2 instance using an instance profile, allowing the application to retrieve temporary credentials.✓ Correct
• D.Pass the long-term IAM credentials to the application at startup via EC2 user data to ensure they are available.