An AWS customer is deploying a web application composed of a front end running on Amazon EC2 and confidential data stored on Amazon S3.
Click on the arrows to vote for the correct answer
A. B. C. D.Answer - A.
Option A is CORRECT because the access to the sensitive data on Amazon S3 is only given to the authenticated users.
Option B is incorrect because S3 doesn't integrate directly with CloudHSM.
Also, there is no centralized access management system control.
Option C is incorrect because this is an incorrect workflow of the use of SAML.
It does not mention if the centralized access management system is a SAML complaint.
Option D is incorrect because, with this configuration, the web team would have access to the sensitive data on S3.
For more information on STS, please refer to the URL-
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.htmlThe scenario described in this question involves a web application consisting of a front end on Amazon EC2 and confidential data stored on Amazon S3. The task is to secure the system architecture while allowing only authorized users to access the data stored on Amazon S3.
Answer A suggests configuring the web application to authenticate end-users against the centralized access management system. Trusted users are then given temporary STS tokens that allow them to download approved data directly from Amazon S3. This solution uses the AWS Security Token Service (STS) to grant temporary, limited-privilege credentials to trusted users. This ensures that only authorized users have access to the confidential data on Amazon S3.
Answer B suggests encrypting the data stored on Amazon S3 using a CloudHSM operated by a separate security team. The web application is configured to integrate with the CloudHSM for decrypting approved data access operations for trusted end-users. CloudHSM provides secure and centralized key management for encrypting and decrypting data. In this solution, the security team manages the keys used for encryption and decryption, and the web application team can only access the data with authorized decryption operations.
Answer C suggests configuring the web application to authenticate end-users against the centralized access management system using SAML. End-users authenticate to IAM using their SAML token and can download approved data directly from Amazon S3. This solution uses Security Assertion Markup Language (SAML) to enable users to authenticate with AWS Identity and Access Management (IAM). SAML provides a secure and standardized way of exchanging authentication and authorization data between parties.
Answer D suggests having a separate security team create an IAM Role entitled to access the data on Amazon S3. The web application team provisions their instances with this Role, while their IAM users are denied access to the data on Amazon S3. This solution uses IAM Roles to grant permissions to access the data on Amazon S3. By denying access to the IAM users, this solution ensures that only authorized instances can access the data on Amazon S3.
In summary, all the answers provide solutions for securing the architecture while allowing only authorized users to access the confidential data stored on Amazon S3. The best solution depends on the specific requirements and constraints of the scenario.