A developer is designing a mobile game application relying on some AWS serverless services.
To access these services, requests must be signed with an AWS access key.
Among recommended approaches, which one is the most appropriate in this sort of scenario?
A. Embed or distribute long-term AWS credentials that a user downloads to an encrypted store.
B. Use Amazon Cognito which acts as an identity broker to implement web identity federation.
C. Write code that interacts with a web identity provider and trades the authentication token for AWS temporary security credentials.
D. Use federation and AWS IAM to enable single sign-on (SSO) to your AWS root accounts.

Correct Answer: B.
For best results, it is recommended that you use Amazon Cognito as your identity broker for almost all web identity federation scenarios.
Incorrect Answers:
Option A is incorrect because it is strongly recommended that you do not embed or distribute long-term AWS credentials with apps that users download to a device, even in an encrypted store.
Using a web identity provider helps you keep your AWS account secure, because you don't have to embed and distribute long-term security credentials with your application.
Option C is incorrect because the best approach here is using Amazon Cognito.
If you don't use Amazon Cognito, you must write code that interacts with a web identity provider, such as Facebook, and then calls the AssumeRoleWithWebIdentity API to trade the authentication token you get from those web identity providers for AWS temporary security credentials.
Option D is incorrect because it does not make sense: it refers to single sign-on to AWS root accounts.
References:
https://amzn.to/2TAAGDd
https://amzn.to/3d0zQr7

In a scenario where a mobile game application relies on AWS serverless services, requests must be signed with an AWS access key. To handle this, the developer must choose a recommended approach that provides security while also allowing users to access the services seamlessly.
Let's examine the options provided:
A. Embed or distribute long-term AWS credentials that a user downloads to an encrypted store.
Embedding long-term AWS credentials into a mobile application poses a significant security risk. If the application is compromised, the credentials can be stolen and used to gain access to AWS resources. Distributing long-term credentials for users to download into an encrypted store also poses a risk, because it is difficult to ensure that the store remains encrypted and secure.
B. Use Amazon Cognito which acts as an identity broker to implement web identity federation.
Amazon Cognito is a managed service that enables developers to add user sign-up, sign-in, and access control to mobile and web applications. It acts as an identity broker that authenticates users through various identity providers, including social media platforms, and provides temporary AWS credentials to access AWS services securely. This approach allows for seamless integration with mobile applications while providing strong security and user management features.
C. Write code that interacts with a web identity provider and trades the authentication token for AWS temporary security credentials.
This approach involves writing custom code to interact with a web identity provider to authenticate users and trade their authentication tokens for temporary AWS security credentials. While it provides a high level of control over the authentication process, it can be challenging to implement correctly and securely.
D. Use federation and AWS IAM to enable single sign-on (SSO) to your AWS root accounts.
This approach involves using a trusted identity provider, such as Active Directory, to enable single sign-on (SSO) to AWS root accounts. While it provides a high level of security and user management features, it can be complicated to implement and can be challenging to integrate with mobile applications.
Based on the above analysis, option B is the most appropriate approach in this scenario. Amazon Cognito provides a straightforward way to authenticate users through various identity providers and issue temporary AWS credentials, allowing secure access to AWS serverless services while providing user management features.
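As an added example (not from the question's source and not AWS SDK code), the Python signer below shows what the mobile client does with the credentials it receives from Cognito: it signs each request with SigV4, sends the session token that accompanies temporary credentials, and refuses to sign once they have expired, which is exactly what an embedded long-term key would never force. The credential values and the Lambda function URL host are constructed placeholders.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

COGNITO_CREDS = {  # constructed sample of what Cognito hands a client; not real values
    "access_key": "ASIAEXAMPLEEXAMPLE",
    "secret_key": "constructed/secret/not/real",
    "session_token": "IQoJb3JpZ2luX2VjEXAMPLETOKEN",
    "expiration": datetime(2024, 1, 1, 13, 0, tzinfo=timezone.utc),
}

def expired(creds, now):  # temporary credentials stop working at their expiration
    return creds.get("expiration") is not None and now >= creds["expiration"]

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_request(method, host, path, query, headers, body, creds, region, service, now):
    """Return (signed headers, canonical request) for a SigV4-signed call."""
    if expired(creds, now):  # send the client back to Cognito, not to AWS
        raise ValueError("temporary credentials expired; refresh via Cognito")
    amz_date, date = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    # Canonical headers: lowercase names, trimmed values, sorted by name.
    hdrs = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    hdrs.update({"host": host, "x-amz-date": amz_date})
    if creds.get("session_token"):  # temporary credentials must carry the token
        hdrs["x-amz-security-token"] = creds["session_token"]
    signed = ";".join(sorted(hdrs))
    canonical_headers = "".join(f"{k}:{hdrs[k]}\n" for k in sorted(hdrs))
    canonical_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                               for k, v in sorted(query.items()))
    canonical_request = "\n".join([method, quote(path, safe="/-_.~"), canonical_query,
                                   canonical_headers, signed, hashlib.sha256(body).hexdigest()])
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # The signing key is derived from the secret; the secret itself never goes on the wire.
    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + creds["secret_key"]).encode(), date),
                                  region), service), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    hdrs["authorization"] = (f"AWS4-HMAC-SHA256 Credential={creds['access_key']}/{scope}, "
                             f"SignedHeaders={signed}, Signature={signature}")
    return hdrs, canonical_request

def sign_demo(now=datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)):
    # Constructed score-submit call to a hypothetical Lambda function URL host.
    return sign_request("POST", "abc123.lambda-url.us-east-1.on.aws", "/score", {},
                        {"Content-Type": "application/json"}, b'{"score": 10}',
                        COGNITO_CREDS, "us-east-1", "lambda", now)
```

Cognito rotates the credential set, so a real client re-runs the Cognito exchange when `expired` reports true rather than retrying the signed call.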