Accessing Amazon Redshift Tables for Mobile Application Analytics | Best Methods and Security

Best Methods to Access Amazon Redshift Tables for Mobile Application Analytics

Question

You have just developed a new mobile application that handles analytics workloads on large-scale datasets stored on Amazon Redshift.

Consequently, the application needs to access Amazon Redshift tables.

Which of the methods below would be the best, both practically and security-wise, to access the tables? Choose the correct answer from the options below.

Answers

Explanations


A. B. C. D.

Answer - D.

The AWS documentation states the following.

"When you write such an app, you'll make requests to AWS services that must be signed with an AWS access key.

However, we strongly recommend that you do not embed or distribute long-term AWS credentials with apps that a user downloads to a device, even in an encrypted store.

Instead, build your app so that it requests temporary AWS security credentials dynamically when needed using web identity federation.

The supplied temporary credentials map to an AWS role that has only the permissions needed to perform the tasks required by the mobile app".

Options A, B and C are all incorrect because you need to use IAM roles for secure access to services.

For more information on web identity federation, refer to the link below:

http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html

The best way to access the Amazon Redshift tables from a mobile application is option D: "Use roles that allow a web identity federated user to assume a role that allows access to the RedShift table by providing temporary credentials."

Explanation:

Option A: This method is not recommended as it involves embedding encryption keys in the application. Storing encryption keys in the application is not a secure approach as these keys can be easily extracted from the application code.

Option B: This method involves using an HSM (Hardware Security Module) client certificate to authenticate. HSM is a hardware device that provides a high level of security to protect sensitive data. However, this option requires additional setup and maintenance, which might not be practical.

Option C: This option is also not recommended as it involves embedding IAM user credentials in the application code. Storing IAM user credentials in the application is not secure, as it could lead to credential leakage.

Option D: This option uses AWS Security Token Service (STS) to provide temporary security credentials to users who have been authenticated by an external identity provider. This approach is more secure as it does not involve embedding any credentials in the application code. The web identity provider could be any provider, including Amazon Cognito, Google, Facebook, or other OpenID Connect-compatible providers. The user authenticates using the web identity provider, and the application exchanges the authentication token for temporary AWS credentials through STS. The user is then granted access to the Amazon Redshift table using these temporary credentials.

In conclusion, option D is the best method as it offers a secure and practical way to access Amazon Redshift tables from a mobile application.
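
A check for the role that option D relies on, as an added example that is not part of the original explanation or AWS's own code: it audits the role's trust policy to confirm that only a named web identity provider with a pinned audience can call `sts:AssumeRoleWithWebIdentity`. The sample policy, the placeholder identity pool ID and the function names are assumptions made for illustration.

```python
import json

# Constructed sample trust policy for the role the mobile app assumes.
# The identity pool ID is a placeholder, not a real value.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "cognito-identity.amazonaws.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals":
      {"cognito-identity.amazonaws.com:aud": "us-east-1:EXAMPLE-IDENTITY-POOL-ID"}}
  }]
}
""")

WEB_IDENTITY_ACTIONS = {"sts:assumerolewithwebidentity", "sts:*", "*"}

def as_list(value):
    """IAM accepts either a single string or a list in most fields."""
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy):
    """Return findings for Allow statements that permit AssumeRoleWithWebIdentity."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in as_list(stmt.get("Action", []))}
        if not actions & WEB_IDENTITY_ACTIONS:
            continue
        principal = stmt.get("Principal")
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if not federated or "*" in as_list(federated):
            findings.append(f"statement {i}: principal is not a specific federated provider")
        # Without an audience/app-id condition, a token the same provider
        # issued for a different app would also be accepted for this role.
        pinned = stmt.get("Condition", {}).get("StringEquals", {})
        if not any(k.lower().endswith((":aud", ":app_id")) for k in pinned):
            findings.append(f"statement {i}: no StringEquals condition on :aud or :app_id")
    return findings

if __name__ == "__main__":
    print(audit_trust_policy(TRUST_POLICY) or "trust policy pins provider and audience")
```

An empty result covers only the trust side; the role's permissions policy still has to be limited to the Redshift access the app needs.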