Access Permissions for Linux User in AWS Deployment

Granting Least Privilege to Linux User


Question

A third-party software firm is performing deployment for a new application for your firm.

A Linux user from this vendor firm needs access permission to execute dependencies before the build phase.

Which of the following can be specified to grant the least privilege to the user?

Answers

Explanations


Correct Answer - D.

To check dependencies for the build phase, users will need access permission for the pre-build command.

For this, the Linux user can be given access permission only for the pre-build phase by specifying run-as at the top of the pre-build phase.

Option A is incorrect, as specifying the run-as command in the env block will not grant the user access to execute dependencies.

Option B is incorrect, as run-as should be specified in the pre-build command to check dependencies before the build command, not in the build command.

Option C is incorrect, as using run-as at the top of the buildspec file will grant the user permission globally for all commands.

For more information on BuildSpec parameters, refer to the following URL:

https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html

In this scenario, a Linux user from a third-party vendor firm needs permission to execute dependencies before the build phase. The question is asking which option will grant the least privilege to the user.

A. Specify run-as for each command in the env block. This option specifies the user or group ID that the container runs as. The env block is used to set environment variables for the build. Specifying run-as for each command in the env block may work but would require multiple entries for each command, making it cumbersome and potentially error-prone.

B. Specify run-as at the top of the build command of the phases block. The phases block is used to define the various phases of the build, and the build command is one of those phases. Specifying run-as at the top of the build command would set the user or group ID for the entire build phase. However, this would also give the user permission to run any other commands within the build phase, potentially giving the user more privileges than necessary.

C. Specify run-as at the top of the buildspec file. The buildspec file is used to define the build process for AWS CodeBuild. Specifying run-as at the top of the buildspec file would set the user or group ID for the entire build process. However, this would also give the user permission to run any other commands within the build process, potentially giving the user more privileges than necessary.

D. Specify run-as at the top of the pre_build command of the phases block. The pre_build command is one of the phases in the phases block. It runs before the build command and can be used to perform tasks such as installing dependencies. Specifying run-as at the top of the pre_build command would set the user or group ID for only the pre_build phase, which is the phase where the user needs access to execute dependencies. This option grants the least privilege to the user, giving them access only to the necessary phase and no additional privileges.

Therefore, the correct answer is D. Specify run-as at the top of the pre_build command of the phases block.
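As an added illustration (not part of the original question or of the AWS documentation), the two buildspec placements the explanation contrasts: run-as at the top of the file (option C, applies to every phase) versus run-as scoped to the pre_build phase (option D). The Linux account name vendor-user, the npm commands and the bucket name are assumed placeholders.

```yaml
# Added example, not from the original page. "vendor-user" is an assumed
# Linux account that exists in the build image; bucket name is a placeholder.

# --- Option C (over-privileged): run-as at the top of the buildspec ---
# A file-level run-as applies to every phase that does not override it,
# so the vendor account also runs the build and post_build commands.
version: 0.2
run-as: vendor-user
phases:
  pre_build:
    commands:
      - npm ci                                   # dependency install (the actual need)
  build:
    commands:
      - npm run build                            # also runs as vendor-user
  post_build:
    commands:
      - aws s3 cp dist/ s3://EXAMPLE-BUCKET/ --recursive   # and so does this
---
# --- Option D (least privilege): run-as scoped to the pre_build phase ---
# Only the dependency commands run as the vendor account; the remaining
# phases run as the build image's default user.
version: 0.2
phases:
  pre_build:
    run-as: vendor-user
    commands:
      - npm ci
  build:
    commands:
      - npm run build
  post_build:
    commands:
      - aws s3 cp dist/ s3://EXAMPLE-BUCKET/ --recursive
```

The two documents are separated by `---` only for side-by-side comparison; a real project uses exactly one buildspec.yml.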