QUESTION 4

Your company has developed a web application and is hosting it in an Amazon S3

bucket configured for static website hosting. The application is using the AWS SDK

for JavaScript in the browser to access data stored in an Amazon DynamoDB table.

How can you ensure that API keys for access to your data in DynamoDB are kept

secure?

A. Create an Amazon S3 role in IAM with access to the specific DynamoDB tables, and assign it to the bucket hosting your website.

分析：直接将role assign给AWS S3 bucket，并不能实现。

结论：PASS

B. Configure S3 bucket tags with your AWS access keys for your bucket hosing your website so that the application can query them for access.

分析：将access keys以tags的形式配置，是一种不安全的方式，任何对此bucket有可读权限的用户都能拿到访问dynamodb的access key.

结论：PASS

C. Configure a web identity federation role within IAM to enable access to the correct DynamoDB resources and retrieve temporary credentials.

分析：Web Identity Federation role可以让授予联邦访问AWS资源用户可以assume role来代替创建IAM user (access key),也就是说可以让用户通过assume role的方式获取访问dynamodb的权限，并且这个访问所使用的credential都是临时的，具有时效性的，所以，是一个比较安全的方式。

结论：Correct

D. Store AWS keys in global variables within your application and configure the application to use these credentials when making requests.

分析：在AWS的生态圈中，访问AWS资源尽量使用role的方式更安全，accesskey的方式并不是一种比较安全的方式，即使要是使用也是要有定期轮换策略。

结论：PASS