What is the MOST secure way to call AWS CLI commands with the developer’s IAM identity?
Specify the developer’s IAM access key ID and secret access key as parameters for each CLI command
Run the aws configure CLI command. Provide the developer’s IAM access key ID and secret access key.
Specify the developer’s IAM profile as a parameter for each CLI command.
Run the get-session-token CLI command with the developer’s IAM user. Use the returned credentials to call the CLI
Explanations:
Providing the IAM access key ID and secret access key as parameters for each CLI command is insecure because it exposes credentials in plain text, which is risky, especially in logs or history files.
Runningaws configureand providing the IAM access key ID and secret access key stores the credentials on disk, which is a security risk if the system is compromised or the credentials are not rotated regularly.
Specifying the IAM profile as a parameter for each CLI command is not ideal, because the credentials tied to that profile could be misused if the system is compromised, and it still involves storing credentials.
Usingget-session-tokento retrieve temporary credentials for the IAM user and calling the CLI with those credentials is the most secure method. Temporary credentials are short-lived and automatically expire, minimizing security risks.
If memory serves me right, the answer is:
Run the get-session-token CLI command with the developer’s IAM user. Use the returned credentials to call the CLI
As I understand it, the answer is:
Run the get-session-token CLI command with the developer’s IAM user. Use the returned credentials to call the CLI