What is the MOST secure way to call AWS CLI commands with the developer's IAM identity?

A developer needs to use the AWS CLI on an on-premises development server temporarily to access AWS services while performing maintenance.The developer needs to authenticate to AWS with their identity for several hours.

What is the MOST secure way to call AWS CLI commands with the developer’s IAM identity?

Specify the developer’s IAM access key ID and secret access key as parameters for each CLI command

Run the aws configure CLI command. Provide the developer’s IAM access key ID and secret access key.

Specify the developer’s IAM profile as a parameter for each CLI command.

Run the get-session-token CLI command with the developer’s IAM user. Use the returned credentials to call the CLI

Explanations:

Providing the IAM access key ID and secret access key as parameters for each CLI command is insecure because it exposes credentials in plain text, which is risky, especially in logs or history files.

Runningaws configureand providing the IAM access key ID and secret access key stores the credentials on disk, which is a security risk if the system is compromised or the credentials are not rotated regularly.

Specifying the IAM profile as a parameter for each CLI command is not ideal, because the credentials tied to that profile could be misused if the system is compromised, and it still involves storing credentials.

Usingget-session-tokento retrieve temporary credentials for the IAM user and calling the CLI with those credentials is the most secure method. Temporary credentials are short-lived and automatically expire, minimizing security risks.

Free study guides, practices test, sample questions

What is the MOST secure way to call AWS CLI commands with the developer’s IAM identity?

Explanations:

1 Comment

Leave a Reply to Ethan Cancel reply