Question 1: You are working with an investment bank that has recently announced a move to a hybrid cloud: AWS as the public cloud and the in-house datacenter as the private cloud. The company mandates multi-factor authentication for every account that logs in to the AWS console. One of the teams has started using DynamoDB, a NoSQL service, from an application installed on on-premises Linux instances. During development and testing they used an access key and secret key stored locally, in a text file on the same Linux host. A member of your security team raised a concern about storing these keys in a text file and using them this way, and asked you to come up with a safer way for the Linux instance to interact with DynamoDB. Which of the following should you consider the safest approach?

  A. Amazon can store keys more securely, so you create an encrypted EBS volume and store the text file on that encrypted volume.
  B. You enable encryption between DynamoDB and the application installed on the Linux instance, using trusted certificates.
  C. You encrypt the text file and store it on the same instance; whenever you need to connect to DynamoDB, you decrypt the key.
  D. You use the Amazon-provided KMS (Key Management Service).
  E. You leverage IAM Role functionality.

  1. A, B
  2. B, C
  3. C, D
  4. B, E
  5. A, D

Correct Answer: 4 (B, E)

Exp: This question has a latent security aspect. It focuses on access keys and secret keys, but since the options ask you to select more than one answer, you also have to check which options are appropriate for secure data transfer when connecting to AWS services.

Access Keys: Always avoid saving long-lived access keys on the same host that runs your application. It is not secure at all: anyone who can read the file gets everything the key is allowed to do until the key is rotated. The exam may present the same question with an EC2 instance instead of your datacenter (you launch the instance from an AMI and deploy the application on it to connect to DynamoDB). In that variant, too, you should not store the keys in a text file; attach an IAM role to the instance instead.

Can I store them in an S3 bucket? What would be the point of storing access keys in an S3 bucket? The application would still need credentials to fetch them. No, it is not a secure way.

Why keys at all? Wherever you see a question about credentials and find IAM Role among the options, think it over: there is a good probability that it is the correct answer, as in this question. A role has no long-lived secret; the caller receives temporary credentials from AWS STS that expire on their own. Note that an on-premises host cannot be given an instance profile the way an EC2 instance can, so in practice the application assumes the role through STS (AssumeRole), or through IAM Roles Anywhere, which lets the host authenticate with an X.509 certificate from your own PKI and exchange it for temporary role credentials.
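To make the difference concrete, here is the weak setup from the question beside a hardened one, as an added example that is not part of the original page. The first fragment is the credentials file the team has been using (with AWS's documented example key pair, not real credentials). The second is an `~/.aws/config` profile that holds no static key at all: the AWS CLI and SDKs run the configured `credential_process`, here the IAM Roles Anywhere signing helper, which authenticates the host with a certificate issued by the bank's own CA and returns short-lived credentials for the role. The account ID, role name, certificate paths and the trust-anchor and profile IDs are hypothetical placeholders.

```ini
# --- ~/.aws/credentials (weak: a long-lived key pair in clear text on the host) ---
# These are AWS's documented example keys, not real credentials.
[default]
aws_access_key_id     = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

# --- ~/.aws/config (hardened: no static key on disk; the SDK/CLI fetches short-lived role credentials) ---
# The account ID 123456789012, the role DynamoAppRole, the certificate paths and the
# TRUST_ANCHOR_ID / PROFILE_ID values are hypothetical placeholders for this example.
[profile dynamo-app]
region = us-east-1
# IAM Roles Anywhere: the host proves its identity with an X.509 certificate from the bank's
# own CA, and the signing helper exchanges it for temporary credentials for DynamoAppRole.
credential_process = /usr/local/bin/aws_signing_helper credential-process --certificate /etc/pki/dynamo-app/cert.pem --private-key /etc/pki/dynamo-app/key.pem --trust-anchor-arn arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/TRUST_ANCHOR_ID --profile-arn arn:aws:rolesanywhere:us-east-1:123456789012:profile/PROFILE_ID --role-arn arn:aws:iam::123456789012:role/DynamoAppRole
```

The application is started with `AWS_PROFILE=dynamo-app` (or the SDK is pointed at that profile) and never sees a long-lived key: the credentials the helper returns expire after a short time (an hour by default) and the SDK refreshes them transparently. Three checks belong with this setup: the private key file must be readable only by the service account (mode 0600), the role's trust policy must allow `rolesanywhere.amazonaws.com` to assume it, and the role's permission policy should be scoped to the specific DynamoDB table and actions the application needs, so that a compromised host gains no more than that.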

KMS: Key Management Service creates and manages cryptographic keys used to encrypt data, for example EBS volumes, S3 objects or DynamoDB tables at rest. It does not store or issue IAM access keys and secret keys, so it does not solve the credential problem in this question; encrypting the text file with a KMS key still leaves a credential on the host that has to be decrypted before every connection. (TLS certificates, for that matter, are handled by AWS Certificate Manager, not KMS.)

Encryption: Yes. Whenever data leaves one network (AWS) and reaches another (a host in your datacenter), you must have encryption in transit enabled so that the data cannot be read or tampered with by a man-in-the-middle attack. DynamoDB endpoints are reached over HTTPS, and the AWS SDKs and CLI use TLS by default; make sure the application verifies the server certificate rather than disabling that check.