A company has copies of customer ID cards in its on-premises system. The company wants the on-premises system to automatically upload the ID card images directly to an Amazon S3 bucket.
What is the MOST secure way to meet this requirement?
A.
Use the AWS SDK to upload the images to the S3 bucket directly from the on-premises system. Create an IAM user. Attach the user to a policy that includes the s3:PutObject permission. Configure the on-premises system to use the generated access key and secrets to authenticate access to AWS.
B.
Use the AWS SDK to upload the images to the S3 bucket directly from the on-premises system. Create an IAM role. Attach the role to a policy that includes the s3:PutObject permission. Configure the on-premises system to use the AssumeRole functionality in the AWS SDK to authenticate access to AWS.
C.
Use S3 presigned URLs to upload the images to the S3 bucket directly from the on-premises system. Generate the presigned URLs by using an AWS Lambda function and a private REST API endpoint. Create an AWS Site-to-Site VPN connection between the on-premises network and the VPC to allow the on-premises system to call the API to receive the presigned URLs.
D.
Use S3 presigned URLs to upload the images to the S3 bucket directly from the on-premises system. Generate the presigned URLs by using an AWS Lambda function and a public REST API endpoint. Secure the API by adding an Amazon Cognito authorizer. Create a user for the on-premises system to use for authentication to call the API to receive the presigned URLs.
IMHO, C looks the most secure, because of: the pre-signed URL, a secure VPN connection between on-prem and cloud (MUST), and no need to store any creds on the on-prem side. The question doesn't contain keywords like "less operational overhead", but "the most secure". It means that we can go with a more complex but secure solution.
Option B - Risk Profile:
- Create an IAM role, which provides temporary security credentials without the need for long-term access keys and secrets.
- Utilizes IAM roles with temporary credentials and follows the principle of least privilege. Only one permission is required: s3:PutObject.
- Roles can be assumed by trusted entities, reducing the risk associated with long-term credentials being compromised.
- The AssumeRole functionality allows the on-premises system to temporarily assume the permissions of the IAM role, enhancing security.
Option C - Risk Profile:
- This option involves using presigned URLs, which are temporary URLs generated by AWS that grant limited access to specific S3 operations.
- It requires setting up a private REST API endpoint, which adds complexity to the architecture.
- Creating a Site-to-Site VPN connection between the on-premises network and the VPC adds an additional layer of security for communication, but it also introduces management overhead.
Yes, you can attach a user or a role to an IAM policy in AWS.
Creating roles and attaching policies (console)
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions_create-policies.html
Attach an IAM managed policy to a user
https://docs.aws.amazon.com/cli/latest/userguide/cli-services-iam-policy.html
Why is C the most popular? Why do we need a VPN to the VPC if we need access to S3, which is not in the VPC? But the C option clearly states "AWS Site-to-Site VPN connection between the on-premises network and the VPC".
Sorry, that's for the REST API endpoint inside the VPC, therefore C is the most secure option. Anyway, I think this solution is too complicated for simply uploading stuff into S3.
A uses long-term credentials, while B uses short-term credentials. Using a signed URL would be even more secure, as no credential needs to be stored on-premises. Thus A
Option C provides a secure solution by leveraging S3 presigned URLs and a private REST API endpoint. Here's how it works:
Generate S3 presigned URLs: Use an AWS Lambda function to generate S3 presigned URLs. These URLs will have a limited time validity and will grant temporary access to upload the ID card images to the S3 bucket.
Private REST API endpoint: Create a private REST API endpoint in API Gateway that invokes the Lambda function. This API endpoint should be accessible only from within the AWS infrastructure or through a secure connection.
AWS Site-to-Site VPN connection: Establish an AWS Site-to-Site VPN connection between the on-premises network and the Amazon Virtual Private Cloud (VPC) where the API Gateway and Lambda function reside. This VPN connection ensures secure and encrypted communication between the on-premises system and the private REST API endpoint.
On-premises system integration: Configure the on-premises system to call the private REST API endpoint to receive the generated S3 presigned URLs. This can be done through the VPN connection established in the previous step.
Uploading ID card images: The on-premises system can then use the received presigned URLs to directly upload the ID card images to the S3 bucket. The presigned URLs grant temporary access and permissions for uploading the images without the need for long-term access keys or credentials.
By using S3 presigned URLs with a private REST API endpoint and a VPN connection, the on-premises system securely uploads the ID card images to the S3 bucket without exposing any long-term access keys or credentials. The private REST API endpoint ensures that the API is only accessible from within the AWS infrastructure or through the secure VPN connection, providing an additional layer of security.
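A stand-alone illustration of the "generate presigned URLs" step in the post above, added here and not code from any commenter: it builds a SigV4 query-string presigned URL for a single PUT using only the Python standard library (the same kind of URL boto3's generate_presigned_url returns for put_object), then applies an issuer-side check that the URL's lifetime is short and not yet expired. The bucket name, object key, region, access key and secret key are constructed placeholders; in the real design the Lambda would sign with its execution role's temporary credentials.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, quote, urlparse

# Constructed placeholder credentials; a real Lambda would use its execution role.
SAMPLE_ACCESS_KEY = "AKIAEXAMPLEEXAMPLE00"
SAMPLE_SECRET_KEY = "ExampleSecretKeyExampleSecretKey00000000"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presign_put(bucket, key, region, access_key, secret_key, now_ts, expires=300):
    """SigV4 query-string presigned URL for one PUT of `key` into `bucket`,
    valid for `expires` seconds from epoch time `now_ts`; no other operation."""
    now = datetime.fromtimestamp(now_ts, timezone.utc)
    amz_date, date_stamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    host = f"{bucket}.s3.{region}.amazonaws.com"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query: sorted keys, every value URI-encoded (the '/' in the scope too).
    qs = "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(params.items()))
    uri = quote("/" + key, safe="/~")
    # Method, URI, query, canonical headers (host only), signed headers, unsigned payload.
    canonical = "\n".join(["PUT", uri, qs, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    k = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)  # derive the scoped signing key step by step
    signature = hmac.new(k, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{uri}?{qs}&X-Amz-Signature={signature}"


def url_lifetime_ok(url, now_ts, max_seconds=900):
    """Issuer-side check: the URL is still live at `now_ts` and its grant is
    capped at `max_seconds`, so a leaked URL stays usable only briefly."""
    q = parse_qs(urlparse(url).query)
    issued = datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    issued_ts = issued.replace(tzinfo=timezone.utc).timestamp()
    expires = int(q["X-Amz-Expires"][0])
    return expires <= max_seconds and 0 <= now_ts - issued_ts < expires
```

The URL carries only the PUT grant for that one key and the expiry window, so the on-premises system never holds an access key; S3 rejects the request once X-Amz-Expires has elapsed.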
Let's take a closer look at why option B is not the most secure solution for the given requirements.
Option B suggests creating an IAM role and attaching it to a policy that includes the s3:PutObject permission. The on-premises system would then use the AssumeRole functionality in the AWS SDK to authenticate access to AWS and directly upload the ID card images to the S3 bucket.
While using an IAM role is a more secure approach than using access keys (as mentioned in option A), it still has some limitations and potential security risks in this scenario:
Network connectivity: Option B assumes that there is a direct network connection between the on-premises system and AWS. This introduces potential security concerns, especially if the connection is not properly secured or if the on-premises system is exposed to the internet.
Access management: Creating and managing IAM roles for each on-premises system can become cumbersome, especially if there are a large number of systems or frequent changes. It may also introduce the risk of misconfiguration or granting excessive permissions if not properly managed.
Long-term credentials: While the AssumeRole functionality allows for temporary access to AWS services, the on-premises system would still need to have long-term credentials (such as access keys) to assume the IAM role. This introduces the risk of these credentials being compromised, potentially leading to unauthorized access to the S3 bucket.
Given these considerations, option C, which leverages S3 presigned URLs with a private REST API endpoint and a VPN connection, provides a more secure approach for uploading ID card images from the on-premises system to the S3 bucket. It avoids the need for long-term credentials and ensures secure communication through a private API endpoint and a VPN connection.
Option B is the most secure because it involves creating an IAM role with the required permissions and configuring the on-premises system to use AssumeRole functionality in the AWS SDK to authenticate access to AWS. This way, the on-premises system does not have access keys or secrets, reducing the risk of compromise. Also, IAM roles have temporary security credentials that automatically rotate, making it harder for attackers to gain persistent access to the S3 bucket.
The most secure way to meet this requirement is option D: Use S3 presigned URLs to upload the images to the S3 bucket directly from the on-premises system. Generate the presigned URLs by using an AWS Lambda function and a public REST API endpoint. Secure the API by adding an Amazon Cognito authorizer. Create a user for the on-premises system to use for authentication to call the API to receive the presigned URLs.
Option D provides a secure solution as it uses S3 presigned URLs, which are time-limited URLs that grant temporary access to upload the ID card images to the S3 bucket. By generating presigned URLs on the server-side with an AWS Lambda function, the on-premises system can securely upload the ID card images directly to the S3 bucket without requiring access keys and secrets.
To further secure the solution, an Amazon Cognito authorizer can be added to the public REST API endpoint to authenticate the on-premises system before allowing access to generate the presigned URLs. This approach ensures that only authenticated and authorized systems can generate the presigned URLs, providing an additional layer of security.