AWS Certified SysOps Administrator – Associate (legacy) — Question 341

A user has created a mobile application which makes calls to DynamoDB to fetch certain data. The application is using the DynamoDB SDK and root account access/secret access key to connect to DynamoDB from mobile. Which of the below mentioned statements is true with respect to the best practice for security in this scenario?

Answer options

• A. The user should create a separate IAM user for each mobile application and provide DynamoDB access with it
• B. The user should create an IAM role with DynamoDB and EC2 access. Attach the role with EC2 and route all calls from the mobile through EC2
• C. The application should use an IAM role with web identity federation which validates calls to DynamoDB with identity providers, such as Google, Amazon, and Facebook
• D. Create an IAM Role with DynamoDB access and attach it with the mobile application

Correct answer: C

Explanation

Embedding long-term credentials like root keys or IAM user access keys in a mobile application is a severe security risk, as they can be extracted by decompiling the app. The best practice is to use web identity federation, which allows mobile users to authenticate through public identity providers and assume temporary, limited-privilege IAM roles to access DynamoDB. Other approaches either introduce unnecessary architectural complexity, like proxying through EC2, or are technically impossible, like directly attaching an IAM role to a client-side mobile device.