Back to AWS Certified Developer - Associate (DVA-C02)

Security

Implement authentication, authorization, encryption, and manage sensitive data in applications (~26% of exam).

5 minutes 5 Questions

Security in AWS is a critical domain for the AWS Certified Developer - Associate certification. It encompasses multiple layers of protection to safeguard applications, data, and infrastructure in the cloud. AWS operates on a Shared Responsibility Model where AWS manages security OF the cloud (phys…

Concepts covered
Assuming IAM rolesCross-account role assumptionAmazon Cognito user poolsAmazon Cognito identity poolsFederated access with identity providersAWS IAM for authenticationBearer token authenticationJSON Web Tokens (JWT)OAuth 2.0 and OpenID ConnectProgrammatic access to AWSAccess keys and secret keysAWS STS (Security Token Service)Authenticated AWS service callsSignature Version 4 signingIAM policies and permissionsIAM policy conditionsResource-based policiesIdentity-based policiesApplication-level authorizationFine-grained access controlCross-service authentication in microservicesService-to-service authenticationEncryption at restEncryption in transitTLS/SSL for data in transitAWS Certificate Manager (ACM)Generating certificates for developmentAWS Private CAClient-side encryptionServer-side encryptionManual key rotationAWS KMS (Key Management Service)KMS customer managed keysKMS AWS managed keysEnvelope encryptionEncrypting and decrypting dataSSH key generation and managementCross-account encryption accessKMS key policiesAutomatic key rotationData classification conceptsPersonally identifiable information (PII)Protected health information (PHI)Encrypting Lambda environment variablesAWS Secrets ManagerAWS Systems Manager Parameter StoreSecureString parametersSecrets rotationData sanitization techniquesApplication-level data maskingInput validation and sanitizationMulti-tenant data isolationRow-level security patterns
Test mode:
Start practice test
DVA-C02 - Security Example Questions

Test your knowledge of Security

Question 1

What happens when a KMS key policy in Account A grants access to the root principal of Account B for cross-account encryption operations?

Correct Answer: It allows Account B administrators to delegate KMS permissions to IAM principals within Account B through IAM policies

When a KMS key policy in Account A grants access to the root principal of Account B, it allows Account B administrators to delegate KMS permissions to IAM principals within Account B through IAM policies. This is the fundamental mechanism for cross-account KMS access.

Here's how it works:
1. The key policy in Account A grants permissions to the root principal (arn:aws:iam::AccountB:root)
2. This does NOT automatically grant any IAM user or role in Account B access to the key
3. Instead, it enables Account B's administrators to use IAM policies to delegate those permissions to specific IAM users or roles within Account B
4. Both the key policy (in Account A) AND an IAM policy (in Account B) must allow the action for the cross-account access to work

The other answers are incorrect:

  • Granting access to the root principal does NOT automatically give all IAM users and roles in Account B access. The root principal grant is just the first step - Account B must still create IAM policies to delegate permissions to specific principals.

  • KMS grants are a separate mechanism and are not required when using the key policy + IAM policy approach. While grants can be used for cross-account access, they are not mandatory when the key policy grants access to the root principal.

  • Granting access to Account B's root principal does NOT transfer ownership or allow Account B to manage key policies or rotation. The key remains owned and controlled by Account A. Account B can only use the key for the specific operations allowed in the key policy.

Question 2

What is the purpose of the Credential Provider Chain in AWS SDKs?

Correct Answer: It defines the order in which the SDK searches for credentials from multiple sources such as environment variables, shared files, and instance metadata

The Credential Provider Chain in AWS SDKs defines the order in which the SDK searches for credentials from multiple sources. This is the correct answer because the credential provider chain is a fundamental mechanism that allows AWS SDKs to automatically discover and use credentials without requiring developers to explicitly specify them in code.

The chain typically searches for credentials in the following order:
1. Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
2. Shared credentials file (~/.aws/credentials)
3. AWS config file (~/.aws/config)
4. Container credentials (for ECS tasks)
5. Instance profile credentials (for EC2 instances via instance metadata)

This allows for flexibility across different environments - development machines can use credential files, while production EC2 instances can use IAM roles.

The other answers are incorrect:

  • The option about encrypting and decrypting access keys using AES-256 is wrong because the credential provider chain does not perform encryption/decryption of credentials. It simply locates and retrieves credentials from various sources.

  • The option about validating IAM policy permissions before API calls is incorrect because the credential provider chain only handles credential discovery, not authorization checks. Permission validation happens on the AWS service side after credentials are used to sign requests.

  • The option about generating temporary credentials by calling AssumeRole is partially related but incorrect. While the SDK can use assumed role credentials, the credential provider chain itself doesn't automatically call AssumeRole. It's a mechanism for finding existing credentials, not generating new ones through role assumption.

Question 3

What is the purpose of the 'aud' (audience) claim validation when AWS processes tokens from an external OIDC identity provider during federated access?

Correct Answer: To verify the token was issued for the specific client application registered with the identity provider

The 'aud' (audience) claim validation serves to verify that the token was issued for the specific client application registered with the identity provider. This is a critical security measure in OIDC federated authentication.

When you configure an OIDC identity provider in AWS IAM, you specify one or more client IDs (also known as audience values). When a token is presented to AWS for assuming a role, AWS validates that the 'aud' claim in the token matches one of the configured client IDs. This ensures that the token was intentionally issued for your specific application and prevents tokens issued for other applications from being used to access your AWS resources.

The other answers are incorrect for the following reasons:

  • Validating the token for any application within the same AWS organization is incorrect because the 'aud' claim is specifically about the client application registered with the external identity provider, not about AWS organizational boundaries. The audience validation is more restrictive and application-specific.

  • Confirming the user identifier matches the IAM role trust policy principal is incorrect because this describes the 'sub' (subject) claim validation, not the 'aud' claim. The subject claim identifies the user, while the audience claim identifies the intended recipient application.

  • Ensuring token expiration aligns with IAM role session duration is incorrect because this describes token expiration validation related to the 'exp' (expiration) claim, not the 'aud' claim. These are separate validation mechanisms with different purposes.

More Security questions
540 questions (total)
Start 100 question test