Deepen your understanding of serverless security by assessing your knowledge of IAM roles, permissions, and least privilege principles. This quiz challenges your grasp on access controls and best practices for minimizing risk in serverless deployments.
Which approach best demonstrates the principle of least privilege for a serverless function that only needs to read data from a database?
Explanation: Granting read-only access to the specific database resource ensures the function has just enough permission to carry out its job, which aligns with the least privilege principle. Assigning full database admin permissions or allowing all actions gives excessive access, increasing risk. Denying all except write would block reading, which the function needs.
What potential security risk arises when a serverless function is assigned an IAM role with permissions that are too broad, such as 'Resource: *' and 'Action: *'?
Explanation: Overly broad permissions can allow an attacker to perform a variety of unauthorized actions if the function is compromised. A too-broad IAM role does not cause the deployment to fail or slow function execution, and permissions do not inherently affect logging. Only the first option addresses the critical risk posed by excessive privileges.
When configuring IAM roles for multiple serverless functions that perform unrelated tasks, what is the recommended best practice?
Explanation: Assigning unique, task-specific roles ensures each function only has the permissions needed for its job, reducing unnecessary risk. Using a global role exposes every function to permissions it does not need. Granting all functions read-only access to all resources still violates least privilege. Allowing anonymous access is never a secure choice.
What is the most secure way to grant a serverless function access to only a subset of items within a database table?
Explanation: Restricting actions to specific database items allows for precise control and limiting unnecessary access, adhering to least privilege. Giving full table access is excessive and less secure. Assigning no permissions will break functionality, while using the function’s name for access does not ensure proper authorization.
Why are temporary credentials considered safer than long-lived credentials for IAM roles assigned to serverless functions?
Explanation: Temporary credentials expire after a short time, limiting the exposure if credentials are leaked or stolen, making them safer. They do not make the function run faster or require less configuration, and they actually reduce—not increase—the duration of access, which is desirable from a security perspective.