DCA Question #10: Real Exam Question with Answer & Explanation

The correct answer is B: Utilize openssl to create TLS client and server certificates, configuring the Docker engine to use. Adhering to the principle of least privilege, secure access to the Docker engine can be granted to specific users either by employing TLS certificates for remote connections or by adding the user to the docker group for local access.

Submitted by fatema_kw · Apr 18, 2026 · Security

Question

Following the principle of least privilege, which of the following methods can be used to securely grant access to a specific user to communicate with a Docker engine? (Choose two.)

Options

  • A. Utilize the '--host 0.0.0.0:2375' option to the Docker daemon to listen on port 2375 over TCP on all
  • B. Utilize openssl to create TLS client and server certificates, configuring the Docker engine to use
  • C. Utilize the '--host 127.0.0.1:2375' option to the Docker daemon to listen on port 2375 over TCP on
  • D. Give the user root access to the server to allow them to run Docker commands as root.
  • E. Add the user to the 'docker' group on the server or specify the group with the '--group' Docker

Explanation

Adhering to the principle of least privilege, secure access to the Docker engine can be granted to specific users either by employing TLS certificates for remote connections or by adding the user to the docker group for local access.

Common mistakes.

  • A. Listening on 0.0.0.0:2375 without TLS exposes the Docker daemon on all network interfaces without authentication, creating a severe security risk that violates the principle of least privilege.
  • C. While listening on 127.0.0.1:2375 restricts access to the local host, it doesn't provide specific user authentication or encryption, failing to securely grant access to a specific user without additional security layers.
  • D. Giving a user full root access to the server directly contradicts the principle of least privilege, as it grants unrestricted control over the entire system, far beyond what is needed for Docker operations.
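
The distinctions drawn above can be checked mechanically against a daemon.json file. The following is an added example, not part of the original question or of Docker's own tooling: it classifies each configured listener using the real daemon.json keys `hosts`, `tls`, `tlsverify` and `group`. The function names, verdict labels, sample configurations and certificate paths are constructed for illustration, and any non-TCP listener is assumed to be a local socket.

```python
import ipaddress
from urllib.parse import urlsplit

def bind_scope(host):
    """Classify a tcp:// bind address as 'all', 'loopback' or 'specific'."""
    if not host:
        return "all"                  # tcp://:2375 binds every interface
    if host == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "specific"             # a hostname, resolved when dockerd starts
    if ip.is_unspecified:             # 0.0.0.0 or ::
        return "all"
    return "loopback" if ip.is_loopback else "specific"

def audit(cfg):
    """Return (listener, verdict, reason) tuples for a parsed daemon.json dict."""
    findings = []
    for listener in cfg.get("hosts", ["unix:///var/run/docker.sock"]):
        url = urlsplit(listener)
        if url.scheme != "tcp":       # assumption: unix:// or fd:// local socket
            group = cfg.get("group", "docker")
            findings.append((listener, "ok", f"local socket for root and group '{group}'"))
        elif cfg.get("tlsverify"):    # server demands a CA-signed client certificate
            findings.append((listener, "ok", "TLS with client certificate required"))
        elif cfg.get("tls"):          # encrypted, but clients are not authenticated
            findings.append((listener, "weak", "TLS without client verification"))
        else:
            scope = bind_scope(url.hostname)
            verdict = "weak" if scope == "loopback" else "critical"
            findings.append((listener, verdict, f"no TLS, no authentication, scope={scope}"))
    return findings

# Constructed sample configurations mirroring options A, C, B and E.
SAMPLES = {
    "A": {"hosts": ["tcp://0.0.0.0:2375"]},
    "C": {"hosts": ["tcp://127.0.0.1:2375"]},
    "B": {"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": True,
          "tlscacert": "/etc/docker/ca.pem", "tlscert": "/etc/docker/server-cert.pem"},
    "E": {"hosts": ["unix:///var/run/docker.sock"], "group": "docker"},
}

if __name__ == "__main__":
    for option, cfg in SAMPLES.items():
        print(option, audit(cfg))
```
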

Concept tested. Docker daemon access control and security best practices

Reference. https://docs.docker.com/engine/security/https/

Topics

#Docker daemon security · #TLS · #Least privilege · #Remote access
