Microservices Microservice Security Patterns Questions and Answers

Question 1

A microservices-based application needs to authenticate users and then allow them to access various services without each service needing to re-authenticate the user against a central database. The identity information and permissions must be self-contained and cryptographically verifiable by any service. Which security pattern is most suitable for this scenario?

Accepted Answer

C) Access Token Pattern (using JWT)

Answer

The Access Token Pattern using JSON Web Tokens (JWT) is ideal for this use case. JWTs are self-contained, digitally signed tokens that encode user identity and permissions (claims). Any microservice can verify the token's signature to trust its contents without needing a network call to a central authentication server, enabling stateless and scalable authentication.

Question 2

In a zero-trust network environment for microservices, where no service implicitly trusts another, what is the primary purpose of implementing Mutual TLS (mTLS)?

Accepted Answer

A) To ensure that both the client service and the server service cryptographically verify each other's identity before establishing a secure communication channel.

Answer

Mutual TLS (mTLS) extends standard TLS by requiring both the client and the server to present and validate X.509 certificates. This provides strong, mutual authentication, ensuring each service can verify the identity of the other before any data is exchanged. This is a foundational practice for zero-trust security, as it enforces identity verification for all service-to-service communication.

Question 3

A user makes a request to an 'Order' service, which then needs to call a 'Payment' service on behalf of that same user. The 'Payment' service must be able to independently verify the original user's identity and permissions. Which security pattern addresses this requirement?

Accepted Answer

D) Security Context Propagation

Answer

Security Context Propagation is the pattern of passing the original user's identity and security claims (often within an access token like a JWT) from one service to the next in a call chain. This allows downstream services, like the 'Payment' service, to make authorization decisions based on the original caller's context, rather than blindly trusting the upstream service.

Question 4

A microservices application has numerous services that require database passwords, third-party API keys, and other sensitive credentials. To enhance security and simplify management, the team wants to avoid hardcoding these secrets in configuration files or environment variables. Which pattern provides a centralized and secure solution?

Accepted Answer

B) Vault / Secure Credential Storage

Answer

The Vault or Secure Credential Storage pattern involves using a dedicated, centralized service (like HashiCorp Vault or AWS Secrets Manager) to manage secrets. Microservices can then securely authenticate with the vault at runtime to retrieve the credentials they need. This approach improves security by centralizing access control, enabling auditing, and simplifying secret rotation.

Question 5

Which of the following security responsibilities is MOST effectively centralized at the API Gateway layer rather than being implemented within each individual microservice?

Accepted Answer

A) Terminating TLS and authenticating the initial end-user request.

Answer

The API Gateway serves as the single entry point for external clients. It is the ideal place to centralize cross-cutting concerns like terminating TLS, enforcing rate limits, and performing initial authentication and authorization of end-user requests (e.g., validating a JWT). This simplifies the individual services, which no longer need to implement this common edge security logic.

Microservices Practice Test

Microservices Practice Test

Microservices Microservice Security Patterns Questions and Answers