AWS Certified Solutions Architect Associate SAA-C03 Practice Question
A company is building a mobile application that allows users to upload photos directly to Amazon S3. The application should authenticate users using their existing social media accounts and securely grant them permissions to upload files to a protected S3 bucket, without routing the uploads through the application backend. Which solution meets these requirements?
Use the AWS Cognito service, which handles authentication with social identity providers and provides temporary credentials for direct Amazon S3 access.
Configure Amazon S3 bucket policies to allow public write access and require users to include a secret access key with their uploads.
Create IAM user credentials for each application user and provide them with individual access keys for S3 uploads.
Implement an AWS Lambda function to authenticate users via social identity providers and generate presigned URLs for S3 uploads.
AWS Cognito allows developers to easily add user sign-up, sign-in, and access control to web and mobile applications. It supports authentication with social identity providers such as Facebook and Google. Upon successful authentication, Cognito provides users with temporary AWS credentials that allow direct access to AWS resources (e.g. Amazon S3) without going through the application backend. This approach is secure and scalable.
Allowing public write access to the S3 bucket poses significant security risks, and requiring a secret access key in this way raises the problem of how to generate and manage such keys. Using a Lambda function to authenticate users and generate presigned URLs is very complex to handle. Creating IAM user credentials for each application user is not scalable and poses security risks in managing IAM credentials.
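How the temporary credentials can be limited to each user's own uploads, as an added example that is not part of the original question: it builds an IAM permissions policy for the identity pool's authenticated role and runs a simplified local check of which object keys that policy permits. The bucket name, the `uploads/<identity ID>/` key layout, and the identity IDs are constructed assumptions.

```python
import json
import re

# Assumed bucket name and key layout (not from the original question).
BUCKET = "example-photo-uploads"
SUB_VAR = "${cognito-identity.amazonaws.com:sub}"  # IAM policy variable: caller's identity ID


def authenticated_role_policy(bucket=BUCKET):
    """Permissions policy for the identity pool's authenticated role:
    each identity may only PutObject under uploads/<its own identity ID>/."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PutOwnPhotosOnly",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/uploads/{SUB_VAR}/*",
        }],
    }


def _to_regex(pattern):
    # IAM wildcards: '*' matches any run of characters, '?' a single one.
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)


def allows_put(policy, identity_id, key, bucket=BUCKET):
    """Simplified local check (not IAM's evaluation engine): substitute the
    caller's identity ID literally for the variable, then match the object ARN."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "s3:PutObject":
            continue
        pieces = stmt["Resource"].split(SUB_VAR)
        regex = re.escape(identity_id).join(_to_regex(p) for p in pieces)
        if re.fullmatch(regex, arn):
            return True
    return False  # nothing matched: implicit deny


if __name__ == "__main__":
    # Constructed identity IDs in the "<region>:<uuid>" form.
    alice = "us-east-1:11111111-aaaa-4bbb-8ccc-222222222222"
    bob = "us-east-1:33333333-dddd-4eee-8fff-444444444444"
    policy = authenticated_role_policy()
    print(json.dumps(policy, indent=2))
    print(allows_put(policy, alice, f"uploads/{alice}/cat.jpg"))  # own prefix
    print(allows_put(policy, alice, f"uploads/{bob}/cat.jpg"))    # another user's prefix
```

With a bucket-wide `Resource` instead of the per-identity prefix, any signed-in user could overwrite any other user's objects using the same temporary credentials.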