AWS Certified Solutions Architect Associate SAA-C03 Practice Question
A company is building a mobile application that allows users to upload photos directly to Amazon S3. The solution must authenticate users with their existing social media accounts, avoid routing the actual photo data through any backend component, and minimize custom code by relying on AWS-managed services. Which approach meets these requirements?
Configure an Amazon S3 bucket policy that allows public write access and require users to include a secret access key with their uploads.
Deploy an AWS Lambda function that receives the photo data from the mobile app, authenticates the user, and then uploads the photo to S3 on the user's behalf.
Use Amazon Cognito to federate social logins and grant each authenticated user temporary AWS credentials so the mobile app can call the S3 PutObject API directly.
Create a dedicated IAM user for every application user and distribute their long-term access keys with the mobile app.
Amazon Cognito can federate logins from social identity providers such as Facebook, Google, and Apple. After successful authentication, an Amazon Cognito identity pool exchanges the provider's token for temporary AWS credentials (via AWS STS). The mobile app can then call the Amazon S3 PutObject API directly with those credentials, so the images are uploaded straight from the device to the protected bucket. This removes the need for the application to host or scale authentication code or to generate presigned URLs for every object, while still enforcing least-privilege access through IAM roles attached to the identity pool.
Incorrect answers:
Allowing public writes and distributing secret keys exposes the bucket to abuse and violates security best practices.
Having a Lambda function receive the file and then upload it routes the photo through backend code, which the scenario explicitly forbids.
Creating individual IAM users with long-term keys is not scalable and increases the risk of credential leakage.
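The least-privilege half of the correct answer lives in the IAM role that the identity pool hands to authenticated users. The CloudFormation template below is an added example, not part of the original question or any AWS sample; it assumes placeholder resource names and a placeholder Google client ID, and uses the policy variable `${cognito-identity.amazonaws.com:sub}` so each federated user can write only under a prefix named after their own identity.

```yaml
# Added example (assumptions: resource names and the Google client ID are placeholders).
# The bucket stays private; uploads are authorized per-user via the role below.
Resources:
  PhotoBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:   # no public writes, unlike the first answer option
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  PhotoIdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      AllowUnauthenticatedIdentities: false   # only federated, logged-in users get credentials
      SupportedLoginProviders:
        accounts.google.com: "GOOGLE_CLIENT_ID_PLACEHOLDER"
  AuthenticatedUploadRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only this identity pool, and only authenticated identities, may assume the role.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                cognito-identity.amazonaws.com:aud: !Ref PhotoIdentityPool
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr: authenticated
      Policies:
        - PolicyName: UploadOwnPhotosOnly
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: s3:PutObject     # PutObject only; no read, list or delete on others' objects
                # ${!...} tells !Sub to emit the literal IAM variable instead of substituting it.
                Resource: !Sub "${PhotoBucket.Arn}/uploads/${!cognito-identity.amazonaws.com:sub}/*"
  RoleAttachment:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref PhotoIdentityPool
      Roles:
        authenticated: !GetAtt AuthenticatedUploadRole.Arn
```

The mobile app then exchanges the social provider's token for temporary credentials scoped by this role and calls PutObject on `uploads/<its own identity id>/...`; a call to any other prefix is denied by IAM, not by application code.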