A company moved some of its secure files to a private Amazon S3 bucket that has no public access. The company wants to develop a serverless application that gives its employees the ability to log in and securely share the files with other users.
Which AWS feature should the company use to share and access the files securely?
To securely share and access files in a private Amazon S3 bucket, the best AWS feature to use is S3 presigned URLs. S3 presigned URLs allow the application to generate a temporary URL that grants time-limited access to specific S3 objects. This method ensures that access is secure and only available for a limited time, without changing the overall permissions of the S3 bucket or the objects. This is suitable for a serverless application where secure, temporary sharing of files is required.
Employees log into the serverless application using an Amazon Cognito User Pool. Once logged in, the application's back-end logic (possibly a Lambda function) generates an S3 pre-signed URL for the requested file. The pre-signed URL is then given to the authenticated user, allowing them secure, time-limited access to that specific S3 object. So, while both Amazon Cognito User Pool and S3 Pre-signed URLs would be used in the solution, S3 Pre-signed URLs (Option B) are the specific feature that allows for the secure, temporary sharing of S3 files. Therefore, Option B would be the best answer to the question of how to "share and access the files securely."
the key words are ability to log in and securely share the files. It is A
I agree 'log in' would go user pool.
But we need to answer a question not task condition
I say 'B' because: The question is "Which AWS feature should the company use to share and access the files securely?" if you look at this part there is no mention about login part. Though there is requirement for the application as a whole, the question targets only about sharing and accessing files securely.
Actual ask is in the final line "Which AWS feature should the company use to share and access the files securely?" -> S3 Pre-signed URL provides the most secure feature.
I agree... B is the only option that is specific to sharing of files. Identity/User pools are for authentication (log in to the S3 bucket).
The answer must be B. So although in the question it says "gives its employees the ability to log in" (which is hinting towards Cognito User Pools) the question is actually asking: "Which AWS feature should the company use to share and access the files securely?" The question is actually about how to share and access the files securely. Hence it must be the S3 pre-signed URL option. To read up more on S3 pre-signed URLs check here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ShareObjectPreSignedURL.html
Actually, the quesion is about "what feature will be used by the new serverless application to share and access the files securely". Ability to log in is about "Amazon Cognito user pool". Imagine "Lambda function" and "API Gateway" are created as a serverless app to provide some API. When you call API endpoint, it will login to "Amazon Cognito user pool" and then share files using SDK. How it will share is the next question. My answer is A
Secure solution for sharing private s3 resource
ChatGPT: B
I will go with B because its purely asking about sharing and no mention about external logins so we should go by default AWS feature which provides this feature, https://docs.aws.amazon.com/AmazonS3/latest/userguide/ShareObjectPreSignedURL.html
Which AWS feature should the company use to share and access the files securely? So, It's B. S3 Pre-signed URL can used to share S3 object to other people securely.
in order to log in you need to use cognito user pools
This option allows secure, temporary access to specific objects in an S3 bucket. By generating presigned URLs, the serverless application can grant users time-limited access to download or upload files without altering the permissions of the S3 bucket or the objects. This method ensures secure access management and is suitable for sharing private files among authenticated users.
An Amazon Cognito identity pool provides temporary AWS credentials for users who authenticate via Amazon Cognito. This allows your application users (employees, in this case) to securely authenticate and gain access to AWS services like S3 based on their assigned roles and permissions. Through Amazon Cognito, you can manage user identities, control user access to resources, and provide temporary, limited-privilege credentials to access the S3 bucket securely.
I'll go with B. The question is what the company should use to share and access the files securely. We can ignore the task condition
Login of external to AWS users, we can use Cognito. Identity Pool is specifically for DynamoDB and S3. Use an identity pool when you need to: Give your users access to AWS resources, such as an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon DynamoDB table. https://repost.aws/knowledge-center/cognito-user-pools-identity-pools
It's not A, Cognito user pool is not needed, only employees need ability to log in, they can be provided with IAM accounts.
B is the correct answer.