DVA-C02 · Question #501
A developer is writing a web application that must share secure documents with end users. The documents are stored in a private Amazon S3 bucket. The application must allow only authenticated users to
The correct answer is B. Create a presigned S3 URL using the AWS SDK with an expiration time of 15 minutes.. This question tests knowledge of Amazon S3 presigned URLs to grant time-limited, authenticated access to private S3 objects without changing bucket permissions.
Question
A developer is writing a web application that must share secure documents with end users. The documents are stored in a private Amazon S3 bucket. The application must allow only authenticated users to download specific documents when requested, and only for a duration of 15 minutes. How can the developer meet these requirements?
Options
- ACopy the documents to a separate S3 bucket that has a lifecycle policy for deletion after 15
- BCreate a presigned S3 URL using the AWS SDK with an expiration time of 15 minutes.
- CUse server-side encryption with AWS KMS managed keys (SSE-KMS) and download the
- DModify the S3 bucket policy to only allow specific users to download the documents. Revert the
How the community answered
(63 responses)- A5% (3)
- B81% (51)
- C11% (7)
- D3% (2)
Why each option
This question tests knowledge of Amazon S3 presigned URLs to grant time-limited, authenticated access to private S3 objects without changing bucket permissions.
Copying documents to a separate bucket with a lifecycle deletion policy does not restrict access to authenticated users and introduces unnecessary data duplication and operational overhead.
S3 presigned URLs allow the application to generate a temporary, signed URL for a specific object using AWS SDK credentials. The URL embeds the caller's identity and a configurable expiration time of 15 minutes, so only the user who receives the URL can access the document during that window, after which the URL becomes invalid.
SSE-KMS encrypts data at rest but does not provide a mechanism to control access duration or generate time-limited download links for specific users.
Modifying and manually reverting bucket policies is not scalable, cannot enforce per-user or per-request time limits, and introduces significant operational risk.
Concept tested: S3 presigned URLs for time-limited authenticated access
Source: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ShareObjectPreSignedURL.html
Community Discussion
No community discussion yet for this question.