nerdexam
Amazon

DVA-C02 · Question #501

A developer is writing a web application that must share secure documents with end users. The documents are stored in a private Amazon S3 bucket. The application must allow only authenticated users to

The correct answer is B. Create a presigned S3 URL using the AWS SDK with an expiration time of 15 minutes.. This question tests knowledge of Amazon S3 presigned URLs to grant time-limited, authenticated access to private S3 objects without changing bucket permissions.

Submitted by salim_om· Mar 5, 2026Security

Question

A developer is writing a web application that must share secure documents with end users. The documents are stored in a private Amazon S3 bucket. The application must allow only authenticated users to download specific documents when requested, and only for a duration of 15 minutes. How can the developer meet these requirements?

Options

  • ACopy the documents to a separate S3 bucket that has a lifecycle policy for deletion after 15
  • BCreate a presigned S3 URL using the AWS SDK with an expiration time of 15 minutes.
  • CUse server-side encryption with AWS KMS managed keys (SSE-KMS) and download the
  • DModify the S3 bucket policy to only allow specific users to download the documents. Revert the

How the community answered

(63 responses)
  • A
    5% (3)
  • B
    81% (51)
  • C
    11% (7)
  • D
    3% (2)

Why each option

This question tests knowledge of Amazon S3 presigned URLs to grant time-limited, authenticated access to private S3 objects without changing bucket permissions.

ACopy the documents to a separate S3 bucket that has a lifecycle policy for deletion after 15

Copying documents to a separate bucket with a lifecycle deletion policy does not restrict access to authenticated users and introduces unnecessary data duplication and operational overhead.

BCreate a presigned S3 URL using the AWS SDK with an expiration time of 15 minutes.Correct

S3 presigned URLs allow the application to generate a temporary, signed URL for a specific object using AWS SDK credentials. The URL embeds the caller's identity and a configurable expiration time of 15 minutes, so only the user who receives the URL can access the document during that window, after which the URL becomes invalid.

CUse server-side encryption with AWS KMS managed keys (SSE-KMS) and download the

SSE-KMS encrypts data at rest but does not provide a mechanism to control access duration or generate time-limited download links for specific users.

DModify the S3 bucket policy to only allow specific users to download the documents. Revert the

Modifying and manually reverting bucket policies is not scalable, cannot enforce per-user or per-request time limits, and introduces significant operational risk.

Concept tested: S3 presigned URLs for time-limited authenticated access

Source: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ShareObjectPreSignedURL.html

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice