Exam AWS Certified Developer - Associate DVA-C02 topic 1 question 90 discussion

Employees log into the serverless application using an Amazon Cognito User Pool. Once logged in, the application's back-end logic (possibly a Lambda function) generates an S3 pre-signed URL for the requested file. The pre-signed URL is then given to the authenticated user, allowing them secure, time-limited access to that specific S3 object. So, while both Amazon Cognito User Pool and S3 Pre-signed URLs would be used in the solution, S3 Pre-signed URLs (Option B) are the specific feature that allows for the secure, temporary sharing of S3 files. Therefore, Option B would be the best answer to the question of how to "share and access the files securely."

the key words are ability to log in and securely share the files. It is A

A presigned URL doesn't allow you to share files with others. The last line of the question specifically asks which service would give you the ability not only to access but also to share files too. In that case, CIP seems to be the service to give temporary credentials to AWS resources and perform whatever is specified in the bucket policy

A) Eliminated - While Cognito is useful for managing user authentication, it does not directly provide the capability to securely share files from an S3 bucket.

I had my doubt on this, but once more they are evaluating if you are reading with attention and not if you have knowldge hehe tricky question, but the punch line question is What feature would be used to share the files securely, ignoring the login part.

I'll go with B. The question is what the company should use to share and access the files securely. We can ignore the task condition

B is the correct answer.

This option allows secure, temporary access to specific objects in an S3 bucket. By generating presigned URLs, the serverless application can grant users time-limited access to download or upload files without altering the permissions of the S3 bucket or the objects. This method ensures secure access management and is suitable for sharing private files among authenticated users.

in order to log in you need to use cognito user pools

Actually, the quesion is about "what feature will be used by the new serverless application to share and access the files securely". Ability to log in is about "Amazon Cognito user pool". Imagine "Lambda function" and "API Gateway" are created as a serverless app to provide some API. When you call API endpoint, it will login to "Amazon Cognito user pool" and then share files using SDK. How it will share is the next question. My answer is A

The answer must be B. So although in the question it says "gives its employees the ability to log in" (which is hinting towards Cognito User Pools) the question is actually asking: "Which AWS feature should the company use to share and access the files securely?" The question is actually about how to share and access the files securely. Hence it must be the S3 pre-signed URL option. To read up more on S3 pre-signed URLs check here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ShareObjectPreSignedURL.html

Which AWS feature should the company use to share and access the files securely? So, It's B. S3 Pre-signed URL can used to share S3 object to other people securely.

It's not A, Cognito user pool is not needed, only employees need ability to log in, they can be provided with IAM accounts.

An Amazon Cognito identity pool provides temporary AWS credentials for users who authenticate via Amazon Cognito. This allows your application users (employees, in this case) to securely authenticate and gain access to AWS services like S3 based on their assigned roles and permissions. Through Amazon Cognito, you can manage user identities, control user access to resources, and provide temporary, limited-privilege credentials to access the S3 bucket securely.

I will go with B because its purely asking about sharing and no mention about external logins so we should go by default AWS feature which provides this feature, https://docs.aws.amazon.com/AmazonS3/latest/userguide/ShareObjectPreSignedURL.html

ChatGPT: B

Login of external to AWS users, we can use Cognito. Identity Pool is specifically for DynamoDB and S3. Use an identity pool when you need to: Give your users access to AWS resources, such as an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon DynamoDB table. https://repost.aws/knowledge-center/cognito-user-pools-identity-pools