
Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 58 discussion

An application hosted on AWS is experiencing performance problems, and the application vendor wants to perform an analysis of the log file to troubleshoot further. The log file is stored on Amazon S3 and is 10 GB in size. The application owner will make the log file available to the vendor for a limited time.
What is the MOST secure way to do this?

  • A. Enable public read on the S3 object and provide the link to the vendor.
  • B. Upload the file to Amazon WorkDocs and share the public link with the vendor.
  • C. Generate a presigned URL and have the vendor download the log file before it expires.
  • D. Create an IAM user for the vendor to provide access to the S3 bucket and the application. Enforce multi-factor authentication.
Suggested Answer: C
Share an object with others
All objects by default are private. Only the object owner has permission to access these objects. However, the object owner can optionally share objects with others by creating a presigned URL, using their own security credentials, to grant time-limited permission to download the objects.
When you create a presigned URL for your object, you must provide your security credentials and specify a bucket name, an object key, the HTTP method (GET to download the object), and an expiration date and time. Presigned URLs are valid only for the specified duration.
Anyone who receives the presigned URL can then access the object. For example, if you have a video in your bucket and both the bucket and the object are private, you can share the video with others by generating a presigned URL.
Reference:
https://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html

Comments

DK2
Highly Voted 3 years, 9 months ago
C here.
upvoted 47 times
aguy9
3 years, 8 months ago
I agree, it is C
upvoted 4 times
...
...
dkcloudguru
Highly Voted 3 years, 9 months ago
C is correct. A and B provide a public link, which raises security concerns. Option D is not suitable because in the question it is a vendor user accessing a log file; the user accesses the application which is hosted in AWS and is not the one who has access permission to AWS console management, so creating IAM is not feasible.
upvoted 21 times
Karthikeyan_nick
3 years, 2 months ago
I agree, it's the most secure way to access S3 for a short period
upvoted 1 times
...
...
fro13
Most Recent 1 year, 11 months ago
Selected Answer: C
Pre-signed url for this case
upvoted 1 times
...
bora4motion
2 years, 11 months ago
Selected Answer: C
that's what the presigned urls are for
upvoted 1 times
...
Fr77
2 years, 11 months ago
C should be the correct answer plus the question apparently states that the vendor being the vendor has access to the application and the company might just be using S3 to store logs, right????
upvoted 1 times
...
Mashuaws
3 years, 6 months ago
C is the answer
upvoted 1 times
...
Vibes
3 years, 7 months ago
C is ok
upvoted 2 times
...
woke
3 years, 7 months ago
C is correct
upvoted 3 times
...
KK_uniq
3 years, 8 months ago
C for sure
upvoted 3 times
...
syu31svc
3 years, 8 months ago
https://docs.aws.amazon.com/AmazonS3/latest/userguide/ShareObjectPreSignedURL.html C is correct
upvoted 3 times
...
mryala
3 years, 8 months ago
it's C
upvoted 2 times
...
Ankitrathi85
3 years, 8 months ago
C right
upvoted 2 times
...
arunchu
3 years, 8 months ago
I agree it is C
upvoted 2 times
...
anpt
3 years, 8 months ago
CCCCCCCCCCCCCCCCCCCCCCC
upvoted 4 times
...
venh123
3 years, 8 months ago
C is right
upvoted 2 times
...
anotherlameaccount
3 years, 8 months ago
I have to disagree with the common logic here. For me the answer is D because in C you allow the user to directly download the logs and have them or even distribute them. D is the most secure because you create account for the user... give me the read access and have full control over what he can copy paste even.
upvoted 1 times
Toks2021
3 years, 8 months ago
Exactly my thoughts!
upvoted 1 times
...
anotherlameaccount
3 years, 8 months ago
nevertheless, I see now that in D they say give access to log files and app both. so it seems like a wrong answer. The next best is C in that case. I would always do the D approach in real life scenario tho.... It is 100 times more secure
upvoted 5 times
...
...
Hari_krish
3 years, 8 months ago
A presigned URL is generated by an AWS user who has access to the object. The generated URL is then given to the unauthorized user. The presigned URL can be entered in a browser or used by a program or HTML webpage. The credentials used by the presigned URL are those of the AWS user who generated the URL. A presigned URL remains valid for a limited period of time which is specified when the URL is generated.
upvoted 1 times
...