Amazon Exam SCS-C01 Topic 7 Question 66 Discussion

Actual exam question for Amazon's SCS-C01 exam

Question #: 66
Topic #: 7

A web application gives users the ability to log in verify their membership's validity and browse artifacts that are stored in an Amazon S3 bucket. When a user attempts to download an object, the application must verify the permission to access the object and allow the user to download the object from a custom domain name such as example com.

What is the MOST secure way for a security engineer to implement this functionality?

AConfigure read-only access to the object by using a bucket ACL. Remove the access after a set time has elapsed.

BImplement an IAM policy to give the user read access to the S3 bucket.

CCreate an S3 presigned URL Provide the S3 presigned URL to the user through the application.

DCreate an Amazon CloudFront signed URL. Provide the CloudFront signed URL to the user through the application.

Show Suggested Answer

Suggested Answer: D

For this scenario you would need to set up static website hosting because a custom domain name is listed as a requirement. 'Amazon S3 website endpoints do not support HTTPS or access points. If you want to use HTTPS, you can use Amazon CloudFront to serve a static website hosted on Amazon S3.' This is not secure. https://docs.aws.amazon.com/AmazonS3/latest/userguide/website-hosting-custom-domain-walkthrough.html CloudFront signed URLs allow much more fine-grained control as well as HTTPS access with custom domain names: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html

by Latia at Jul 13, 2024, 03:47 AM

Limited Time Offer

25%

Off

Get Premium SCS-C01 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Cammy

7 days ago

Option B is a big no-no. Giving users direct access to the S3 bucket is a security nightmare waiting to happen.

upvoted 0 times

...

Reena

9 days ago

Haha, option D sounds like a lot of extra work. Why bother with CloudFront when you can just use the simple presigned URL approach?

upvoted 0 times

...

Jamal

25 days ago

I think configuring read-only access with a bucket ACL and removing access after a set time is a good security measure too.

upvoted 0 times

...

Phuong

28 days ago

I believe creating an S3 presigned URL is also secure, as it limits the access to a specific time period.

upvoted 0 times

...

Eve

29 days ago

I agree with Quinn. Using CloudFront signed URL adds an extra layer of security.

upvoted 0 times

...

Christiane

1 months ago

I agree, C is the best option. Presigned URLs provide a secure way to grant temporary access without managing IAM policies.

upvoted 0 times

...

Kerrie

1 months ago

Option C seems like the most secure choice. Generating a presigned URL allows you to give temporary access without exposing the S3 bucket directly.

upvoted 0 times

Virgilio

23 hours ago

A) Configure read-only access to the object by using a bucket ACL. Remove the access after a set time has elapsed.

upvoted 0 times

...

Leonardo

14 days ago

C) Create an S3 presigned URL Provide the S3 presigned URL to the user through the application.

upvoted 0 times

...

Quinn

2 months ago

I think the most secure way is to create an Amazon CloudFront signed URL.

upvoted 0 times

...