Secure Authentication and Authorization for Amazon S3 Photo-Sharing Service


Question

Your mobile application includes a photo-sharing service that is expecting tens of thousands of users at launch.

You will use Amazon Simple Storage Service (S3) to store the user images, and you must decide how to authenticate and authorize your users for access to these images.

You also need to manage the storage of these images.

Which two of the following approaches should you use? Choose two answers from the options below.


Answer - C and E.

The AWS Security Token Service (STS) is a web service that lets you request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate yourself (federated users).

The temporary credentials can then be used to grant access to the objects in S3.

Access to those objects can then be scoped per user, because each user's object keys are generated from that user's ID.

Option A is possible, but it becomes a maintenance overhead because of the number of buckets involved.

Option B is invalid because using IAM users as an application-level user database is not a good security practice.

Option D is invalid because SMS tokens are not an efficient way to meet this requirement.

For more information on the Security Token Service, refer to the link below:

https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html

Option A: Create an Amazon S3 bucket per user, and use your application to generate the S3 URL for the appropriate content.

Creating an S3 bucket for each user may result in high costs and maintenance overhead, as you will need to manage a large number of buckets. Additionally, the bucket naming convention may be difficult to maintain over time. This approach may work for small-scale applications, but for tens of thousands of users it is not scalable.

Option B: Use AWS Identity and Access Management (IAM) user accounts as your application-level user database, and offload the burden of authentication from your application code.

This is a good option as it allows you to use the built-in IAM authentication and authorization mechanisms provided by AWS. IAM is a centralized service for managing users, groups, and permissions. IAM allows you to control access to AWS services and resources, including S3. By using IAM, you can offload the burden of authentication and authorization from your application code and rely on AWS to manage this for you.

Option C: Authenticate your users at the application level, and use AWS Security Token Service (STS) to grant token-based authorization to S3 objects.

This option allows you to authenticate your users at the application level, but instead of managing authorization within your application, you can use the AWS Security Token Service (STS) to issue temporary security credentials to your users. These credentials are valid for a limited time and can be used to access S3 objects. This approach can help improve security by reducing the risk of long-term credential theft.

Option D: Authenticate your users at the application level, and send an SMS token message to the user. Create an Amazon S3 bucket with the same name as the SMS message token, and move the user's objects to that bucket.

This approach is not recommended as it may be difficult to manage and maintain over time. Additionally, it may be hard to scale this approach as it requires creating a new bucket for each user.

Option E: Use a key-based naming scheme built from the user IDs for all user objects in a single Amazon S3 bucket.

This approach is a good option as it allows you to store all user objects in a single S3 bucket, reducing the overhead of managing multiple buckets. By using a key-based naming scheme that includes the user ID, you can easily identify and manage user objects. Additionally, S3 provides fine-grained access control that can be used to manage authorization for individual objects.
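As an added example (not part of the original question or of AWS's own documentation), the following Python code shows how options C and E fit together: the application validates the user ID, derives that user's key prefix in a single bucket, and builds a session policy that narrows the STS credentials to that prefix. It assumes a boto3 STS client and a role ARN supplied by the caller; the bucket name `example-photo-bucket` and the `users/<id>/` key scheme are constructed values.

```python
"""Scope temporary S3 credentials to one user's key prefix (options C and E)."""
import json
import re

# Constructed example values; replace with your own bucket and key scheme.
BUCKET = "example-photo-bucket"
USER_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def is_valid_user_id(user_id: str) -> bool:
    """Accept only a conservative character set for IDs used in S3 keys.

    Rejecting '/', '..', '*' and '?' keeps an untrusted ID from escaping its
    prefix or widening the wildcard resource ARN in the session policy.
    """
    return USER_ID_RE.fullmatch(user_id) is not None


def user_prefix(user_id: str) -> str:
    """Return the key prefix under which this user's objects are stored."""
    if not is_valid_user_id(user_id):
        raise ValueError(f"invalid user id: {user_id!r}")
    return f"users/{user_id}/"


def session_policy(user_id: str) -> dict:
    """Build the session policy passed to STS; it can only narrow the role's permissions."""
    prefix = user_prefix(user_id)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # object access only under this user's prefix
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": [f"arn:aws:s3:::{BUCKET}/{prefix}*"],
            },
            {   # listing is allowed, but only within the same prefix
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{BUCKET}"],
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
        ],
    }


def issue_credentials(sts_client, role_arn: str, user_id: str, ttl: int = 900) -> dict:
    """Call STS AssumeRole with the scoped session policy and return the temporary credentials.

    sts_client is a boto3 STS client and role_arn a role the application may assume
    (hypothetical, supplied at runtime); ttl is the credential lifetime in seconds.
    """
    resp = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName=f"photo-{user_id}",
        Policy=json.dumps(session_policy(user_id)),
        DurationSeconds=ttl,
    )
    return resp["Credentials"]
```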