Secure and Scalable User Image Storage with Amazon S3 - Best Practices

Managing User Image Storage with Amazon S3


Question

Your mobile application includes a photo-sharing service that is expecting tens of thousands of users at launch.

You will leverage Amazon Simple Storage Service (S3) to store the user images, and you must decide how to authenticate and authorize your users for access to these images.

You need to follow security best practices and minimize the maintenance overhead when managing the storage of these images.

Which two of the following approaches should you use? Choose two answers from the options below.

Answers

Explanations


A. B. C. D. E.

Answer - C and E.

The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users).

The token can then be used to grant access to the objects in S3.

You can then provide access to the objects based on the key values generated from the user ID.

Option A is possible but then becomes a maintenance overhead because of the number of buckets.

Option B is invalid because using IAM users is not a good security practice.

Option D is invalid because SMS tokens are not efficient for this requirement.

For more information on the Security Token Service, refer to the link below:

http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html
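The combination the answer key describes (temporary STS credentials scoped to a per-user key prefix in one bucket) can be sketched as follows. This is an added example, not part of the original page: the bucket name, the `users/<id>/` key layout and the user-ID format are assumptions, and the local matcher is a simplified stand-in for IAM evaluation so the scoping can be checked offline.

```python
import json
import re

BUCKET = "example-photo-bucket"                     # assumed bucket name
USER_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")     # assumed ID format: no '/', '*', '?', '$'

def session_policy(user_id: str) -> dict:
    """Policy document limiting temporary credentials to users/<user_id>/.

    json.dumps() of this dict is what would be supplied as the Policy
    parameter of an STS call such as AssumeRole or GetFederationToken.
    """
    if not USER_ID_RE.fullmatch(user_id):
        raise ValueError("user id contains characters unsafe in a key prefix")
    prefix = f"users/{user_id}/"    # trailing slash: 'u1' must not cover 'u10'
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{BUCKET}/{prefix}*"},
            {"Effect": "Allow",
             "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{BUCKET}",
             "Condition": {"StringLike": {"s3:prefix": f"{prefix}*"}}},
        ],
    }

def _iam_match(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.DOTALL) is not None

def allows_object(policy: dict, action: str, key: str) -> bool:
    """Simplified check of unconditional Allow statements (no Deny handling)."""
    arn = f"arn:aws:s3:::{BUCKET}/{key}"
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if (st["Effect"] == "Allow" and "Condition" not in st
                and action in actions and _iam_match(st["Resource"], arn)):
            return True
    return False

if __name__ == "__main__":
    policy = session_policy("u1")   # constructed sample user ID
    print(json.dumps(policy, indent=2))
    for key in ("users/u1/cat.jpg", "users/u10/cat.jpg", "users/u2/cat.jpg"):
        print(key, allows_object(policy, "s3:GetObject", key))
```

Validating the user ID before it is placed in the resource ARN keeps a crafted ID from widening the prefix with a wildcard or an extra path segment.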

The two approaches that should be used to authenticate and authorize users for access to their images stored in Amazon Simple Storage Service (S3) while minimizing maintenance overhead and following security best practices are:

B. Use AWS Identity and Access Management (IAM) user accounts as your application-level user database, and offload the burden of authentication from your application code.

This approach involves creating IAM user accounts that serve as the application-level user database. The IAM service manages the authentication and authorization for these users, which offloads the burden of authentication from the application code. This reduces the maintenance overhead and also ensures that access to the images is controlled through IAM policies that specify who can access the images and what actions they can perform on them. IAM policies can be used to control access at the user, group, or role level, and they can be assigned to S3 buckets or objects. This approach is secure and easy to manage, making it a good choice for managing access to S3 objects.

E. Use a key-based naming scheme comprised of user IDs for all user objects in a single Amazon S3 bucket. Use IAM policies and bucket policy to control permissions. Each user should only have access to its own folder.

This approach involves using a key-based naming scheme comprised of user IDs to name all user objects in a single S3 bucket. Each user has access only to their own folder, which is controlled through IAM policies and bucket policies. This approach is also secure and easy to manage, making it a good choice for managing access to S3 objects. It reduces maintenance overhead by keeping all objects in a single bucket while ensuring that access is restricted to each user's own folder.

The other options are not suitable for managing access to S3 objects because:

A. Creating an S3 bucket per user is not practical for tens of thousands of users, as it would lead to a high number of buckets, which can be difficult to manage and may result in additional costs.

C. Using AWS Security Token Service (STS) to grant token-based authorization to S3 objects requires additional overhead for managing and renewing the tokens, which can be impractical for tens of thousands of users.

D. Creating an S3 bucket with the same name as the SMS message token and moving the user's objects to that bucket is not a practical approach as it would lead to a high number of buckets, which can be difficult to manage and may result in additional costs. Moreover, it is not secure since anyone who knows the SMS message token could potentially access the user's objects.