AWS SAA-C03 Exam: Troubleshooting Pre-Signed URLs Error

Question

You have an application on EC2 which stores the files in an S3 bucket.

EC2 is being launched using a role that has GetObject permissions on the S3 bucket defined in its policy.

The users who authenticate to this application receive a pre-signed URL for the files in the S3 bucket, generated with the EC2 role's temporary credentials.

However, users are reporting that they get an error when accessing pre-signed URLs.

What could be the reason? (SELECT TWO)

Answers

Explanations

Answer: A, C.

All objects in S3 are private by default.

Only the object owner has permission to access these objects.

However, the object owner can optionally share objects with others by creating a pre-signed URL, using their own security credentials, to grant time-limited permission to download the objects.

Anyone who receives the pre-signed URL can then access the object.

For example, if you have a video in your bucket and both the bucket and the object are private, you can share the video with others by generating a pre-signed URL.

For more information, refer to the documentation here.

https://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html

For option A, when generating a pre-signed URL programmatically with the SDK/API, you specify how long the URL should remain valid.

When the URL is accessed after the specified duration, you will get an error.

For option B, AWS recommends using temporary credentials whenever users need time-limited access to AWS resources instead of using IAM users for each request.

For more information on temporary credentials, refer to the documentation here.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html

For option C, if a bucket policy contains a statement with Effect set to Deny, you must explicitly exempt (whitelist) every IAM principal that needs access to the bucket.

Otherwise, those IAM principals cannot access the S3 bucket even if their own policies grant full access, because an explicit Deny overrides any Allow.

For detailed information on how to restrict the bucket, refer to documentation here.

https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/
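To make the explicit-deny reasoning behind option C concrete, here is an added Python example that is not from the question page, the linked blog post or AWS. It places the weak bucket policy next to a corrected one and runs a deliberately simplified evaluator over both: an explicit Deny that matches the request wins outright, otherwise the role's own identity policy decides. The role unique ID, account ID, bucket name and instance ID are constructed placeholders, and the aws:userId condition is the pattern used to exempt one role (every session of it) from a bucket-wide Deny.

```python
import fnmatch

# Constructed placeholders: AROAEXAMPLEROLEID stands in for the EC2 role's unique ID
# (the RoleId field of `aws iam get-role`), 111122223333 for the account ID.
ROLE_UNIQUE_ID = "AROAEXAMPLEROLEID"
ACCOUNT_ID = "111122223333"
BUCKET = "example-bucket"
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/report.pdf"


def _deny_statement(condition=None):
    stmt = {
        "Sid": "DenyAllExceptTrustedRole",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }
    if condition:
        stmt["Condition"] = condition
    return stmt


# Weak policy: an explicit Deny with no exception. It overrides the role's Allow,
# so every pre-signed URL the role signs is rejected.
BROKEN_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [_deny_statement()]}

# Corrected policy: the Deny applies only to principals whose aws:userId is NOT a session
# of the role (":*" covers any session name) and NOT the account root.
FIXED_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [_deny_statement({
    "StringNotLike": {"aws:userId": [f"{ROLE_UNIQUE_ID}:*", ACCOUNT_ID]}
})]}

# Request contexts. An instance-profile session's aws:userId is <RoleId>:<instance-id>.
EC2_ROLE_SESSION = {"aws:userId": f"{ROLE_UNIQUE_ID}:i-0123456789abcdef0"}
OTHER_PRINCIPAL = {"aws:userId": "AIDAEXAMPLEUSERID"}  # placeholder IAM user in the same account


def _matches_any(patterns, value):
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Supports StringLike and StringNotLike only; any other operator counts as not met."""
    for operator, clauses in condition.items():
        if operator not in ("StringLike", "StringNotLike"):
            return False
        for key, patterns in clauses.items():
            matched = _matches_any(patterns, context.get(key, ""))
            if operator == "StringLike" and not matched:
                return False
            if operator == "StringNotLike" and matched:
                return False
    return True


def evaluate(bucket_policy, context, action, resource, identity_allows):
    """Simplified same-account evaluation. Principal "*" is treated as matching everyone;
    a matching explicit Deny wins; otherwise the caller's identity policy decides."""
    for stmt in bucket_policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not _matches_any(stmt["Action"], action):
            continue
        if not _matches_any(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return f"DENIED: explicit Deny in bucket policy statement {stmt['Sid']}"
    return "ALLOWED" if identity_allows else "DENIED: no matching Allow"


def check_presigned_get(policy, context, identity_allows=True):
    """The request a pre-signed URL makes is evaluated as the signer, so the signer's
    context and permissions are what matter, not the anonymous user clicking the link."""
    return evaluate(policy, context, "s3:GetObject", OBJECT_ARN, identity_allows)


if __name__ == "__main__":
    print("broken policy, EC2 role :", check_presigned_get(BROKEN_BUCKET_POLICY, EC2_ROLE_SESSION))
    print("fixed policy,  EC2 role :", check_presigned_get(FIXED_BUCKET_POLICY, EC2_ROLE_SESSION))
    print("fixed policy,  other    :", check_presigned_get(FIXED_BUCKET_POLICY, OTHER_PRINCIPAL))
```

The third case shows the property the explanation above relies on: under the corrected policy the other principal is still refused even though `identity_allows` is True, because the explicit Deny is evaluated before any Allow counts.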

For option D, the policy is an optional parameter when temporary credentials are generated using AssumeRole (which is how EC2 obtains temporary credentials through an instance profile).

There is no default policy.

Policy

An IAM policy in JSON format.

This parameter is optional. If you pass a policy to this operation, the resulting temporary credentials have the permissions of the assumed role and the policy that you pass. This gives you a way to further restrict the permissions for the resulting temporary security credentials. You cannot use the passed policy to grant permissions that are in excess of those allowed by the permissions policy of the role that is being assumed. For more information, see Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity in the IAM User Guide.

The format for this parameter, as described by its regex pattern, is a string of characters up to 2048 characters in length. The characters can be any ASCII character from the space character to the end of the valid character list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage return (\u000D) characters.

Note

The policy plaintext must be 2048 bytes or shorter. However, an internal conversion compresses it into a packed binary format with a separate limit. The PackedPolicySize response element indicates by percentage how close to the upper size limit the policy is, where 100 percent is the maximum allowed size.

Type: String
Length Constraints: Minimum length of 1. Maximum length of 2048.
Pattern: [\u0009\u000A\u000D\u0020-\u00FF]+

Required: No

The most likely reasons why users are reporting errors when accessing pre-signed URLs are:

A. Pre-Signed URLs expired: Pre-signed URLs are valid for a limited duration of time, which is set when the URL is generated. If the users are accessing pre-signed URLs after their expiration time, they will receive an error.

C. Bucket has a "Deny" policy. EC2 role not whitelisted in the policy statement with Allow: It is possible that the S3 bucket has a "Deny" policy, which prevents access to the bucket for all users or roles, including the EC2 instance role. If the EC2 instance role is not whitelisted in the policy statement with Allow, users will receive an error when accessing pre-signed URLs.

B. Logged-in user must be an IAM user to download the file through a pre-signed URL: This is not a valid reason why users are reporting errors when accessing pre-signed URLs. Pre-signed URLs can be used by any user, including anonymous users, to access S3 objects if they have the correct URL.

D. The default policy on temporary credentials does not have GetObject privileges on an S3 bucket: This is also not a valid reason why users are reporting errors when accessing pre-signed URLs. The EC2 instance role has GetObject permissions on the S3 bucket defined in its policy. The pre-signed URLs generated using the EC2 role temporary credentials inherit the permissions of the role, so they should also have GetObject privileges on the S3 bucket.

Therefore, the two most likely reasons for the error are A and C.