You have an application running on EC2 that stores its files in an S3 bucket.
The EC2 instance is launched with an IAM role whose policy grants GetObject on that bucket.
Users who authenticate to the application receive a pre-signed URL for files in the bucket, generated with the EC2 role's temporary credentials.
However, users report that they get an error when accessing the pre-signed URLs.
What could be the reason? (SELECT TWO)
A. Pre-signed URLs expired.
B. The logged-in user must be an IAM user to download the file through a pre-signed URL.
C. The bucket has a "Deny" policy and the EC2 role is not whitelisted in a policy statement with Allow.
D. The default policy on temporary credentials does not have GetObject privileges on the S3 bucket.
Answer: A, C.
All objects in S3 are private by default.
Only the object owner, or a principal that has been explicitly granted permission, can access them.
However, the object owner can optionally share objects with others by creating a pre-signed URL, signed with their own security credentials, that grants time-limited permission to download the object.
Anyone who receives the pre-signed URL can then access the object until the URL expires; they do not need AWS credentials of their own.
For example, if you have a video in your bucket and both the bucket and the object are private, you can share the video with others by generating a pre-signed URL.
For more information, refer to the documentation here:
https://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html
For option A: when generating a pre-signed URL programmatically with the SDK/API, you specify how long the URL should be valid (for SigV4, at most seven days).
When the URL is accessed after that duration, S3 rejects the request with an AccessDenied error stating that the request has expired.
There is a second, less obvious expiry to check here: the URL is signed with the instance role's temporary credentials, and a pre-signed URL stops working when the credentials that signed it expire, even if the URL itself was given a longer lifetime. Instance-profile credentials are rotated automatically, so a URL handed out shortly before a rotation can fail well before its own X-Amz-Expires window ends.
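As an added example (not code from the original page), the following stdlib-only Python builds a SigV4 pre-signed GET URL from constructed instance-role credentials and then computes when it really stops working, taking the session token's lifetime into account as well as X-Amz-Expires. The bucket, key, credentials and timestamps are made up; in production you would call the SDK's presign helper, but writing the signing out shows exactly where the token and the expiry live in the URL.

```python
"""Build a SigV4 pre-signed S3 GET URL from (constructed) EC2 instance-role
credentials and work out when it actually stops validating.

Added example, stdlib only. Credentials, bucket, key and times are made up;
the signing steps follow the public SigV4 query-string signing procedure."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlsplit

MAX_PRESIGN_SECONDS = 7 * 24 * 3600  # SigV4 hard limit: seven days

# Constructed demo inputs (not real credentials).
DEMO_NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
DEMO_SESSION_EXPIRES = DEMO_NOW + timedelta(hours=1)  # when the role session's token expires
DEMO_CREDS = {"access_key": "ASIAEXAMPLEKEY000001",
              "secret_key": "not-a-real-secret",
              "session_token": "FwoGZXIvYXdzEXAMPLETOKEN"}
DEMO_BUCKET, DEMO_KEY, DEMO_REGION = "example-app-files", "reports/q1.pdf", "us-east-1"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date: str, region: str) -> bytes:
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")


def presign_get(bucket, key, creds, region, expires_in, now):
    """Return a pre-signed GET URL. `creds` holds access_key, secret_key and,
    for a role session, session_token (which is embedded in the URL)."""
    if not 1 <= expires_in <= MAX_PRESIGN_SECONDS:
        raise ValueError("expires_in must be between 1 and 604800 seconds")
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    host = f"{bucket}.s3.{region}.amazonaws.com"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{creds['access_key']}/{date}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_in),
        "X-Amz-SignedHeaders": "host",
    }
    if creds.get("session_token"):  # temporary credentials: token travels in the query string
        params["X-Amz-Security-Token"] = creds["session_token"]
    # Canonical query string: RFC 3986 encoding, parameters sorted by name.
    canonical_query = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))
    canonical_request = "\n".join([
        "GET", "/" + quote(key, safe="/"), canonical_query,
        f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, f"{date}/{region}/s3/aws4_request",
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = hmac.new(_signing_key(creds["secret_key"], date, region),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}/{quote(key, safe='/')}?{canonical_query}&X-Amz-Signature={signature}"


def effective_expiry(url, session_expires_at=None):
    """When the URL stops validating: the X-Amz-Date + X-Amz-Expires window,
    capped by the lifetime of the temporary credentials that signed it."""
    q = parse_qs(urlsplit(url).query)
    signed_at = datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    url_expiry = signed_at + timedelta(seconds=int(q["X-Amz-Expires"][0]))
    if "X-Amz-Security-Token" in q and session_expires_at is not None:
        return min(url_expiry, session_expires_at)
    return url_expiry


def is_expired(url, now, session_expires_at=None):
    return now >= effective_expiry(url, session_expires_at)


def demo():
    """Seven-day URL signed by a session that only lives one more hour."""
    url = presign_get(DEMO_BUCKET, DEMO_KEY, DEMO_CREDS, DEMO_REGION, MAX_PRESIGN_SECONDS, DEMO_NOW)
    return {
        "url": url,
        "url_expiry": effective_expiry(url),                         # what the URL claims
        "real_expiry": effective_expiry(url, DEMO_SESSION_EXPIRES),  # what S3 will honour
        "ok_after_30min": not is_expired(url, DEMO_NOW + timedelta(minutes=30), DEMO_SESSION_EXPIRES),
        "ok_after_2h": not is_expired(url, DEMO_NOW + timedelta(hours=2), DEMO_SESSION_EXPIRES),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

When debugging a report like the one in the question, the two values to compare are the URL's own X-Amz-Date plus X-Amz-Expires and the expiration of the instance-profile credentials that were current when the URL was minted; the earlier of the two is the real deadline.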
For option B: a pre-signed URL carries the signer's credentials and signature in its query string, so the person using it does not need to be an IAM user or to have any AWS identity at all. AWS in fact recommends temporary credentials whenever users need time-limited access to AWS resources, rather than creating an IAM user for each request.
For more information on temporary credentials, refer to the documentation here:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html
For option C: an explicit Deny in a bucket policy overrides any Allow, including the Allow in the EC2 role's own IAM policy. A Deny statement used to lock a bucket down to specific roles therefore needs a Condition (for example on aws:PrincipalArn or aws:userid) that exempts every principal that should keep access.
If the EC2 role is not in that exception list, the role cannot access the bucket even though its IAM policy grants full access, and because a pre-signed URL request is authorized as the role that signed it, every user of those URLs gets an Access Denied error.
For detailed information on how to restrict a bucket in this way, refer to the documentation here:
https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/
For option D: the session policy is an optional parameter when temporary credentials are obtained through AssumeRole (which is how EC2 obtains temporary credentials through the instance profile).
When it is omitted there is no default session policy; the session simply has the permissions of the role's identity-based policies, so the GetObject permission attached to the role applies to requests made with the pre-signed URL.
The most likely reasons why users are reporting errors when accessing the pre-signed URLs are therefore:
A. Pre-signed URLs expired: pre-signed URLs are valid only for the duration set when the URL was generated (and, when signed with temporary credentials, no longer than the credentials themselves). Users who access a URL after that point receive an error.
C. Bucket has a "Deny" policy and the EC2 role is not whitelisted in the policy statement with Allow: an explicit Deny in the bucket policy blocks every principal it applies to, including the EC2 instance role. If the role is not excluded from the Deny, the signed request is rejected and users receive an error when accessing the pre-signed URLs.
B. Logged-in user must be an IAM user to download the file through a pre-signed URL: this is not a valid reason. Pre-signed URLs can be used by anyone who has the URL, including anonymous users, because the URL itself carries the signer's credentials.
D. The default policy on temporary credentials does not have GetObject privileges on an S3 bucket: this is not a valid reason either. There is no default session policy; a request made with a pre-signed URL is authorized as the principal whose credentials signed it, so the EC2 role's GetObject permission is what is evaluated, and that permission is present.
Therefore, the two most likely reasons for the error are A and C.
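To make the option C reasoning concrete, here is an added example (not part of the original page) that evaluates a same-account request the way IAM does: a bucket policy Deny that exempts principals through an aws:PrincipalArn condition is checked against the EC2 role's GetObject Allow. The role ARNs, bucket name and policy documents are constructed for illustration, the evaluator supports only the String* condition operators used here, and the condition key differs from the linked blog post, which keys on aws:userid.

```python
"""Mini IAM evaluator for the option C scenario: does the EC2 role's
pre-signed GET succeed when the bucket policy carries an explicit Deny?

Added example with constructed ARNs and policies. It implements the
same-account rule (an explicit Deny beats any Allow) for s3 actions and
the String* condition operators only."""
import re

# Constructed identifiers (not from the page).
ROLE_ARN = "arn:aws:iam::111122223333:role/app-ec2-role"
ADMIN_ROLE_ARN = "arn:aws:iam::111122223333:role/s3-admin"
BUCKET_ARN = "arn:aws:s3:::example-app-files"
OBJECT_ARN = BUCKET_ARN + "/reports/q1.pdf"

# Identity policy attached to the EC2 role: GetObject only, as in the question.
IDENTITY_POLICY = {"Statement": [{
    "Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"}]}


def bucket_deny_policy(exempt_role_arns):
    """Bucket policy that denies everyone except the listed roles (assumed
    here to be keyed on aws:PrincipalArn)."""
    return {"Statement": [{
        "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
        "Condition": {"StringNotLike": {"aws:PrincipalArn": list(exempt_role_arns)}}}]}


def signer_context(role_arn):
    """Request context for a pre-signed URL: S3 authorizes the request as the
    role that signed it, whoever actually clicks the link. For an assumed-role
    session aws:PrincipalArn is the role's ARN."""
    return {"aws:PrincipalArn": role_arn}


def _glob(pattern, value):
    """IAM wildcard match: '*' and '?' only."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _condition_holds(condition, ctx):
    for op, pairs in (condition or {}).items():
        for key, patterns in pairs.items():
            actual, pats = ctx.get(key), _as_list(patterns)
            if actual is None:            # missing key: positive ops fail, negated ops pass
                ok = op.startswith("StringNot")
            elif op == "StringEquals":
                ok = actual in pats
            elif op == "StringNotEquals":
                ok = actual not in pats
            elif op == "StringLike":
                ok = any(_glob(p, actual) for p in pats)
            elif op == "StringNotLike":
                ok = not any(_glob(p, actual) for p in pats)
            else:
                raise ValueError(f"unsupported condition operator {op}")
            if not ok:
                return False
    return True


def _principal_matches(stmt, principal_arn):
    p = stmt.get("Principal", "*")        # identity policies carry no Principal element
    if p == "*":
        return True
    aws = _as_list(p.get("AWS", []))
    return "*" in aws or principal_arn in aws


def evaluate(identity_policy, bucket_policy, action, resource, ctx):
    """Same-account decision: EXPLICIT_DENY if any matching statement denies,
    else ALLOW if any matching statement in either policy allows, else
    IMPLICIT_DENY."""
    decision = "IMPLICIT_DENY"
    for policy in (identity_policy, bucket_policy):
        for stmt in policy["Statement"]:
            if not _principal_matches(stmt, ctx["aws:PrincipalArn"]):
                continue
            if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_holds(stmt.get("Condition"), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "EXPLICIT_DENY"    # one Deny ends the evaluation
            decision = "ALLOW"
    return decision


if __name__ == "__main__":
    ctx = signer_context(ROLE_ARN)
    # Exception list names only the admin role: the EC2 role's Allow is overridden.
    print(evaluate(IDENTITY_POLICY, bucket_deny_policy([ADMIN_ROLE_ARN]),
                   "s3:GetObject", OBJECT_ARN, ctx))
    # Add the EC2 role to the exception list and the pre-signed GET works again.
    print(evaluate(IDENTITY_POLICY, bucket_deny_policy([ADMIN_ROLE_ARN, ROLE_ARN]),
                   "s3:GetObject", OBJECT_ARN, ctx))
```

The fix for option C is the second call: the role that signs the URLs must appear in the Deny statement's exception list, because the role's own Allow never gets a vote once a Deny matches.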