Q3 — AWS DVA-C02 Ch.2
A company maintains copies of customer ID cards in its on-premises systems. The company wants its on-premises systems to upload ID card images directly to an Amazon S3 bucket. What is the most secure solution to meet this requirement?
- A. Use the AWS SDK to upload images directly from the on-premises system to the S3 bucket. Create an IAM user. Attach a policy granting s3:PutObject permission to the user. Configure the on-premises system to authenticate to AWS using the generated access key and secret.
- B. Use the AWS SDK to upload images directly from the on-premises system to the S3 bucket. Create an IAM role. Attach a policy granting s3:PutObject permission to the role. Configure the on-premises system to use the AssumeRole functionality in the AWS SDK to authenticate to AWS. ✓
- C. Use S3 presigned URLs to upload images directly from the on-premises system to the S3 bucket. Generate presigned URLs using an AWS Lambda function and a private REST API endpoint. Establish an AWS Site-to-Site VPN connection between the on-premises network and a VPC to allow the on-premises system to call the API and receive presigned URLs.
- D. Use S3 presigned URLs to upload images directly from the on-premises system to the S3 bucket. Generate presigned URLs using an AWS Lambda function and a public REST API endpoint. Protect the API using an Amazon Cognito authorizer. Create a Cognito user for the on-premises system to authenticate and call the API to receive presigned URLs.
Correct Answer: B. Use the AWS SDK to upload images directly from the on-premises system to the S3 bucket. Create an IAM role. Attach a policy granting s3:PutObject permission to the role. Configure the on-premises system to use the AssumeRole functionality in the AWS SDK to authenticate to AWS.
Explanation
Option B is the most secure because it avoids long-term credentials: the on-premises system assumes an IAM role using temporary credentials via the AWS SDK’s AssumeRole, eliminating the need to store permanent access keys. The IAM role can be scoped to grant only s3:PutObject permissions on the specific S3 bucket. Option A is less secure due to reliance on long-term IAM user credentials stored on-premises. Option C introduces unnecessary complexity and security risk via a Site-to-Site VPN. Option D exposes a public API endpoint, increasing attack surface, and adds complexity with Cognito user management. Thus, option B provides secure, auditable, and minimal-privilege access.
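As an added illustration (not part of the question bank), here is how option B's scoped role and AssumeRole flow look in Python with boto3: a PutObject-only policy on one bucket prefix, a small allow-check to confirm the role cannot read the images back, and the AssumeRole exchange for 15-minute credentials. The bucket name, role ARN and prefix are constructed placeholders, and the example assumes the on-premises system already holds some identity that the role's trust policy allows to call AssumeRole, a bootstrap the question leaves unspecified.

```python
import fnmatch
import json

# Constructed placeholders, not values from the question.
BUCKET = "example-id-card-bucket"
ROLE_ARN = "arn:aws:iam::123456789012:role/OnPremIdCardUploader"


def upload_policy(bucket: str) -> dict:
    """Permissions policy attached to the role: s3:PutObject only, on one bucket prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PutIdCardImagesOnly",
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": [f"arn:aws:s3:::{bucket}/id-cards/*"],
        }],
    }


def policy_allows(policy: dict, action: str, resource: str) -> bool:
    """Minimal allow-only evaluator (no Deny statements or conditions) for reviewing the role's scope."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if any(fnmatch.fnmatch(action, a) for a in st["Action"]) and \
           any(fnmatch.fnmatch(resource, r) for r in st["Resource"]):
            return True
    return False


def assume_upload_role(sts_client, role_arn: str, session_name: str, duration: int = 900) -> dict:
    """Exchange the caller's identity for short-lived role credentials (900 s is the STS minimum)."""
    resp = sts_client.assume_role(RoleArn=role_arn, RoleSessionName=session_name, DurationSeconds=duration)
    c = resp["Credentials"]
    return {"aws_access_key_id": c["AccessKeyId"],
            "aws_secret_access_key": c["SecretAccessKey"],
            "aws_session_token": c["SessionToken"]}


def upload_id_card(s3_client, bucket: str, key: str, body: bytes) -> dict:
    """Upload with the temporary credentials and request server-side encryption at rest."""
    return s3_client.put_object(Bucket=bucket, Key=key, Body=body, ServerSideEncryption="AES256")


if __name__ == "__main__":
    import boto3  # only needed for a live run against AWS
    print(json.dumps(upload_policy(BUCKET), indent=2))
    s3 = boto3.client("s3", **assume_upload_role(boto3.client("sts"), ROLE_ARN, "onprem-uploader"))
    upload_id_card(s3, BUCKET, "id-cards/customer-0001.jpg", b"<jpeg bytes>")
```

The temporary credentials expire on their own, so a compromised on-premises host yields at most a 15-minute, write-only window on one prefix rather than a standing access key.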