Q3 — AWS DVA-C02 Ch.2

Question 3 of 100

A company maintains copies of customer ID cards in its on-premises systems. The company wants its on-premises systems to upload ID card images directly to an Amazon S3 bucket. What is the most secure solution to meet this requirement?

Correct Answer: B. Use the AWS SDK to upload images directly from the on-premises system to the S3 bucket. Create an IAM role. Attach a policy granting s3:PutObject permission to the role. Configure the on-premises system to use the AssumeRole functionality in the AWS SDK to authenticate to AWS.

Explanation

Option B is the most secure because it avoids long-term credentials: the on-premises system assumes an IAM role using temporary credentials via the AWS SDK’s AssumeRole, eliminating the need to store permanent access keys. The IAM role can be scoped to grant only s3:PutObject permissions on the specific S3 bucket. Option A is less secure due to reliance on long-term IAM user credentials stored on-premises. Option C introduces unnecessary complexity and security risk via a Site-to-Site VPN. Option D exposes a public API endpoint, increasing attack surface, and adds complexity with Cognito user management. Thus, option B provides secure, auditable, and minimal-privilege access.