Q38 — AWS DVA-C02 Ch.2
A company is hosting a workshop for external users and wants to share registration documents with them for 7 days. The company stores the registration documents in its own Amazon S3 bucket. What is the most secure way to share the documents with external users?
- A. Use S3 pre-signed URLs to share the documents with external users. Set a 7-day expiration time. ✓
- B. Move the documents to an Amazon WorkDocs folder and share a link to the WorkDocs folder with external users.
- C. Create a temporary IAM user with read-only access to the S3 bucket. Share the access keys with external users and expire the credentials after 7 days.
- D. Create an IAM role with read-only access to the S3 bucket. Share the role’s Amazon Resource Name (ARN) with external users.
Correct Answer: A. Use S3 pre-signed URLs to share the documents with external users. Set a 7-day expiration time.
Explanation
Option A is the most secure method. S3 pre-signed URLs grant time-limited, granular access to specific objects without exposing bucket policies, credentials, or long-term permissions. Setting a 7-day expiration precisely satisfies the requirement while minimizing attack surface. Option B introduces unnecessary complexity and may not support fine-grained, short-lived access. Option C violates security best practices by distributing long-term IAM credentials externally. Option D shares a role ARN, which cannot be directly assumed by untrusted external users without federation setup and poses significant privilege escalation risks. Thus, A is optimal.