AWS Certified Developer – Associate / Question #750 of 557

Question #750

A developer is building a mobile application that allows guest users to access features without any form of authentication. What is the MOST secure way to provide temporary access to AWS resources for these users?

A. Integrate a third-party identity provider to issue temporary credentials for AWS resource access.

B. Use AWS CloudFormation to dynamically provision IAM users for each guest session.

C. Generate short-lived credentials via AWS STS and embed them directly in the application code.

D. Configure Amazon Cognito to assign unauthenticated users an IAM role with restricted permissions.

Explanation

Option D is correct because Amazon Cognito identity pools are designed to handle unauthenticated (guest) users: each guest receives temporary AWS credentials obtained by assuming an IAM role designated for unauthenticated identities. That role can be scoped to minimal permissions (least privilege), so a guest can reach only the resources the application needs. Cognito issues credentials that expire and are refreshed automatically, so no long-lived secret is ever shipped in the app, which reduces the impact of a compromised device or client.

Why other options are incorrect:
- A: Third-party identity providers require the user to authenticate, which contradicts the 'guest users' requirement.
- B: Creating IAM users per session is impractical, scales poorly, and violates AWS best practices (IAM users are for long-term identities, not per-session access).
- C: Embedding credentials in code is insecure, as they can be extracted from the distributed app and misused; short-lived STS credentials baked into a shipped binary also expire, so the approach is both unsafe and unworkable.

Key Points:
1. Use Cognito for guest/unauthenticated access.
2. Temporary credentials via IAM roles ensure security.
3. Avoid hardcoding credentials or creating IAM users for temporary access.
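As an added illustration of option D (not part of the original question or its explanation), the following CloudFormation template defines an identity pool that allows unauthenticated identities, a least-privilege IAM role whose trust policy only lets this pool's unauthenticated identities assume it, and the attachment that binds the two. The pool name, role name and S3 bucket are assumed values; note that the role is provisioned once as infrastructure, not per guest session as option B proposed.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Guest (unauthenticated) access via a Cognito identity pool (added example)

Resources:
  GuestIdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      IdentityPoolName: MobileAppGuestPool     # assumed name
      AllowUnauthenticatedIdentities: true     # enables guest identities

  GuestRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: MobileAppGuestRole             # assumed name
      # Trust policy: only identities from this pool (aud) that are
      # unauthenticated (amr) may assume the role via web identity federation.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                cognito-identity.amazonaws.com:aud: !Ref GuestIdentityPool
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr: unauthenticated
      # Permissions: least privilege, read-only access to one public prefix.
      Policies:
        - PolicyName: GuestReadOnlyPublicContent
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: s3:GetObject
                Resource: arn:aws:s3:::example-app-public-bucket/public/*  # assumed bucket

  GuestRoleAttachment:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref GuestIdentityPool
      Roles:
        unauthenticated: !GetAtt GuestRole.Arn
```

If the guest role is ever mistakenly granted broad permissions, the `amr` condition still limits who can assume it, but the permissions policy is where least privilege is actually enforced, so review it as carefully as the trust policy.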

Answer

The correct answer is: D