AWS Certified Developer – Associate

Question #1076

A developer is building a mobile application that enables users to upload photos to a private S3 bucket. The application must authenticate users via their Amazon credentials and supported third-party social media accounts. Temporary security credentials should be used to ensure secure access without embedding long-term keys.

How should the developer implement this authentication mechanism?

A

Use Amazon Cognito with web identity federation to authenticate users and grant permissions to the S3 bucket.

B

Use Amazon Cognito with SAML 2.0 federation to integrate enterprise identity providers for authentication.

C

Embed IAM user access keys in the application code to authorize S3 PutObject permissions.

D

Use AWS STS AssumeRole to generate temporary credentials with PutObject permissions on the S3 bucket.

Explanation

Answer A is correct because Amazon Cognito identity pools implement web identity federation: users sign in with Login with Amazon or a supported social provider (Facebook, Google, and others), Cognito maps the provider's token to a Cognito identity, and then obtains temporary credentials from AWS STS scoped by the IAM role attached to the identity pool. The app receives an access key, secret key and session token that expire, so no long-term keys are embedded in the mobile app.

Option C is insecure because long-term IAM user keys shipped inside a mobile binary can be extracted by anyone who downloads the app. Option B uses SAML 2.0, which is the federation path for enterprise identity providers, not consumer social accounts. Option D is incomplete: STS AssumeRole must be called with AWS credentials the caller already holds, and it does nothing to authenticate the end user against Amazon or a social provider (that is exactly the step Cognito performs before it calls STS on the user's behalf). Cognito (A) handles both authentication and temporary credential management, aligning with the requirements.
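The flow described above, as an added example (not code from the original page): the app exchanges a social provider's ID token for temporary AWS credentials through Cognito's GetId and GetCredentialsForIdentity calls, and the identity pool's authenticated role carries a policy that pins each user to their own prefix in the bucket via the `${cognito-identity.amazonaws.com:sub}` policy variable. The bucket name, identity pool ID, provider and token are placeholders; `FakeCognitoIdentity` is a constructed offline stand-in for the boto3 `cognito-identity` client, while the two API calls and the response field names are the real ones.

```python
"""Cognito web identity federation for a photo-upload app (added example).

Placeholders: BUCKET, IDENTITY_POOL_ID, PROVIDER and the id token.
FakeCognitoIdentity is a constructed stand-in so the flow runs offline.
"""
import hashlib
import uuid
from datetime import datetime, timedelta, timezone
from typing import Dict

# IAM policy variable that Cognito resolves to the caller's identity ID.
# Used in the resource ARN, it confines every user to their own key prefix.
IDENTITY_VAR = "${cognito-identity.amazonaws.com:sub}"

# Placeholders (assumptions, not values from the page).
BUCKET = "example-photo-bucket"
IDENTITY_POOL_ID = "us-east-1:11111111-2222-3333-4444-555555555555"
PROVIDER = "accounts.google.com"  # "graph.facebook.com" / "www.amazon.com" work the same way


def build_user_scoped_policy(bucket: str) -> Dict:
    """Policy for the identity pool's authenticated IAM role: a user may only
    put/get objects under <bucket>/<own identity id>/ and list that prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "OwnPrefixObjects",
                "Effect": "Allow",
                "Action": ["s3:PutObject", "s3:GetObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{IDENTITY_VAR}/*",
            },
            {
                "Sid": "ListOwnPrefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{IDENTITY_VAR}/*"]}},
            },
        ],
    }


def get_temporary_credentials(cognito, identity_pool_id: str, provider: str, id_token: str) -> Dict:
    """The two calls the Cognito SDKs make: GetId maps the provider token to a
    Cognito identity; GetCredentialsForIdentity returns STS-issued short-lived keys.
    `cognito` is a boto3 'cognito-identity' client or a compatible stand-in."""
    logins = {provider: id_token}
    identity_id = cognito.get_id(IdentityPoolId=identity_pool_id, Logins=logins)["IdentityId"]
    creds = cognito.get_credentials_for_identity(IdentityId=identity_id, Logins=logins)["Credentials"]
    return {
        "identity_id": identity_id,
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretKey"],
        "aws_session_token": creds["SessionToken"],  # only temporary credentials carry one
        "expiration": creds["Expiration"],
    }


def photo_key(identity_id: str, filename: str) -> str:
    """Object key under the caller's own prefix; any other prefix is denied by the policy."""
    return f"{identity_id}/{filename}"


class FakeCognitoIdentity:
    """Constructed stand-in: same calls and response shapes as the real API,
    deterministic identity per (pool, provider, token), one-hour credentials."""

    def get_id(self, IdentityPoolId: str, Logins: Dict[str, str]) -> Dict:
        provider, token = next(iter(Logins.items()))
        region = IdentityPoolId.split(":")[0]
        guid = uuid.uuid5(uuid.NAMESPACE_URL, f"{IdentityPoolId}/{provider}/{token}")
        return {"IdentityId": f"{region}:{guid}"}

    def get_credentials_for_identity(self, IdentityId: str, Logins: Dict[str, str]) -> Dict:
        tag = hashlib.sha256(IdentityId.encode()).hexdigest()[:16].upper()
        return {
            "IdentityId": IdentityId,
            "Credentials": {
                "AccessKeyId": "ASIA" + tag,  # temporary access keys start with ASIA
                "SecretKey": "fake-secret-" + tag,
                "SessionToken": "fake-session-token-" + tag,
                "Expiration": datetime.now(timezone.utc) + timedelta(hours=1),
            },
        }


def upload_photo(creds: Dict, bucket: str, key: str, data: bytes) -> None:
    """Real upload with the short-lived credentials (needs boto3 and network).
    The session token must be supplied or S3 rejects the request."""
    import boto3  # imported lazily so the offline demo does not require it
    s3 = boto3.client(
        "s3",
        aws_access_key_id=creds["aws_access_key_id"],
        aws_secret_access_key=creds["aws_secret_access_key"],
        aws_session_token=creds["aws_session_token"],
    )
    s3.put_object(Bucket=bucket, Key=key, Body=data)


def run_offline_demo():
    """End-to-end flow against the stand-in: returns (credentials, object key, policy)."""
    creds = get_temporary_credentials(FakeCognitoIdentity(), IDENTITY_POOL_ID, PROVIDER, "id-token-from-google")
    key = photo_key(creds["identity_id"], "IMG_0001.jpg")
    return creds, key, build_user_scoped_policy(BUCKET)


if __name__ == "__main__":
    demo_creds, demo_key, _ = run_offline_demo()
    print(demo_creds["identity_id"], demo_key, demo_creds["aws_access_key_id"])
```

Against real AWS, replace `FakeCognitoIdentity()` with `boto3.client("cognito-identity", region_name="us-east-1")` and pass the ID token the social SDK returned; the credentials expire, so the app should call `get_temporary_credentials` again when `expiration` is near rather than caching them.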

Answer

The correct answer is: A