AWS Certified Developer – Associate / Question #659 of 557

Question #659

A video streaming application uses the AWS SDK for JavaScript on the frontend to retrieve temporary security credentials from AWS STS. The application's media files are stored in an Amazon S3 bucket and distributed via a CloudFront distribution. The current implementation has the AWS credentials hard-coded in a configuration file within the application's source code. The developer needs to eliminate the hard-coded credentials while maintaining the ability to retrieve temporary credentials securely.

Which solution meets these requirements?

A

Add a Lambda@Edge function to the distribution. Configure it to trigger on viewer request. Assign an execution role to the function with permissions to access AWS STS. Move all credential retrieval logic from the frontend into the function.

B

Add a CloudFront function to the distribution. Configure it to trigger on viewer request. Assign an execution role to the function with permissions to access AWS STS. Move all credential retrieval logic from the frontend into the function.

C

Add a Lambda@Edge function to the distribution. Configure it to trigger on viewer request. Embed the credentials from the configuration file into the function's code. Move all credential retrieval logic from the frontend into the function.

D

Add a CloudFront function to the distribution. Configure it to trigger on viewer request. Embed the credentials from the configuration file into the function's code. Move all credential retrieval logic from the frontend into the function.

Explanation

Answer A is correct because a Lambda@Edge function is an ordinary Lambda function (Node.js or Python) that runs with an IAM execution role. Inside the function, the AWS SDK picks up that role's temporary credentials automatically, so the function can call AWS STS (for example sts:AssumeRole) without a single secret stored in code or configuration. Triggered on viewer request, it runs at the edge before CloudFront serves the content and takes over the credential logic that previously lived in the frontend.

Options B and D are incorrect because CloudFront Functions run in a restricted JavaScript runtime with no network access: they cannot be assigned an execution role and cannot call STS or any other AWS service; they are intended for lightweight header, URL and cache-key manipulation. Options C and D are incorrect because pasting the credentials into the function's code only moves the hard-coded secret from the frontend bundle to the edge function; the credentials are still hard-coded, which is exactly what the requirement rules out.

Note that removing the hard-coded keys is necessary but not sufficient. A viewer-request function that hands out STS credentials must still decide which viewers qualify to receive them, and the role it assumes should grant only the read access the player needs (for example s3:GetObject on the media prefix) for the shortest session duration that works.

Key Points:
1. Lambda@Edge supports execution roles for secure AWS service access; CloudFront Functions do not and cannot reach AWS APIs at all.
2. Credentials, temporary or long-term, should never be hard-coded; an IAM role whose credentials the SDK obtains from STS is the secure alternative.
3. Viewer-request triggers allow credential retrieval logic to run before CloudFront serves content.
4. Lambda@Edge has constraints that affect this design: the execution role's trust policy must allow both lambda.amazonaws.com and edgelambda.amazonaws.com; the function is created in us-east-1 and replicated to the edge; it has no environment variables, so the role ARN or other configuration must live in code or be fetched at runtime; and viewer-request triggers are limited to a 5-second timeout and a 1 MB package.
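The following is an added example written for this page, not code from the question or from AWS. It shows the "before" configuration with a hard-coded key, a scanner that finds such keys in source, a check on the Lambda@Edge trust policy, and a viewer-request handler that obtains credentials through an injected `assumeRole` call instead of a stored secret. The role ARN, the `/credentials` path, the fake STS responder and the access keys are all constructed placeholders; in production `assumeRole` would wrap `STSClient.send(new AssumeRoleCommand(...))` from `@aws-sdk/client-sts`, which signs the call with the execution role's own credentials.

```javascript
'use strict';

// --- "Before": the anti-pattern in the question. The key pair below is a
// constructed placeholder (AKIA + 16 characters, nonsense secret), not a real credential.
const LEGACY_FRONTEND_CONFIG = `
export const awsConfig = {
  region: 'us-east-1',
  accessKeyId: 'AKIAEXAMPLEEXAMPLE01',
  secretAccessKey: 'constructedSecretNotRealXXXXXXXXXXXXXXXXX',
};
`;

// AWS access key IDs are 20 characters: AKIA... for long-term IAM user keys,
// ASIA... for STS temporary keys. Either one committed to source is a finding.
const ACCESS_KEY_ID_RE = /\b(AKIA|ASIA)[A-Z0-9]{16}\b/g;

function findHardcodedAwsKeys(source) {
  return Array.from(source.matchAll(ACCESS_KEY_ID_RE), (m) => m[0]);
}

// Lambda@Edge execution roles must be assumable by both service principals.
const EDGE_ROLE_TRUST_POLICY = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Principal: { Service: ['lambda.amazonaws.com', 'edgelambda.amazonaws.com'] },
    Action: 'sts:AssumeRole',
  }],
};

function trustPolicyAllowsEdge(policy) {
  const services = new Set();
  for (const st of policy.Statement || []) {
    if (st.Effect !== 'Allow' || !st.Principal || !st.Principal.Service) continue;
    const svc = st.Principal.Service;
    for (const s of Array.isArray(svc) ? svc : [svc]) services.add(s);
  }
  return services.has('lambda.amazonaws.com') && services.has('edgelambda.amazonaws.com');
}

// Role assumed on behalf of the player (hypothetical ARN). Lambda@Edge has no
// environment variables, so this has to live in code or be fetched at runtime.
const VIEWER_ROLE_ARN = 'arn:aws:iam::123456789012:role/MediaReadOnly';

// Viewer-request handler factory. `assumeRole` is injected so this file runs offline;
// in production it is (params) => sts.send(new AssumeRoleCommand(params)).
// Authenticating the viewer before issuing credentials is deliberately left to the caller.
function makeCredentialHandler({ assumeRole, roleArn = VIEWER_ROLE_ARN }) {
  return async (event) => {
    const request = event.Records[0].cf.request;
    if (request.method !== 'GET' || request.uri !== '/credentials') {
      return request; // not a credential request: pass through to the origin unchanged
    }
    const { Credentials } = await assumeRole({
      RoleArn: roleArn,
      RoleSessionName: `viewer-${request.clientIp.replace(/[^0-9a-zA-Z]/g, '-')}`,
      DurationSeconds: 900, // the shortest STS allows; the player can re-fetch
    });
    return {
      status: '200',
      statusDescription: 'OK',
      headers: {
        'content-type': [{ key: 'Content-Type', value: 'application/json' }],
        'cache-control': [{ key: 'Cache-Control', value: 'no-store' }], // never cache credentials
      },
      body: JSON.stringify({
        accessKeyId: Credentials.AccessKeyId,
        secretAccessKey: Credentials.SecretAccessKey,
        sessionToken: Credentials.SessionToken,
        expiration: Credentials.Expiration,
      }),
    };
  };
}

// Constructed CloudFront viewer-request event (sample input, not captured traffic).
function viewerRequestEvent(method, uri, clientIp = '203.0.113.7') {
  return { Records: [{ cf: { config: { eventType: 'viewer-request' },
                             request: { method, uri, clientIp, headers: {} } } }] };
}

// Constructed stand-in for STS so the handler can be exercised offline.
async function fakeAssumeRole(params) {
  if (params.RoleArn !== VIEWER_ROLE_ARN) throw new Error('unexpected role');
  return { Credentials: { AccessKeyId: 'ASIAEXAMPLEEXAMPLE02', SecretAccessKey: 'constructed',
                          SessionToken: 'constructed', Expiration: '2030-01-01T00:15:00Z' } };
}

async function demo() {
  const leaked = findHardcodedAwsKeys(LEGACY_FRONTEND_CONFIG);
  const handler = makeCredentialHandler({ assumeRole: fakeAssumeRole });
  const res = await handler(viewerRequestEvent('GET', '/credentials'));
  return { leaked, trustOk: trustPolicyAllowsEdge(EDGE_ROLE_TRUST_POLICY),
           status: res.status, body: JSON.parse(res.body) };
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

Running the file reports the leaked `AKIA...` key from the legacy config, confirms the trust policy covers both Lambda@Edge principals, and shows the handler returning `ASIA...` temporary credentials with `Cache-Control: no-store`; any other request passes through to the origin untouched. The scanner regex is a useful pre-commit check on the frontend bundle once the migration is done.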

Answer

The correct answer is: A