Question #828
A company hosts a web application on Amazon EC2 instances. The application allows authenticated users to upload and download files stored in an Amazon S3 bucket. The developer enabled S3 Block Public Access for the bucket, after which users report being unable to download their files. The developer must ensure that only authenticated users can download objects, using the most secure method. Which two steps should be taken? (Choose two.)
A. Create an IAM role with permissions to access the S3 bucket and attach it to the EC2 instance profile.
B. Store IAM user access keys on the EC2 instances and configure the application to use them for S3 access.
C. Modify the application to generate presigned URLs for users to download objects directly from S3.
D. Update the application to retrieve objects from S3 and serve them directly to users through the application.
E. Configure the S3 bucket policy to allow access from the EC2 instances' public IP addresses.
Explanation
The downloads broke because the application had been relying on public access to the objects (a public ACL or a public bucket policy). S3 Block Public Access overrides those grants, so an unauthenticated GET from a user's browser now fails with 403. Every download must instead be authorized as an IAM principal, which is what the two chosen steps provide.
- A is correct: Attaching an IAM role through the instance profile gives the application temporary, automatically rotated credentials from the instance metadata service, so no long-term key is ever written to the instance (B is the insecure alternative). Scope the role's policy to the actions the application actually needs, such as s3:GetObject and s3:PutObject on the bucket's object ARN, rather than s3:*.
- C is correct: After the application has authenticated the user and confirmed that the requested object belongs to them, it signs a URL for that one object with the role's credentials and hands it to the browser, which fetches the file directly from S3. The request is authenticated as the signing principal, so Block Public Access does not affect it. Keep the expiry short: anyone who obtains the URL can use it until it expires, and a URL signed with temporary credentials stops working when those credentials expire, whatever expiry was requested.
Why others are incorrect:
- B: Long-term access keys stored on the instance are a static secret. Anyone who reads the disk, a snapshot, or an AMI built from it gains durable access to the bucket, and rotation is manual. The instance role provides the same access with credentials that expire on their own.
- D: Proxying every download through the application does keep the bucket private, but it pushes all file traffic through the EC2 instances, adding load and latency that presigned URLs avoid by letting clients fetch from S3 directly.
- E: An IP allow-list is not authentication. S3 may accept a bucket policy limited to a fixed IP range as non-public, but such a policy admits anything sent from those addresses, the instances' public IPs change on stop/start unless Elastic IPs are attached, and the users' browsers, which perform the downloads, are not at those addresses in the first place.
Key Points:
1. Use IAM roles (instance profiles) so applications on EC2 obtain temporary credentials instead of stored keys.
2. Presigned URLs give authenticated users time-limited, object-scoped access to private S3 objects without opening the bucket.
3. Do not bake long-term credentials into instances, and do not work around Block Public Access by reopening the bucket; let signed, authenticated requests carry the access.
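The following is an added example, not code from the original question or from AWS: it builds a SigV4 presigned GET URL with only the Python standard library (the same query-parameter scheme boto3's generate_presigned_url implements) and puts the application-side ownership check in front of it. The credentials are the placeholder key pair from the AWS documentation, the per-user key prefix users/<id>/ and the 300-second cap are hypothetical policy choices, and the date is fixed so the output is reproducible.

```python
# Added example: SigV4 presigned GET URL built with the standard library, plus the
# application-side ownership check that must run before anything is signed.
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlparse

# Constructed credentials: the placeholder key pair from the AWS documentation.
# In the real application the SDK reads these from the instance profile
# (temporary, rotated credentials); they are hard-coded only so this runs offline.
SAMPLE_CREDS = {
    "access_key": "AKIAIOSFODNN7EXAMPLE",
    "secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "session_token": None,  # temporary (role) credentials also carry a token
}
SAMPLE_NOW = dt.datetime(2013, 5, 24, 0, 0, 0, tzinfo=dt.timezone.utc)
MAX_EXPIRES = 300  # hypothetical policy: download links live at most five minutes
_SAFE = "-_.~"     # unreserved characters under the SigV4 encoding rules


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the per-day, per-region, per-service SigV4 signing key."""
    key = _hmac(("AWS4" + secret).encode(), date)
    key = _hmac(key, region)
    key = _hmac(key, service)
    return _hmac(key, "aws4_request")


def presign_get(bucket: str, key: str, region: str, creds: dict,
                now: dt.datetime, expires: int = MAX_EXPIRES) -> str:
    """Return a presigned GET URL (virtual-hosted style) for s3://bucket/key.

    The signature covers the host, the object path and every X-Amz-* parameter,
    so a holder of the URL cannot change the object, the expiry or the principal
    without invalidating it.
    """
    expires = max(1, min(int(expires), MAX_EXPIRES))  # clamp to the policy cap
    now = now.astimezone(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    host = f"{bucket}.s3.{region}.amazonaws.com"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{creds['access_key']}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    if creds.get("session_token"):
        # Temporary credentials are only valid together with their session token,
        # so the token is part of the signed query string.
        params["X-Amz-Security-Token"] = creds["session_token"]
    canonical_qs = "&".join(
        f"{quote(k, safe=_SAFE)}={quote(v, safe=_SAFE)}" for k, v in sorted(params.items())
    )
    canonical_uri = quote("/" + key, safe="/" + _SAFE)
    canonical_request = "\n".join([
        "GET", canonical_uri, canonical_qs,
        f"host:{host}\n",    # canonical headers block, followed by the blank separator line
        "host",              # signed headers
        "UNSIGNED-PAYLOAD",  # a presigned GET does not commit to a body hash
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    signature = hmac.new(_signing_key(creds["secret_key"], date, region, "s3"),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_qs}&X-Amz-Signature={signature}"


def can_access(user_id: str, key: str) -> bool:
    """Hypothetical ownership rule: a user may only read objects under users/<id>/."""
    return key.startswith(f"users/{user_id}/") and ".." not in key.split("/")


def download_url_for(user_id: str, key: str, bucket: str, region: str,
                     creds: dict, now: dt.datetime) -> str:
    """Issue a download link only for an authenticated, authorized caller.

    user_id must come from the application's own session, never from the request,
    otherwise the ownership check is trivially bypassed.
    """
    if not can_access(user_id, key):
        raise PermissionError(f"{user_id} may not read {key}")
    return presign_get(bucket, key, region, creds, now)


def query_params(url: str) -> dict:
    """Decode a presigned URL's query string into a flat dict (used by the checks)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


if __name__ == "__main__":
    print(download_url_for("alice", "users/alice/report.pdf", "examplebucket",
                           "us-east-1", SAMPLE_CREDS, SAMPLE_NOW))
```

Two details matter in practice. The object key is part of the signed canonical request, so issuing one URL per object after the ownership check is what keeps a user from turning their link into a link for someone else's file; the check is enforced by the application, not by S3. And when the credentials come from the instance role, the X-Amz-Security-Token is signed along with everything else, and the URL dies with that session even if X-Amz-Expires says otherwise.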
Answer
The correct answer is: AC