AWS Certified Solutions Architect - Associate / Question #2030 of 1019

Question #2030

A company hosts an application in a private subnet and uses an Amazon Cognito user pool for user authentication. The company needs to enable the application to securely upload files to an Amazon S3 bucket. Which two steps should be taken to achieve this securely? (Choose two.)

A. Create an Amazon Cognito identity pool to grant temporary AWS credentials to authenticated users.

B. Use the existing Amazon Cognito user pool to directly access the S3 bucket.

C. Configure an S3 VPC gateway endpoint in the VPC to enable private connectivity.

D. Set up a NAT gateway to allow the application to connect to S3 over the internet.

E. Attach an S3 bucket policy that restricts access to specific IAM roles.

Explanation

A. Amazon Cognito user pools handle authentication, but identity pools are required to grant temporary AWS credentials, allowing the application to interact with AWS services like S3.
C. A VPC gateway endpoint for S3 ensures secure, private connectivity between the application in the private subnet and S3, avoiding public internet traffic.

Other options:
B. User pools authenticate users but cannot grant AWS credentials on their own; an identity pool is needed to issue them.
D. A NAT gateway gives the private subnet internet access, so S3 traffic would leave the VPC; a VPC endpoint keeps that traffic private and is more cost-effective for S3 access.
E. Restricting S3 access to specific IAM roles in a bucket policy is a best practice, but the question focuses on the connectivity and credential mechanisms (A and C). The IAM role assumed through the identity pool already defines the permissions the application receives, so E is optional in this scenario.

Answer

The correct answer is: AC