A company stores an AWS CloudFormation template in an Amazon S3 bucket that blocks public access. The company wants to grant CloudFormation access to the template based on specific user requests to create a test environment, following security best practices. Which solution meets these requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Create a presigned URL for the template object. Configure the CloudFormation stack to use the presigned URL..
Why this is the answer
Creating a presigned URL for the template object is the most secure and practical solution. A presigned URL grants temporary, limited-time access to a private S3 object, allowing CloudFormation to retrieve the template without making the bucket or object publicly accessible. This aligns with security best practices by providing access only when needed and for a defined duration. Creating a gateway VPC endpoint for S3 is useful for private access from within a VPC but doesn't solve the problem of granting CloudFormation access to a private S3 object from outside the VPC or for specific user requests. An API Gateway REST API would add unnecessary complexity and overhead for simply accessing an S3 object. Allowing public access to the S3 object, even temporarily, is a significant security risk and violates the principle of least privilege.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed