An application runs in a private subnet and already uses Amazon Cognito with a user pool for authentication. The application needs to securely store user documents in an Amazon S3 bucket. Which combination of steps will securely integrate Amazon S3 with the application? (Choose two.)
Choose an answer
Tap an option to check your answer.
Correct answer: Create an Amazon Cognito identity pool to generate secure Amazon S3 access tokens for users when they successfully log in., Create an Amazon S3 VPC endpoint in the same VPC where the company hosts the application..
Why this is the answer
To securely store user documents in S3 from an application in a private subnet using Cognito for authentication, you need two main components. First, an Amazon Cognito identity pool is necessary. While a user pool handles authentication, an identity pool provides temporary AWS credentials (including S3 access tokens) to authenticated users, allowing them to directly access AWS services like S3. Second, an Amazon S3 VPC endpoint is crucial for secure and private connectivity. This allows the application in the private subnet to access S3 without traversing the public internet, enhancing security and performance. The option to use only the existing user pool is incorrect because user pools primarily handle authentication, not authorization for AWS services like S3. A NAT gateway would allow outbound internet access but doesn't provide private S3 connectivity or the necessary S3 access tokens. Denying requests not initiated from Cognito is not a standard or effective S3 bucket policy for user-specific access. Allowing access only from users' IP addresses is impractical and insecure, as IP addresses can change and are not a reliable form of user authentication for S3.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed