You are designing a photo-sharing mobile app. The application will store all pictures in a single Amazon S3
bucket.
Users will upload pictures from their mobile device directly to Amazon S3 and will be able to view and download
their own pictures directly from Amazon S3.
You want to configure security to handle potentially millions of users in the most secure manner possible.
What should your server-side application do when a new user registers on the photo-sharing mobile
application?
A.
Create an IAM user. Update the bucket policy with appropriate permissions for the IAM user. Generate an
access key and secret key for the IAM user, store them in the mobile app and use these credentials to
access Amazon S3.
B.
Create an IAM user. Assign appropriate permissions to the IAM user. Generate an access key and secret
key for the IAM user, store them in the mobile app and use these credentials to access Amazon S3.
C.
Create a set of long-term credentials using AWS Security Token Service with appropriate permissions.
Store these credentials in the mobile app and use them to access Amazon S3.
D.
Record the user’s information in Amazon RDS and create a role in IAM with appropriate permissions. When
the user uses their mobile app, create temporary credentials using the AWS Security Token Service
“AssumeRole” function. Store these credentials in the mobile app’s memory and use them to access
Amazon S3. Generate new credentials the next time the user runs the mobile app.
E.
Record the user’s information in Amazon DynamoDB. When the user uses their mobile app, create
temporary credentials using AWS Security Token Service with appropriate permissions. Store these
credentials in the mobile app’s memory and use them to access Amazon S3. Generate new credentials the
next time the user runs the mobile app.
A?
D
D
I’d use Cognito instead; no need to store your own auth.
Use CloudFront for the photos, not direct access to S3 (with an OAI).
Then issue a signed cookie for CloudFront access to only that user’s photos, per https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-cookies.html
I’m conflicted between D and E. DynamoDB would be appropriate to scale to millions of users. A bucket policy based on provided user name would work. (Of course Cognito / Web ID federation would be much better).
Also, D mentions creating a role. I am confused – one role per user? I don’t think AWS would support that. Maybe the verbiage needs refinement.
Question asks: “… when a new user registers …” – if D, then, are you going to create millions of IAM roles? Currently the # per account is limited to 1000:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html
The right answer is E, there should be one IAM role with appropriate permissions – this point is just omitted in the answer.
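The design the thread converges on (one IAM role, temporary credentials minted per user by STS, never a long-term key in the app) can be made concrete. The following is an added example, not code from the question or from any commenter. It assumes a layout the question does not specify: each user's photos live under `users/<user_id>/` in the bucket, and a single role (hypothetical ARN `arn:aws:iam::123456789012:role/PhotoAppUser`) grants the widest S3 access any user may have. The server-side registration/login handler calls `AssumeRole` with an inline session policy that narrows that role to the caller's own prefix, which is the per-user scoping the commenters describe without creating a role per user. A session policy can only reduce the role's permissions, so a bug in it can never grant more than the role itself allows. The `FakeStsClient` stands in for `boto3.client("sts")` so the module runs offline; in production pass the real client.

```python
"""Mint per-user, short-lived S3 credentials from one IAM role via STS AssumeRole.

Added example (not from the original question). Assumptions: one bucket, user
photos under "users/<user_id>/", a single IAM role whose policy is the upper
bound of what any user may do. Each AssumeRole call attaches a session policy
scoped to the calling user's prefix. Credentials are returned to the app,
kept in memory only, and re-minted on the next app start.
"""
import json
import re
from typing import Any, Dict

# STS rejects RoleSessionName characters outside [\w+=,.@-]
_SESSION_NAME_BAD = re.compile(r"[^\w+=,.@-]")


def session_name_for(user_id: str) -> str:
    """Derive a valid RoleSessionName (2-64 chars from [\\w+=,.@-]) from a user id."""
    cleaned = _SESSION_NAME_BAD.sub("", user_id)[:64]
    if len(cleaned) < 2:
        raise ValueError("user_id does not yield a valid RoleSessionName")
    return cleaned


def build_session_policy(bucket: str, user_id: str) -> Dict[str, Any]:
    """Inline session policy limiting the assumed role to users/<user_id>/ only."""
    # Reject anything that could escape the user's own prefix in the ARN.
    if not user_id or "/" in user_id or "*" in user_id or "?" in user_id or user_id in (".", ".."):
        raise ValueError("user_id must be a single, wildcard-free path segment")
    prefix = f"users/{user_id}/"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # read, write and delete objects under the user's own prefix
                "Sid": "OwnObjects",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
            {   # listing is bucket-level, so restrict it with an s3:prefix condition
                "Sid": "OwnListing",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
        ],
    }


def issue_temporary_credentials(sts_client, role_arn: str, bucket: str,
                                user_id: str, duration_seconds: int = 900) -> Dict[str, Any]:
    """Call AssumeRole with the scoped-down session policy; return the Credentials block.

    `sts_client` is any object exposing a boto3-compatible assume_role(); pass
    boto3.client("sts") in production. 900 seconds is the STS minimum; the app
    simply asks again when they expire.
    """
    resp = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name_for(user_id),
        Policy=json.dumps(build_session_policy(bucket, user_id)),
        DurationSeconds=duration_seconds,
    )
    return resp["Credentials"]  # AccessKeyId, SecretAccessKey, SessionToken, Expiration


class FakeStsClient:
    """Offline stand-in for boto3's STS client: records the call, returns dummy creds."""

    def __init__(self) -> None:
        self.calls = []

    def assume_role(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(kwargs)
        return {"Credentials": {                      # constructed dummy values
            "AccessKeyId": "ASIAEXAMPLE",
            "SecretAccessKey": "example-secret",
            "SessionToken": "example-session-token",
            "Expiration": "2020-01-01T00:15:00Z",
        }}


if __name__ == "__main__":
    fake = FakeStsClient()
    creds = issue_temporary_credentials(
        fake, "arn:aws:iam::123456789012:role/PhotoAppUser", "photo-bucket", "user-42")
    print(json.dumps(json.loads(fake.calls[0]["Policy"]), indent=2))
    print("expires:", creds["Expiration"])
```

The same scoping idea carries over to the Cognito route the commenters prefer: the identity pool's authenticated role can use `${cognito-identity.amazonaws.com:sub}` in its resource ARNs instead of a server-built session policy, and the app never talks to your own token endpoint at all.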