AWS Certified Developer – Associate (DVA-C02) — Question 495
A developer is writing a web application that must share secure documents with end users. The documents are stored in a private Amazon S3 bucket. The application must allow only authenticated users to download specific documents when requested, and only for a duration of 15 minutes.
How can the developer meet these requirements?
Answer options
- A. Copy the documents to a separate S3 bucket that has a lifecycle policy for deletion after 15 minutes.
- B. Create a presigned S3 URL using the AWS SDK with an expiration time of 15 minutes.
- C. Use server-side encryption with AWS KMS managed keys (SSE-KMS) and download the documents using HTTPS.
- D. Modify the S3 bucket policy to only allow specific users to download the documents. Revert the change after 15 minutes.
Correct answer: B
Explanation
Generating an S3 presigned URL is the standard AWS mechanism for granting time-limited access to private S3 objects without modifying bucket policies or exposing the files publicly. The application creates the URL for the requested document once the user is authenticated and sets its expiration to 15 minutes. S3 lifecycle policies (Option A) would delete the actual files, while modifying bucket policies dynamically (Option D) is impractical and does not scale. Server-side encryption combined with HTTPS downloads (Option C) protects data at rest and in transit but does not address the 15-minute download window requirement.