A social media application uses the AWS SDK for JavaScript on the frontend to get user cr…

Question

A social media application uses the AWS SDK for JavaScript on the frontend to get user credentials from AWS Security Token Service (AWS STS). The application stores its assets in an Amazon S3 bucket. The application serves its content by using an Amazon CloudFront distribution with the origin sot to the S3 bucket. The credentials for the role that the application assumes to make the SDK calls are stored in plaintext in a JSON file within the application code. The developer needs to implement a solution that will allow the application to get user credentials without having any credentials hardcoded in the application code. Which solution will meet these requirements?

Accepted Answer

Correct answer: A. A. Add a Lambda@Edge function to the distribution. Invoke the function on viewer request. Add permissions to the function's execution role to allow the function to access AWS STS. Move all SDK calls from the frontend into the function. — Lambda@Edge supports IAM execution roles, which allows the function to securely assume roles and interact with AWS STS without hardcoding any credentials. CloudFront functions are not suitable because they do not support IAM execution roles or external network calls to the AWS STS API. Additionally, moving the credentials directly into the function code as plaintext would still represent a hardcoded security risk, making options C and D incorrect.

AWS Certified Developer – Associate — Question 285

Answer options

Correct answer: A

Explanation