AWS Certified Developer – Associate — Question 363
A developer is building a web and mobile application for two types of users: regular users and guest users. Regular users are required to log in, but guest users do not log in. Users should see only their data, regardless of whether they authenticate. Users need AWS credentials before they can access AWS resources.
What is the MOST secure solution that the developer can implement to allow access for guest users?
Answer options
- A. Use an Amazon Cognito credentials provider to issue temporary credentials that are linked to an unauthenticated role that has access to the required resources.
- B. Set up an IAM user that has permissions to the required resources. Hardcode the IAM credentials in the web and mobile application.
- C. Generate temporary keys that are stored in AWS Key Management Service (AWS KMS). Use the temporary keys to access the required resources.
- D. Generate temporary credentials. Store the temporary credentials in AWS Secrets Manager. Use the temporary credentials to access the required resources.
Correct answer: A
Explanation
Amazon Cognito identity pools (federated identities) are designed to serve both authenticated and unauthenticated (guest) identities. Each identity pool is configured with two IAM roles, one for authenticated identities and one for unauthenticated ones, and the Cognito credentials provider exchanges an identity ID for temporary, limited-privilege AWS credentials tied to the matching role. The GetId and GetCredentialsForIdentity calls behind the provider need no AWS credentials of their own, so a guest can obtain credentials without the app shipping any long-lived secret (the identity pool ID is not a secret). Because every identity, guest or not, receives a unique identity ID, the "users see only their data" requirement is met by writing the role's permissions policy against the `${cognito-identity.amazonaws.com:sub}` policy variable, for example as a DynamoDB leading key or an S3 key prefix, so that each identity can reach only its own items or objects.
Option B is wrong because hardcoded IAM user credentials are long-lived, shared by every installation, trivially extracted from a web bundle or mobile binary, and cannot distinguish one user from another. Option C is wrong because AWS KMS stores and uses cryptographic keys for encryption and signing; it does not issue or store AWS access credentials. Option D is wrong because a client still needs AWS credentials to call Secrets Manager in the first place, and a single stored credential would again be shared across all users rather than scoped per identity.
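The following is an added illustration, not part of the exam page: it shows the two pieces a practitioner would actually write for option A, the trust policy that lets only unauthenticated identities from one specific identity pool assume the guest role, the permissions policy that scopes that role to each identity's own data via `${cognito-identity.amazonaws.com:sub}`, and the unsigned Cognito call sequence that vends the temporary credentials. The identity pool ID, region, account ID, table ARN and bucket name are placeholders I chose for the example; the network-calling function requires boto3 and real AWS resources and is only there to show the flow.

```python
"""Guest (unauthenticated) access through an Amazon Cognito identity pool.

Added example for the exam question above, not code from the page. All
identifiers below (pool ID, region, account, table, bucket) are assumed
placeholders; replace them with your own values.
"""
import json

# Placeholder values (assumptions, not from the question).
REGION = "us-east-1"
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"
TABLE_ARN = "arn:aws:dynamodb:us-east-1:111122223333:table/AppData"
BUCKET = "app-user-data-example"

# The IAM policy variable that resolves to the caller's Cognito identity ID.
COGNITO_SUB = "${cognito-identity.amazonaws.com:sub}"


def unauthenticated_role_trust_policy(identity_pool_id: str) -> dict:
    """Trust policy for the role the identity pool hands to guests.

    `aud` pins the role to this one identity pool and `amr` restricts it to
    unauthenticated identities, so neither another pool nor an authenticated
    user can assume the guest role.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": identity_pool_id
                },
                "ForAnyValue:StringLike": {
                    "cognito-identity.amazonaws.com:amr": "unauthenticated"
                },
            },
        }],
    }


def guest_permissions_policy(table_arn: str, bucket: str) -> dict:
    """Permissions policy for the guest role, scoped to the caller's own data.

    Using the identity ID as the DynamoDB leading (partition) key and as the
    S3 object prefix means a guest can only read or write items and objects
    under its own identity, which is the "see only their data" requirement.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
                "Resource": table_arn,
                "Condition": {
                    "ForAllValues:StringEquals": {"dynamodb:LeadingKeys": [COGNITO_SUB]}
                },
            },
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": f"arn:aws:s3:::{bucket}/private/{COGNITO_SUB}/*",
            },
        ],
    }


def guest_credentials(identity_pool_id: str, region: str) -> dict:
    """Obtain temporary guest credentials with the Cognito credential flow.

    GetId and GetCredentialsForIdentity are unauthenticated API calls, so the
    client is configured unsigned: the app embeds no long-lived secret. The
    returned keys are temporary and limited to the unauthenticated role.
    Needs boto3, network access and a real identity pool (not run offline).
    """
    import boto3  # imported lazily so the policy helpers work without boto3
    from botocore import UNSIGNED
    from botocore.config import Config

    client = boto3.client("cognito-identity", region_name=region,
                          config=Config(signature_version=UNSIGNED))
    identity_id = client.get_id(IdentityPoolId=identity_pool_id)["IdentityId"]
    creds = client.get_credentials_for_identity(IdentityId=identity_id)["Credentials"]
    return {
        "IdentityId": identity_id,  # the value COGNITO_SUB resolves to in IAM
        "AccessKeyId": creds["AccessKeyId"],
        "SecretKey": creds["SecretKey"],
        "SessionToken": creds["SessionToken"],
        "Expiration": creds["Expiration"],
    }


if __name__ == "__main__":
    print(json.dumps(unauthenticated_role_trust_policy(IDENTITY_POOL_ID), indent=2))
    print(json.dumps(guest_permissions_policy(TABLE_ARN, BUCKET), indent=2))
```

Two points worth checking in a real deployment: the `amr` condition is what keeps an authenticated user from picking up the guest role, and the policy variable only isolates data if the table's partition key and the bucket layout are actually keyed by the identity ID; a table keyed by anything else leaves the `LeadingKeys` condition meaningless.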