AWS Certified Solutions Architect – Associate (SAA-C03) — Question 303
A company is hosting a web application from an Amazon S3 bucket. The application uses Amazon Cognito as an identity provider to authenticate users and return a JSON Web Token (JWT) that provides access to protected resources that are stored in another S3 bucket.
Upon deployment of the application, users report errors and are unable to access the protected content. A solutions architect must resolve this issue by providing proper permissions so that users can access the protected content.
Which solution meets these requirements?
Answer options
- A. Update the Amazon Cognito identity pool to assume the proper IAM role for access to the protected content.
- B. Update the S3 ACL to allow the application to access the protected content.
- C. Redeploy the application to Amazon S3 to prevent eventually consistent reads in the S3 bucket from affecting the ability of users to access the protected content.
- D. Update the Amazon Cognito pool to use custom attribute mappings within the identity pool and grant users the proper permissions to access the protected content.
Correct answer: A
Explanation
Amazon Cognito identity pools provide temporary AWS credentials to authenticated users so they can access AWS services directly. To allow users to access protected resources in an Amazon S3 bucket, the identity pool must be configured to assume an IAM role that contains the necessary permissions. Modifying S3 ACLs or using custom attribute mappings does not grant the required AWS credentials to the authenticated Cognito users.
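The following CloudFormation fragment is an added illustration of option A and is not part of the original question or an AWS-provided template: it shows an IAM role whose trust policy lets the identity pool (via `sts:AssumeRoleWithWebIdentity`) hand out credentials only to authenticated identities of that specific pool, scopes the role to reading objects in the protected bucket, and attaches the role to the pool's `authenticated` slot. The parameters `IdentityPoolId` and `ProtectedBucketName` are placeholders for values that come from the deployment.

```yaml
# Added example, not from the question page. Placeholders: IdentityPoolId, ProtectedBucketName.
Parameters:
  IdentityPoolId:
    Type: String          # existing Cognito identity pool, "<region>:<uuid>" (placeholder)
  ProtectedBucketName:
    Type: String          # bucket holding the protected content (placeholder)

Resources:
  CognitoAuthenticatedRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only the Cognito identity service may assume this role,
      # and only for identities from this pool that logged in (amr = authenticated).
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                cognito-identity.amazonaws.com:aud: !Ref IdentityPoolId
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr: authenticated
      # Permissions policy: least privilege, read-only on the protected bucket.
      Policies:
        - PolicyName: ReadProtectedContent
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: s3:GetObject
                Resource: !Sub "arn:aws:s3:::${ProtectedBucketName}/*"

  # Map the role to the pool so authenticated users receive credentials for it.
  IdentityPoolRoleAttachment:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref IdentityPoolId
      Roles:
        authenticated: !GetAtt CognitoAuthenticatedRole.Arn
```

If the `aud` or `amr` conditions are omitted, any identity pool in the account (or unauthenticated guests of this one) could obtain the role, so both conditions are part of the fix rather than optional hardening.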