AWS Certified Solutions Architect – Associate (SAA-C03) — Question 957

A company hosts an application in a private subnet. The company has already integrated the application with Amazon Cognito. The company uses an Amazon Cognito user pool to authenticate users.

The company needs to modify the application so the application can securely store user documents in an Amazon S3 bucket.

Which combination of steps will securely integrate Amazon S3 with the application? (Choose two.)

Answer options

• A. Create an Amazon Cognito identity pool to generate secure Amazon S3 access tokens for users when they successfully log in.
• B. Use the existing Amazon Cognito user pool to generate Amazon S3 access tokens for users when they successfully log in.
• C. Create an Amazon S3 VPC endpoint in the same VPC where the company hosts the application.
• D. Create a NAT gateway in the VPC where the company hosts the application. Assign a policy to the S3 bucket to deny any request that is not initiated from Amazon Cognito.
• E. Attach a policy to the S3 bucket that allows access only from the users' IP addresses.

Correct answer: A, C

Explanation

To authorize authenticated users to access AWS resources like Amazon S3, an Amazon Cognito identity pool is required to exchange user pool tokens for temporary AWS credentials. Additionally, since the application resides in a private subnet, creating an Amazon S3 VPC endpoint allows the application to securely access S3 privately without routing traffic over the public internet.