AWS Certified SysOps Administrator – Associate — Question 325
A SysOps administrator wants to securely share an object from a private Amazon S3 bucket with a group of users who do not have an AWS account.
What is the MOST operationally efficient solution that will meet this requirement?
Answer options
- A. Attach an S3 bucket policy that only allows object downloads from the users' IP addresses.
- B. Create an IAM role that has access to the object. Instruct the users to assume the role.
- C. Create an IAM user that has access to the object. Share the credentials with the users.
- D. Generate a presigned URL for the object. Share the URL with the users.
Correct answer: D
Explanation
Generating a presigned URL is the most operationally efficient way to grant temporary access to a private S3 object for users who do not have AWS credentials. Creating IAM users or roles is impractical and violates security best practices when sharing access with external parties: a shared IAM user puts one set of long-lived credentials in the hands of a whole group, and assuming a role requires an identity that AWS can authenticate, which these users do not have. Restricting access by IP address via a bucket policy is difficult to manage and does not provide a secure, individualized access mechanism for non-AWS users.