
## Answer-first summary for fast verification
Answer: Update the Amazon Cognito identity pool to assume the proper IAM role for access to the protected content.
## Explanation

**Correct Answer: A**

**Why Option A is correct:**

1. **Amazon Cognito identity pools** (also referred to as Amazon Cognito Federated Identities) provide temporary AWS credentials to authenticated users. These credentials allow users to access AWS resources such as S3 buckets.
2. When users authenticate with an Amazon Cognito user pool, they receive a JWT. A JWT alone does not grant access to AWS resources such as the protected S3 bucket; for that, users need temporary AWS credentials, which the identity pool provides.
3. The identity pool assumes an IAM role to obtain these temporary credentials for authenticated users. If that IAM role lacks the permissions needed to read the protected S3 bucket, users receive access denied errors.
4. Updating the identity pool to assume the proper IAM role, one whose permissions policy grants the required S3 access, means users receive credentials that allow them to access the protected content.

**Why the other options are incorrect:**

**Option B:** S3 ACLs are a legacy access control mechanism that is generally not recommended for new applications. More importantly, the issue concerns authenticated users accessing protected content, which requires proper IAM permissions obtained through the identity pool, not S3 ACLs.

**Option C:** Redeploying the application to prevent eventually consistent reads does not address the permission issue. Eventual consistency concerns data consistency, not authentication or authorization.

**Option D:** Custom attribute mappings in the identity pool map user attributes from the identity provider to IAM session tags; they do not by themselves grant permissions. The core issue is that the IAM role assumed by the identity pool lacks the proper S3 permissions.
**Key AWS Concepts:**

- **Amazon Cognito User Pools**: user directory and authentication service
- **Amazon Cognito Identity Pools**: provide temporary AWS credentials to authenticated users
- **IAM Roles**: define permissions for AWS services and resources
- **JWT Tokens**: used for authentication, not for direct access to AWS resources

**Solution Architecture:**

1. Users authenticate with the Cognito user pool and receive a JWT.
2. The JWT is exchanged for temporary AWS credentials via the identity pool.
3. The identity pool assumes an IAM role to obtain those credentials.
4. Users use the credentials to access the protected S3 content.
5. If the IAM role lacks S3 permissions, access is denied; the fix is to point the identity pool at a role with the proper permissions.
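To make the fix in step 5 concrete, here is an added example (not part of the question or of any AWS library) that statically checks the IAM role an identity pool hands to authenticated users: the trust policy must be scoped to `cognito-identity.amazonaws.com`, this pool's ID and authenticated identities, and the permissions policy must allow `s3:GetObject` on the protected bucket. The pool ID and bucket names are constructed placeholders, and the "before" policy reproduces the question's failure: the role can read the hosting bucket but not the protected one.

```python
"""Static check of the IAM role assumed by a Cognito identity pool (added example)."""
from fnmatch import fnmatchcase

POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"  # constructed placeholder
BUCKET = "example-protected-content"                         # constructed placeholder

# Trust policy: only the Cognito identity service may assume the role, only for
# this pool, and only for authenticated (not guest) identities.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "cognito-identity.amazonaws.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
        "StringEquals": {"cognito-identity.amazonaws.com:aud": POOL_ID},
        "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"}}}]}

# "Before": the role only reads the bucket that hosts the web application.
BROKEN_PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-web-app-hosting/*"}]}

# "After": least-privilege read access to objects in the protected bucket.
FIXED_PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

def _aslist(v):
    return v if isinstance(v, list) else [v]

def check_role(trust, perms, pool_id, bucket):
    """Return findings; an empty list means authenticated users of the pool can read objects.
    Explicit Deny statements, bucket policies and SCPs are not evaluated here."""
    findings = []
    trusted = False
    for s in _aslist(trust["Statement"]):
        cond = s.get("Condition", {})
        trusted |= (s.get("Effect") == "Allow"
                    and s.get("Principal", {}).get("Federated") == "cognito-identity.amazonaws.com"
                    and "sts:AssumeRoleWithWebIdentity" in _aslist(s.get("Action"))
                    and cond.get("StringEquals", {}).get("cognito-identity.amazonaws.com:aud") == pool_id
                    and cond.get("ForAnyValue:StringLike", {}).get("cognito-identity.amazonaws.com:amr") == "authenticated")
    if not trusted:
        findings.append("trust policy is not scoped to authenticated identities of this pool")
    obj_arn = f"arn:aws:s3:::{bucket}/any-object"  # representative object in the protected bucket
    readable = any(s.get("Effect") == "Allow"
                   and any(fnmatchcase("s3:GetObject", a) for a in _aslist(s.get("Action")))
                   and any(fnmatchcase(obj_arn, r) for r in _aslist(s.get("Resource")))
                   for s in _aslist(perms["Statement"]))
    if not readable:
        findings.append(f"permissions policy does not allow s3:GetObject on {bucket}/*")
    return findings
```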
Author: LeetQuiz Editorial Team
A company is hosting a web application from an Amazon S3 bucket. The application uses Amazon Cognito as an identity provider to authenticate users and return a JSON Web Token (JWT) that provides access to protected resources that are stored in another S3 bucket.
Upon deployment of the application, users report errors and are unable to access the protected content. A solutions architect must resolve this issue by providing proper permissions so that users can access the protected content.
Which solution meets these requirements?
A. Update the Amazon Cognito identity pool to assume the proper IAM role for access to the protected content.

B. Update the S3 ACL to allow the application to access the protected content.

C. Redeploy the application to Amazon S3 to prevent eventually consistent reads in the S3 bucket from affecting the ability of users to access the protected content.

D. Update the Amazon Cognito pool to use custom attribute mappings within the identity pool and grant users the proper permissions to access the protected content.