Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 325 discussion

To resolve the issue and provide proper permissions for users to access the protected content, the recommended solution is: A. Update the Amazon Cognito identity pool to assume the proper IAM role for access to the protected content. Explanation: Amazon Cognito provides authentication and user management services for web and mobile applications. In this scenario, the application is using Amazon Cognito as an identity provider to authenticate users and obtain JSON Web Tokens (JWTs). The JWTs are used to access protected resources stored in another S3 bucket. To grant users access to the protected content, the proper IAM role needs to be assumed by the identity pool in Amazon Cognito. By updating the Amazon Cognito identity pool with the appropriate IAM role, users will be authorized to access the protected content in the S3 bucket.

A is the best solution as it directly addresses the issue of permissions and grants authenticated users the necessary IAM role to access the protected content. A suggests updating the Amazon Cognito identity pool to assume the proper IAM role for access to the protected content. This is a valid solution, as it would grant authenticated users the necessary permissions to access the protected content.

IAM role is assinged to IAM users or groups or assumed by AWS service. So IAM role is given to AWS Cognito service which provides temporary AWS credentials to authenticated users. so technically When a user is authenticated by Cognito, they receive temporary credentials based on the IAM role tied to the Cognito identity pool. If this IAM role has permissions to access certain S3 buckets or objects, the authenticated user will be able to access those resources as allowed by the role. This service is used under the hood by Cognito to provide these temporary credentials. The credentials are limited in time and scope based on the permissions defined in the IAM role.

A. Update the Amazon Cognito identity pool to assume the proper IAM role for access to the protected content.

Services access other services via IAM Roles. Hence why updating AWS Cognito identity pool to assume proper IAM Role is the right solution.

Amazon Cognito identity pools assign your authenticated users a set of temporary, limited-privilege credentials to access your AWS resources. The permissions for each user are controlled through IAM roles that you create. https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html

A makes no sense - Cognito is not accessing the S3 resource. It just returns the JWT token that will be attached to the S3 request. D is the right answer, using custom attributes that are added to the JWT and used to grant permissions in S3. See https://docs.aws.amazon.com/cognito/latest/developerguide/using-attributes-for-access-control-policy-example.html for an example.

Services access other services via IAM Roles.

ANSWER - A https://docs.aws.amazon.com/cognito/latest/developerguide/tutorial-create-identity-pool.html You have to create an custom role such as read-only

Answer is A