Question 30: You are working with a company called AcmeExam.com they provide exam preparation material which can be download by the users who have subscribed and recently purchased them. You will be storing all the downloadable material in S3 bucket. How can you protect that material so that un-authorized user cannot download it?

1. You will be sharing URL of the object only with the user who had purchased, and mark this URL as not searchable.
2. You will be creating temporary credentials for the user who purchased the exam material and share those credentials with the user and those credential will expire after 60 mins.
3. You will be creating pre-signed URLs for the objects this pre-signed URL will expire after 30 mins.
4. You will be creating a role and you will assigning role to each user who had purchased the product.

Ans : C

Detailed Explanation : In the given scenario if you see that end user should be able to download the exam material from S3 bucket. However, this is not a highly protective requirement, because once I download than I can share the material among my friends or put in the Google Drive and allow public to download it. But this is illegal.

However, you don’t have control on who can share with whom. But still you want that the object from your bucket should not be available all the time to be downloaded by public. Hence, you need a solution in which URL should be active only for few minutes e.g. 30 mins or 60 mins. You can create a pre-signed URL for that. Please check below statements for pre-signed URL.

1. Any object you are sharing in S3 bucket is a private initially and only object owner has the permissions.
2. You can share objects in S3 bucket with the URL which will be active only for limited time, and they user can use their own credentials to download that object. This can be done using pre-signed URL.
3. While creating pre-signed URL you need
   1. Your credentials
   2. Bucket name and object Key
   3. HTTP method to download object e.g. Get method. To upload you provide PUT method.
   4. Expiration Date and Time.
4. You can even use the pre-signed URL to upload an object, you can upload object only if the creator of the pre-signed URL has the necessary permission to upload that object.

Other options are not correct, sharing credentials with the end user is never ever recommended. Hence, option 2 is already out.

Option-1 is also out because URL can be easily shared with anybody or can be publicly posted on internet. Hence, this option is also out.

Option-4 we don’t want to give long term access to the material. Hence, this is also not a good solution.