You have an application on EC2 which stores the files in an S3 bucket. EC2 is being launched using a role that has GetObject permissions on the S3 bucket defined in its policy. The users who authenticate this application will get a pre-signed URL for the files in an S3 bucket using EC2 role temporary credentials. However, users are reporting that they get an error when accessing pre-signed URLs. What could be the reason? (SELECT TWO)

Answer options:

A.Pre-Signed URLs expired.
B.Logged in user must be an IAM user to download the file through a pre-signed URL.
C.Bucket has a "Deny" policy. EC2 role not whitelisted in the policy statement with Allow.
D.The default policy on temporary credentials does not have GetObject privileges on a S3 bucket.

Answer: A, C
All objects in S3 are private by default. Only the object owner has permission to access these objects. However, the object owner can optionally share objects with others by creating a pre-signed URL, using their own security credentials, to grant time-limited permission to download the objects.
Anyone who receives the pre-signed URL can then access the object. For example, if you have a video in your bucket and both the bucket and the object are private, you can share the video with others by generating a pre-signed URL.
For more information, refer to the documentation here.
https://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html
For option A, while generating pre-signed URL programmatically using SDK/API, we estimate how long the URL should be valid. When the URL is accessed after the specified duration, you will get an error.
For option B, AWS recommends using temporary credentials whenever users need time-limited access to AWS resources instead of using IAM users for each request.
For more information on temporary credentials, refer to the documentation here. 
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html
For option C, if a bucket policy contains Effect as Deny, you must whitelist all the IAM resources which need access on the bucket. Otherwise, IAM resources cannot access the S3 bucket even if they have full access.
For detailed information on how to restrict the bucket, refer to documentation here. 
https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/
For option D, the policy is an optional parameter when temporary credentials are generated using AssumeRole (which is how EC2 generates temporary credentials using instance-profile). There is no default policy.