Your organization AWS Setup has an AWS S3 bucket which stores confidential documents which can be only downloaded by users authenticated and authorized via your application. You do not want to create IAM users for each of these users and as a best practice you have decided to generate AWS STS Federated User temporary credentials each time when a download request is made and then use the credentials to generate presigned URL and redirect user for download. However, when user is trying to access the presigned URL, they are getting Access Denied Error. What could be the reason?

Answer options:

A.AWS STS service must be given access in S3 bucket ACL.
B.IAM User used to generate Federated User credentials does not have access on S3 bucket.
C.IAM Role used to generate Federated User credentials does not have access on S3 bucket.
D.Your application must be whitelisted in AWS STS service to perform FederatedUser action.

Answer: B
Option A is not a correct statement.
Option B is correct.
https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html
Option C is not correct.
You can generated FederatedUser credentials using an IAM User, not using an IAM Role.
 Option D is not a correct statement.