You are designing a photo-sharing mobile app. The application will store all pictures in a single Amazon S3 bucket. Users will upload pictures from their mobile devices directly to Amazon S3 and will be able to view and download their own pictures directly from Amazon S3. You want to configure security to handle the potential users in the most secure manner possible.

Answer options:

A.Create a set of long-term credentials using the AWS Security Token Service with appropriate permissions. Store these credentials in the mobile app and use them to access Amazon S3.
B.Set up web identity federation through Amazon Cognito for the mobile app. Use Cognito API operations to get a Cognito token and request temporary security credentials from AWS STS. Use the temporary credentials to access Amazon S3.
C.Record the user’s Information In Amazon DynamoDB. When the user uses their mobile app create temporary credentials using AWS Security Token Service with appropriate permissions. Store these credentials in the mobile app’s memory and use them to access Amazon S3. Generate new credentials the next time the user runs the mobile app.
D.Create an IAM user. Assign appropriate permissions to the IAM user Generate an access key and secret key for the IAM user, store them in the mobile app, and use these credentials to access Amazon S3.
E.Create an IAM user. Update the bucket policy with appropriate permissions for the IAM user. Generate an Access Key and Secret Key for the IAM user, store them in the mobile app and use these credentials to access Amazon S3.

Answer – B
This scenario requires the mobile application to have access to the S3 bucket. There are potentially millions of users and a proper security measures should be taken. It is suggested to set up a web identity federation through AWS Cognito.
You can let users sign in using a well-known third-party identity provider such as log in with Amazon, Facebook, Google, or any OpenID Connect (OIDC) 2.0 compatible provider. You can exchange the credentials from that provider for temporary permissions to use resources in your AWS account. This is known as the web identity federation approach to temporary access. When you use web identity federation for your mobile or web application, you don`t need to create custom sign-in code or manage your own user identities. Using a web identity federation helps you keep your AWS account secure because you don`t have to distribute long-term security credentials, such as IAM user access keys, with your application.
Option A is incorrect because you should always grant the short-term or temporary credentials for the mobile application. This option asks to create long-term credentials.
Option B is CORRECT because it configures the web identity federation through AWS Cognito by generating temporary security credentials using STS "AssumeRole" function.
Option C is incorrect because, even though the setup is very similar to option B, it does not create IAM Role with proper permissions, which is essential.
Option D is incorrect because, it asks to create an IAM User, not the IAM Role - which is not a good solution. You should create an IAM Role to access the AWS Resource via the "AssumeRole" function.
Option E is incorrect because, it asks to create an IAM User, not the IAM Role - which is not a good solution. You should create an IAM Role to access the AWS Resource via the "AssumeRole" function.
For more information on AWS temporary credentials, please refer to the below links-
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html
https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_cognito.html