An AWS customer is deploying a web application composed of a front end running on Amazon EC2 and confidential data stored on Amazon S3.

Answer options:

A.Configure the web application to authenticate end-users against the centralized access management system. Have the web application provision trusted users STS tokens entitling the download of approved data directly from Amazon S3.
B.Encrypt the data on Amazon S3 using a CloudHSM that is operated by a separate security team. Configure the web application to integrate with the CloudHSM for decrypting approved data access operations for trusted end users.
C.Configure the web application to authenticate end-users against the centralized access management system using SAML. Have the end-users authenticate to IAM using their SAML token and download the approved data directly from Amazon S3.
D.Have the separate security team create an IAM Role entitled to access the data on Amazon S3. Have the web application team provision their instances with this Role while denying their IAM users access to the data on Amazon S3.

Answer – A
Option A is CORRECT because the access to the sensitive data on Amazon S3 is only given to the authenticated users. 
Option B is incorrect because S3 doesn’t integrate directly with CloudHSM. Also, there is no centralized access management system control.
Option C is incorrect because this is an incorrect workflow of the use of SAML. It does not mention if the centralized access management system is a SAML complaint.
Option D is incorrect because, with this configuration, the web team would have access to the sensitive data on S3.
 For more information on STS, please refer to the URL-
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html