SAA-C03
A company is building a mobile application that allows users to upload photos directly to Amazon S3. The backend uses Amazon Cognito for user authentication. The solutions architect needs to ensure that each authenticated user can only upload to their own folder in S3 (e.g., s3://bucket/users/{cognito-user-id}/) and cannot read or write to other users' folders. Which approach should the architect use?
Create a separate S3 bucket for each user and assign each user an IAM role with access to their own bucket.
Create a Lambda function that validates the user's Cognito token and proxies all S3 upload requests, enforcing folder-level access control.
Create an IAM role for the Cognito identity pool with a policy that uses the ${cognito-identity.amazonaws.com:sub} condition variable to scope S3 access to the authenticated user's folder.
Use S3 bucket ACLs to grant each user read/write access to their own folder prefix.
