How would the developer securely call the API without exposing the access or secret keys?
Configure Amazon Cognito identity pools and exchange the JSON Web Token (JWT) for temporary credentials.
Run the web application in an Amazon EC2 instance with the instance profile configured.
Hardcode the credentials, use Amazon S3 to host the web application, and enable server-side encryption.
Use Amazon Cognito user pool JSON Web Tokens (JWTs) to access the DynamoDB APIs.
Explanations:
Amazon Cognito identity pools provide temporary AWS credentials by exchanging the JWT from the user pool. This allows secure access to DynamoDB without exposing access or secret keys.
Running the application in an EC2 instance with an instance profile would not be appropriate for a front-end web application. The front-end should not rely on EC2 profiles for security.
Hardcoding credentials in the application is insecure and exposes sensitive information, even if hosted in Amazon S3 with server-side encryption. This violates security best practices.
Using the Cognito user pool JWT directly to access DynamoDB is not supported. The JWT is used for user authentication, but additional steps (like using identity pools for temporary credentials) are required to access AWS services securely.