What is the MOST secure way to share the documents with the external users?
Use S3 presigned URLs to share the documents with the external users. Set an expiration time of 7 days.
Move the documents to an Amazon WorkDocs folder. Share the links of the WorkDocs folder with the external users.
Create temporary IAM users that have read-only access to the S3 bucket. Share the access keys with the external users. Expire the credentials after 7 days.
Create a role that has read-only access to the S3 bucket. Share the Amazon Resource Name (ARN) of this role with the external users.
Explanations:
S3 presigned URLs allow temporary, secure access to objects in an S3 bucket, with an expiration time set to 7 days. This is a highly secure method as it grants temporary access to external users without needing to share permanent credentials.
Amazon WorkDocs is not designed for securely sharing S3 files. It requires moving the documents to a different service, which adds unnecessary complexity and may not be as secure as using S3 presigned URLs.
Creating temporary IAM users and sharing access keys introduces unnecessary complexity and security risks. Sharing access keys is not a best practice, as it exposes sensitive credentials and can lead to misuse.
Creating a role with read-only access to the S3 bucket and sharing the ARN is not secure. The external users would need to assume the role, and sharing an ARN alone does not provide secure access. Additionally, IAM roles are typically used for AWS internal resources, not external sharing.