🔥 3-day streak
AWS Certified Developer - Associate39 / 150
Question 39 of 150

A photo-sharing mobile app uses an Amazon Cognito identity pool to grant users temporary AWS credentials so they can upload images directly to an S3 bucket. Each user must be able to read and write ONLY objects under a prefix that matches their own Cognito identity ID (for example, private/${cognito-identity.amazonaws.com:sub}/). The developer wants to enforce this isolation without creating a separate IAM role per user. What is the MOST appropriate way to implement this?

Reviewed for accuracy · Report an issueNext question