The best practice to securely provide short-term access to AWS resources, such as Amazon S3, without using long-term credentials, is to use AWS Security Token Service (STS). According to the AWS IAM Best Practices and the Security Pillar of the AWS Well-Architected Framework, temporary credentials should always be used over long-term credentials when possible.
From AWS IAM Documentation:
“Use temporary credentials (IAM roles and AWS STS) instead of long-term access keys. Temporary security credentials are short-term, automatically expire, and are retrieved using AWS STS.”
(Source: IAM Best Practices – IAM User Guide)
Option D outlines the use of a trust relationship and assume-role mechanism via AWS STS. This allows the on-premises application to request temporary, scoped-down credentials to upload files to S3 securely. This approach is:
Secure – Uses short-lived credentials with least privilege
Scalable – No need for EC2 or VPN tunnels
Low Operational Overhead – No infrastructure to maintain
AWS-Recommended – Aligned with security best practices
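To make the assume-role flow in Option D concrete, here is an added example (not from the source explanation or from AWS documentation) showing the three pieces a practitioner actually has to get right: the trust relationship on the target role (restricted to one principal and an ExternalId), a session policy that scopes the temporary credentials down to PutObject on a single prefix, and a check that the credentials have not expired before an upload starts. The role ARN, bucket, prefix, external ID and trusted principal are placeholders you must replace; the boto3 calls are real AWS SDK calls but are only executed by `assume_and_upload`, which needs network access and AWS credentials.

```python
"""Added example: short-term S3 access via STS AssumeRole with a scoped-down session.

All ARNs, bucket names and the ExternalId below are placeholders (assumptions),
not values from the original explanation.
"""
import json
from datetime import datetime, timedelta, timezone

ROLE_ARN = "arn:aws:iam::123456789012:role/OnPremUploadRole"      # placeholder
TRUSTED_PRINCIPAL = "arn:aws:iam::123456789012:user/onprem-app"   # placeholder
BUCKET = "example-upload-bucket"                                   # placeholder
PREFIX = "uploads/"                                                # placeholder
EXTERNAL_ID = "replace-with-a-long-random-secret"                  # placeholder


def trust_policy(trusted_principal_arn: str, external_id: str) -> dict:
    """Trust relationship attached to the target role.

    Only the named principal may call sts:AssumeRole, and only when it presents
    the agreed ExternalId, which blocks the confused-deputy case where some other
    party is able to name the role ARN.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": trusted_principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def session_policy(bucket: str, prefix: str) -> dict:
    """Inline session policy passed to AssumeRole.

    A session policy can only narrow what the role already allows, so the
    temporary credentials end up limited to PutObject under one prefix even if
    the role's permissions policy is broader.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
        }],
    }


def credentials_are_usable(creds: dict, now: datetime,
                           skew: timedelta = timedelta(minutes=5)) -> bool:
    """STS credentials carry an Expiration (tz-aware datetime in boto3).

    Treat them as unusable a few minutes early so a long upload does not fail
    part-way when the token lapses.
    """
    return creds["Expiration"] - skew > now


def assume_and_upload(local_path: str, key: str, duration_seconds: int = 900):
    """Assume the role, then upload with the temporary credentials only.

    900 seconds is the minimum DurationSeconds STS accepts; keep it as short as
    the workload allows. boto3 is imported here so the pure helpers above can be
    used (and tested) without the SDK installed.
    """
    import boto3

    sts = boto3.client("sts")
    resp = sts.assume_role(
        RoleArn=ROLE_ARN,
        RoleSessionName="onprem-uploader",   # appears in CloudTrail for auditing
        ExternalId=EXTERNAL_ID,
        DurationSeconds=duration_seconds,
        Policy=json.dumps(session_policy(BUCKET, PREFIX)),
    )
    creds = resp["Credentials"]
    if not credentials_are_usable(creds, datetime.now(timezone.utc)):
        raise RuntimeError("temporary credentials expire too soon to start the upload")

    # No long-term keys are configured on this client: only the STS session.
    s3 = boto3.client(
        "s3",
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    s3.upload_file(local_path, BUCKET, PREFIX + key)
    return creds["Expiration"]


if __name__ == "__main__":
    # Print the trust policy to attach to the role (placeholders included).
    print(json.dumps(trust_policy(TRUSTED_PRINCIPAL, EXTERNAL_ID), indent=2))
```

The trust policy goes on the role in the account that owns the bucket; the session policy is supplied by the caller at assume time and is a cheap way to make each upload session narrower than the role itself. The ExternalId condition matters whenever the role can be named by a third party, and the RoleSessionName is what you will look for in CloudTrail when auditing who assumed the role.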
In contrast:
Option A uses long-term credentials, which is a security risk.
Option B requires additional infrastructure (EC2, VPN), increasing complexity and cost.
Option C relies on IP-based access (allow-listing source addresses), which is insecure: a source address does not authenticate an identity and cannot be scoped by least privilege the way an IAM principal can.
References:
AWS IAM Best Practices – "Use temporary credentials"
AWS Security Token Service – "Temporary Security Credentials"
AWS Well-Architected Framework – Security Pillar