A company wants to grant a third-party auditor read-only access to specific CloudTrail log files stored in an S3 bucket. The auditor should not be able to list or access any other objects in the bucket. What is the most secure way to achieve this?
Pre-signed URLs provide time-limited access to specific objects without requiring AWS credentials.
Why this answer
Using S3 pre-signed URLs grants time-limited access to specific objects without requiring the auditor to have AWS credentials. Option A is wrong because it grants broad access. Option B is wrong because a bucket policy granting GetObject for the auditor's IAM user still allows listing if they have ListBucket permission. Option D is wrong because CloudTrail does not natively provide access to log files.