18. CloudFront Signed URL’s and Cookies

A signed URL is for individual files. 1 file = 1 URL
A signed Cookie is for multiple files. 1 cookie = multiple files

When we create a signed URL or signed cookie, we attach a policy and the policy can include:
i. URL expiration
ii. IP ranges
iii. Trusted signers

If Origin is EC2 then use CloudFront.

Question 1:
What two attributes are only associated with CloudFront private content?
A. Amazon S3 URL
B. signed cookies
C. web distribution
D. signed URL
E. object
Answer (B,D)

Question 2:
Your company shares some HR videos stored in an Amazon S3 bucket via CloudFront. You need to restrict access to the private content so users coming from specific IP addresses can access the videos and ensure direct access via the Amazon S3 bucket is not possible.
How can this be achieved?
Options:
A. Configure CloudFront to require users to access the files using a signed URL, and configure the S3 bucket as a website endpoint
B. Configure CloudFront to require users to access the files using a signed URL, create an origin access identity (OAI) and restrict access to the files in the Amazon S3 bucket to the OAI
C. Configure CloudFront to require users to access the files using signed cookies, create an origin access identity (OAI) and instruct users to login with the OAI
D. Configure CloudFront to require users to access the files using signed cookies, and move the files to an encrypted EBS volume
Answer: B
Explanation
A signed URL includes additional information, for example, an expiration date and time, that gives you more control over access to your content. You can also specify the IP address or range of IP addresses of the users who can access your content.
If you use CloudFront signed URLs (or signed cookies) to limit access to files in your Amazon S3 bucket, you may also want to prevent users from directly accessing your S3 files by using Amazon S3 URLs. To achieve this you can create an origin access identity (OAI), which is a special CloudFront user, and associate the OAI with your distribution.
You can then change the permissions either on your Amazon S3 bucket or on the files in your bucket so that only the origin access identity has read permission (or read and download permission).
CORRECT: “Configure CloudFront to require users to access the files using a signed URL, create an origin access identity (OAI) and restrict access to the files in the Amazon S3 bucket to the OAI” is the correct answer.
INCORRECT: “Configure CloudFront to require users to access the files using signed cookies, create an origin access identity (OAI) and instruct users to login with the OAI” is incorrect. Users cannot login with an OAI.
INCORRECT: “Configure CloudFront to require users to access the files using signed cookies, and move the files to an encrypted EBS volume” is incorrect. You cannot use CloudFront to pull data directly from an EBS volume.
INCORRECT: “Configure CloudFront to require users to access the files using a signed URL, and configure the S3 bucket as a website endpoint” is incorrect. You cannot use CloudFront and an OAI when your S3 bucket is configured as a website endpoint.