AWS Certified Advanced Networking - Specialty: Cloudfront Distribution Access Control

Ensure Secure Content Access with Cloudfront Distribution


Question

Your company is currently using a Cloudfront distribution to distribute content to users.

Which of the following can be used to ensure that only authorized users can access content from the distribution?

Choose 2 answers from the options below.

Answers

Explanations


Answer - B and C.

The AWS documentation says the following about CloudFront signed cookies and Origin Access Identity (OAI).

CloudFront signed cookies allow you to control who can access your content when you don't want to change your current URLs or when you want to provide access to multiple restricted files, for example, all of the files in the subscribers' area of a website.

For more information on signed cookies, please refer to the URL below:

http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-cookies.html

For more information on OAI, please refer to the URL below:

http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

To ensure that only authorized users can access content from a Cloudfront distribution, the following two options can be used:

  1. Configure CloudFront Origin Access Identity (OAI):

An OAI is an AWS identity that you can associate with your Amazon S3 bucket or your custom origin. When you create an OAI, CloudFront generates a special CloudFront domain name for your distribution, and you can use this domain name to grant permission to CloudFront to access your objects.

When you configure CloudFront to use an OAI, users can only access content through CloudFront, and not directly from the origin. This means that users can't bypass CloudFront and access the content directly.

  2. Configure signed cookies:

Signed cookies allow you to control access to your content at a more granular level. With signed cookies, you can control access to specific URLs, set expiration dates for the access, and even limit the number of downloads that a user can perform.

When you configure signed cookies, CloudFront requires users to provide a signed cookie with each request. CloudFront then verifies the signature on the cookie and grants access to the content if the signature is valid.

By configuring CloudFront with one or both of these options, you can ensure that only authorized users can access your content.
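The signed-cookie flow described under option 2, as an added example that is not part of the original page or of AWS's own code: the issuing side builds a custom policy, signs it and emits the three cookies CloudFront expects (CloudFront-Policy, CloudFront-Signature, CloudFront-Key-Pair-Id); the verifying side reproduces the checks the edge performs (known key pair, valid signature, resource match, expiry, source IP). The RSA key pair is a constructed toy built from two Mersenne primes so the block runs offline with the standard library only, the key-pair ID is a placeholder, and the distribution domain is a made-up example; in a real deployment the private key is the one whose public half is registered with the distribution.

```python
"""CloudFront signed cookies: issue and verify (added example, stdlib only).

Each request must carry three cookies:
  CloudFront-Policy       the policy JSON, base64 in CloudFront's cookie-safe alphabet
  CloudFront-Signature    RSA-SHA1 signature over the exact policy bytes, same encoding
  CloudFront-Key-Pair-Id  ID of the public key registered with the distribution
The RSA key below is a constructed toy (two Mersenne primes) so the example runs
offline; a real signer uses the private key whose public half CloudFront holds.
"""
import base64
import hashlib
import ipaddress
import json
import re

_P = (1 << 521) - 1                  # Mersenne prime 2^521 - 1 (toy key, constructed)
_Q = (1 << 127) - 1                  # Mersenne prime 2^127 - 1 (toy key, constructed)
N = _P * _Q
E = 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))
_K = (N.bit_length() + 7) // 8       # modulus size in bytes (81 for this toy key)
KEY_PAIR_ID = "APKAEXAMPLEKEYPAIRID"  # placeholder, not a real CloudFront key-pair ID
_SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # RFC 8017 s9.2


def _emsa_pkcs1_v15(message: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-1(message), returned as an integer."""
    t = _SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    em = b"\x00\x01" + b"\xff" * (_K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")


def rsa_sha1_sign(message: bytes) -> bytes:
    return pow(_emsa_pkcs1_v15(message), D, N).to_bytes(_K, "big")


def rsa_sha1_verify(message: bytes, signature: bytes) -> bool:
    if len(signature) != _K:
        return False
    return pow(int.from_bytes(signature, "big"), E, N) == _emsa_pkcs1_v15(message)


def cf_b64encode(data: bytes) -> str:
    """CloudFront's cookie-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(data).decode("ascii").translate(str.maketrans("+=/", "-_~"))


def cf_b64decode(text: str) -> bytes:
    return base64.b64decode(text.translate(str.maketrans("-_~", "+=/")))


def make_signed_cookies(resource: str, expires_epoch: int, source_ip: str = "") -> dict:
    """Issuer side: custom policy for `resource` (CloudFront allows * and ? wildcards)."""
    condition = {"DateLessThan": {"AWS:EpochTime": expires_epoch}}
    if source_ip:
        condition["IpAddress"] = {"AWS:SourceIp": source_ip}
    policy = {"Statement": [{"Resource": resource, "Condition": condition}]}
    policy_bytes = json.dumps(policy, separators=(",", ":")).encode()  # signed verbatim
    return {
        "CloudFront-Policy": cf_b64encode(policy_bytes),
        "CloudFront-Signature": cf_b64encode(rsa_sha1_sign(policy_bytes)),
        "CloudFront-Key-Pair-Id": KEY_PAIR_ID,
    }


def _resource_matches(pattern: str, url: str) -> bool:
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, url) is not None


def authorize(cookies: dict, url: str, client_ip: str, now_epoch: int) -> bool:
    """Edge-side decision for one request: known key, valid signature, policy satisfied."""
    try:
        if cookies["CloudFront-Key-Pair-Id"] != KEY_PAIR_ID:
            return False
        policy_bytes = cf_b64decode(cookies["CloudFront-Policy"])
        signature = cf_b64decode(cookies["CloudFront-Signature"])
        if not rsa_sha1_verify(policy_bytes, signature):
            return False                # policy tampered with, or signed by another key
        stmt = json.loads(policy_bytes)["Statement"][0]
        cond = stmt["Condition"]
        if not _resource_matches(stmt["Resource"], url):
            return False                # cookie is for a different path
        if now_epoch >= cond["DateLessThan"]["AWS:EpochTime"]:
            return False                # expired
        start = cond.get("DateGreaterThan", {}).get("AWS:EpochTime")
        if start is not None and now_epoch < start:
            return False                # not yet valid
        cidr = cond.get("IpAddress", {}).get("AWS:SourceIp")
        if cidr and ipaddress.ip_address(client_ip) not in ipaddress.ip_network(cidr, strict=False):
            return False                # viewer outside the allowed range
    except (KeyError, IndexError, ValueError, TypeError):
        return False                    # missing cookie, bad base64, or malformed policy
    return True
```

The point the explanation makes is visible in `authorize`: the signature check comes first, so a viewer who rewrites the policy cookie to push the expiry out or widen the path fails before any condition is evaluated. In production the issuing side would normally be the AWS SDK's signer (for example `botocore.signers.CloudFrontSigner` in Python) with the real private key, and the verification is done by CloudFront itself; the edge-side function here only mirrors those checks so the failure modes can be exercised locally.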

The other two options listed in the question, configuring SSL on the distribution and configuring Network Access Control Lists (NACLs), do not provide the same level of control over access to your content.

Configuring SSL on the distribution encrypts traffic between the user and the CloudFront distribution, but it does not control who can access the content.

Configuring NACLs controls access to the underlying resources, but it does not control access to the content itself.
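What does restrict access at the origin for option 1 is the S3 bucket policy that grants object reads to the OAI principal and to nothing else. The following is an added example, not code from the page or from AWS: it builds that bucket policy and audits an existing policy for Allow statements that would let a viewer read objects straight from S3 and bypass CloudFront (a public principal, or a read grant to some other principal that should be reviewed). The bucket name and OAI ID are constructed placeholders; a real OAI ID comes from the CloudFront console or API, and the principal format is the one AWS documents for an OAI.

```python
"""S3 origin locked to a CloudFront Origin Access Identity (added example).

Builds the bucket policy that lets only the OAI read objects, and audits a
policy for read grants that would let viewers bypass CloudFront.
"""
import json

BUCKET = "example-media-bucket"   # constructed placeholder
OAI_ID = "E1EXAMPLEOAIID"         # constructed placeholder, not a real OAI ID


def oai_principal(oai_id: str) -> str:
    """IAM-style principal CloudFront documents for an OAI."""
    return f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"


def build_oai_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Grant s3:GetObject on the bucket's objects to the OAI only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": oai_principal(oai_id)},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def render_policy(policy: dict) -> str:
    """JSON text suitable for `aws s3api put-bucket-policy --policy file://...`."""
    return json.dumps(policy, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_public(principal) -> bool:
    # Principal may be the string "*" or {"AWS": "*"} / {"AWS": [..., "*"]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def audit_origin_policy(policy: dict, oai_id: str) -> list:
    """Return findings for Allow statements that grant object reads to anyone but the OAI.

    An empty list means every read grant in the policy is to the distribution's OAI,
    so objects are reachable only through CloudFront.
    """
    findings = []
    expected = oai_principal(oai_id)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue                      # Deny statements cannot open a bypass
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"s3:getobject", "s3:get*", "s3:*", "*"}:
            continue                      # statement does not grant object reads
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if _is_public(principal):
            findings.append(f"{sid}: public principal can read objects directly, bypassing CloudFront")
            continue
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        for p in aws_principals:
            if p != expected:
                findings.append(f"{sid}: read granted to {p} (not the OAI; confirm it is an operator, not a viewer path)")
    return findings
```

Run `audit_origin_policy` against the live policy from `aws s3api get-bucket-policy` as a periodic check: the OAI-only policy produces no findings, while any later "make it public to fix a 403" change shows up as a finding, since a world-readable bucket gives viewers a URL that skips the signed-cookie check entirely.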