AWS Certified SysOps Administrator - Associate: Restricting Access to Project Documents with Amazon CloudFront

Restricting Access to Project Documents with Amazon CloudFront

Question

An engineering company needs to share project documents stored on Amazon EC2 instances with global vendors.

These Amazon EC2 instances are front-ended by Amazon CloudFront.

The Security Team wants to restrict access to individual project documents so that only specific vendors can have access to individual documents. Which setting can be done with Amazon CloudFront to restrict this access?

Answers

A. Use Field Level encryption
B. Use OAI
C. Use Signed URLs
D. Use Signed Cookies

Explanations

Correct Answer: C.

Amazon CloudFront signed URLs and signed cookies control access to content that CloudFront serves, whatever the origin; an Amazon EC2 instance behind CloudFront is a custom origin, so both mechanisms work here.

Signed URLs are the right choice when access has to be restricted to individual files: each signed URL is valid for one object, so a vendor can be issued a URL for its own document and nothing else.

Option A is incorrect. Field-level encryption protects sensitive data (it encrypts selected form fields in POST requests at the edge so that only the application holding the private key can read them); it does not restrict who may retrieve a document.

Option B is incorrect. An origin access identity (OAI, now superseded by origin access control, OAC) only makes an Amazon S3 bucket origin reachable through CloudFront rather than directly. It does not apply to an EC2 custom origin, and it says nothing about which viewer may fetch which object.

Option D is incorrect. Signed cookies are the tool for granting one viewer access to multiple files or a whole path, for example a vendor's entire document folder, without signing every URL individually; they do not map naturally onto per-document grants.

For more information on the difference between signed cookies and signed URLs, refer to the following URL:

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-choosing-signed-urls-cookies.html

The appropriate setting that can be used with Amazon CloudFront to restrict access to individual project documents for specific vendors is "C. Use Signed URLs."

Signed URLs are a CloudFront feature that grants time-limited access to specific content. The document's URL is extended with query parameters: either an Expires timestamp (a canned policy) or a base64-encoded Policy document (a custom policy, which can also restrict the viewer's source IP range), a Signature, and the Key-Pair-Id of the public key CloudFront should use to check it. The signature is computed over the policy with the signer's private key; CloudFront verifies it with the matching public key from the distribution's trusted key group, so any change to the policy, the expiry time or the object named in it invalidates the URL, and once the expiry time has passed the URL stops working. Two caveats matter in practice. A signed URL is a bearer credential: anyone who obtains it, for example from a forwarded e-mail or a proxy log, can use it until it expires, so keep expiry windows short and add a source-IP condition where vendor address ranges are known. And the restriction is enforced only by CloudFront, so the EC2 origin must not be reachable directly; otherwise the signature check can simply be bypassed.

To use signed URLs to restrict access to individual project documents for specific vendors, the following steps can be followed:

  1. Create a CloudFront distribution with the EC2 instance (or the load balancer in front of it) as a custom origin, and lock the origin down so that documents cannot be fetched by going around CloudFront, for example with a security group that only admits the CloudFront origin-facing managed prefix list, or by having the instance require a secret custom origin header that CloudFront adds.
  2. Generate an RSA key pair (2048-bit). Upload the public key to CloudFront and add it to a key group; keep the private key only on the server that will sign URLs.
  3. On the cache behavior that serves the documents, turn on Restrict viewer access and select that key group as a trusted key group. From then on, requests for those paths without a valid signature receive 403.
  4. For each vendor and document, build a policy that names the document's URL as the resource, sets an expiry time and optionally limits the vendor's IP range, and sign it with the private key.
  5. Provide each vendor only the signed URLs for the documents it is authorized to access.

This way, only a vendor that has been given a signed URL can retrieve that specific document, and only until the URL expires.
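The following Go program is added here as a worked example of the signing step and of the tamper and expiry checks described above; it is not code from the original page or from AWS. It builds a custom-policy signed URL for one document and, as a stand-in for the check CloudFront performs at the edge, verifies it, so the behaviour can be observed offline. The distribution domain, document path, key-pair ID and vendor IP range are constructed placeholders, and the key pair is generated fresh in the program instead of being uploaded to CloudFront. In production the private key would stay on the signing server and you would normally call an SDK signer such as botocore's CloudFrontSigner rather than assembling the URL by hand.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// CloudFront custom-policy JSON; the compact bytes json.Marshal emits are what gets signed and sent.
type EpochTime struct{ Epoch int64 `json:"AWS:EpochTime"` }
type SourceIP struct{ CIDR string `json:"AWS:SourceIp"` }
type Condition struct {
	DateLessThan EpochTime `json:"DateLessThan"`
	IPAddress    *SourceIP `json:"IpAddress,omitempty"` // optional: only this viewer range may use the URL
}
type Statement struct {
	Resource  string    `json:"Resource"`
	Condition Condition `json:"Condition"`
}
type Policy struct{ Statement []Statement `json:"Statement"` }

// CloudFront's URL-safe base64: standard base64 with '+'->'-', '='->'_', '/'->'~'; cfDecode reverses it.
func cfEncode(b []byte) string {
	return strings.NewReplacer("+", "-", "=", "_", "/", "~").Replace(base64.StdEncoding.EncodeToString(b))
}
func cfDecode(s string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(strings.NewReplacer("-", "+", "_", "=", "~", "/").Replace(s))
}

func newKey() *rsa.PrivateKey { // demo key pair; in production the private key never leaves the signer
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// SignURL builds a custom-policy signed URL for exactly one object. resource is the object's
// full CloudFront URL without a query string; cidr may be "" to skip the source-IP condition.
func SignURL(priv *rsa.PrivateKey, keyPairID, resource string, expires time.Time, cidr string) (string, error) {
	st := Statement{Resource: resource, Condition: Condition{DateLessThan: EpochTime{expires.Unix()}}}
	if cidr != "" {
		st.Condition.IPAddress = &SourceIP{cidr}
	}
	raw, _ := json.Marshal(Policy{Statement: []Statement{st}}) // cannot fail for these plain types
	digest := sha1.Sum(raw)                                      // CloudFront signed URLs use RSA-SHA1, PKCS#1 v1.5
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%s?Policy=%s&Signature=%s&Key-Pair-Id=%s", resource, cfEncode(raw), cfEncode(sig), keyPairID), nil
}

// VerifyURL models the CloudFront edge check: verify the signature under the trusted public key,
// then enforce expiry and match the request URL to Resource ('*' wildcards and IpAddress omitted).
func VerifyURL(pub *rsa.PublicKey, signedURL string, now time.Time) (*Policy, error) {
	u, err := url.Parse(signedURL)
	if err != nil {
		return nil, err
	}
	raw, errP := cfDecode(u.Query().Get("Policy"))
	sig, errS := cfDecode(u.Query().Get("Signature"))
	if errP != nil || errS != nil {
		return nil, errors.New("Policy or Signature is not valid CloudFront base64")
	}
	digest := sha1.Sum(raw) // verify before trusting anything inside the policy
	if rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig) != nil {
		return nil, errors.New("signature invalid: URL forged or policy tampered with")
	}
	var p Policy
	if err := json.Unmarshal(raw, &p); err != nil || len(p.Statement) != 1 {
		return nil, errors.New("malformed policy")
	}
	st := p.Statement[0]
	if !now.Before(time.Unix(st.Condition.DateLessThan.Epoch, 0)) {
		return nil, errors.New("signed URL has expired")
	}
	u.RawQuery = ""
	if u.String() != st.Resource {
		return nil, errors.New("requested object is not the one this URL was signed for")
	}
	return &p, nil
}

func main() {
	priv := newKey() // placeholders below: demo domain, path and key-pair ID, not real resources
	doc := "https://d111111abcdef8.cloudfront.net/projects/vendor-a/spec.pdf"
	signed, _ := SignURL(priv, "KEXAMPLEKEYID", doc, time.Now().Add(15*time.Minute), "198.51.100.0/24")
	_, errA := VerifyURL(&priv.PublicKey, signed, time.Now())
	_, errB := VerifyURL(&priv.PublicKey, strings.Replace(signed, "vendor-a", "vendor-b", 1), time.Now())
	fmt.Println(signed, "\nvendor-a document accepted:", errA == nil, "\nedited to vendor-b:", errB)
}
```

The verifier checks the signature before it reads anything out of the policy, which is the order that matters: expiry and resource come from a document the viewer controls until the signature proves it was issued by the holder of the private key. Editing the path in a valid URL keeps the signature valid but fails the resource match, editing the policy (for example to extend the expiry) breaks the signature, and a URL signed with any other key is rejected outright.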

Option A, "Use Field Level encryption," is not appropriate for this scenario: field-level encryption encrypts specific sensitive fields of submitted form data at the edge so that only the application holding the private key can read them. It protects data passing through the CDN; it does not decide who may retrieve a document.

Option B, "Use OAI," or Origin Access Identity, restricts an S3 bucket origin so that it can only be reached through CloudFront. It does not apply to an EC2 origin, and it does not distinguish one viewer from another or one document from another.

Option D, "Use Signed Cookies," grants access to multiple restricted files or paths without a separate signed URL for each, which suits a portal where a logged-in vendor browses a whole folder. It is not needed here, where the requirement is per-document grants to specific vendors.