Content Security for CloudFront Distribution | AWS Certified Security - Specialty Exam Answer

Restricting Access to Specific Subscribers for HLS Video Files | AWS Certified Security - Specialty Exam Answer

Question

A team has set up a CloudFront distribution with a web application hosted on an EC2 Instance as the Origin point.

The Web application serves videos (HLS format) to various users.

There is a requirement that a certain section of files must be accessible only to a certain subscriber on the website.

Which of the following would you consider for this requirement?

Answers

Explanations

A. B. C. D.

Answer - B.

This is mentioned in the AWS Documentation.

Use signed cookies in the following cases.

· You want to provide access to multiple restricted files, for example, all of the files for a video in HLS format or all of the files in the subscribers' area of a website.

· You don't want to change your current URLs.

Option A is incorrect since this is used when you want to restrict access to individual files.

Option C is incorrect since CORS is used for access between domains.

Option D is incorrect since Lambda@Edge is an extension of AWS Lambda, a compute service that lets you execute functions that customize the content that CloudFront delivers.

For more information on choosing between signed URLs and signed cookies, see the following URL.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-choosing-signed-urls-cookies.html
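The following is an added example, not code from the AWS documentation or the exam source. It shows how one set of custom-policy signed cookies with a wildcard `Resource` covers every HLS playlist and segment under a path, while files outside that path stay out of scope. The domain, path, key ID and `demo_signer` are constructed placeholders; a real deployment passes a signer that produces an RSA-SHA1 signature with the private key trusted by the distribution.

```python
import base64, fnmatch, hashlib, json

_TO_CF = str.maketrans("+=/", "-_~")    # CloudFront's cookie-safe base64 alphabet
_FROM_CF = str.maketrans("-_~", "+=/")
BASE = "https://d111111abcdef8.cloudfront.net"  # placeholder distribution domain

def cf_b64(data: bytes) -> str:
    return base64.b64encode(data).decode().translate(_TO_CF)

def make_signed_cookies(resource, expires_epoch, key_pair_id, rsa_sign):
    """Build the three cookies for a custom policy. rsa_sign(bytes) -> bytes must
    be RSA-SHA1 (PKCS#1 v1.5) with the distribution's trusted private key."""
    policy = json.dumps(
        {"Statement": [{"Resource": resource,
                        "Condition": {"DateLessThan": {"AWS:EpochTime": expires_epoch}}}]},
        separators=(",", ":")).encode()
    return {"CloudFront-Policy": cf_b64(policy),
            "CloudFront-Signature": cf_b64(rsa_sign(policy)),
            "CloudFront-Key-Pair-Id": key_pair_id}

def policy_allows(cookies, url, now):
    """Scope check only (signature verification is omitted here): is the URL
    inside the policy's Resource pattern, and is the policy still unexpired?"""
    raw = base64.b64decode(cookies["CloudFront-Policy"].translate(_FROM_CF))
    stmt = json.loads(raw)["Statement"][0]
    in_scope = fnmatch.fnmatchcase(url, stmt["Resource"])  # approximates '*' and '?'
    return in_scope and now < stmt["Condition"]["DateLessThan"]["AWS:EpochTime"]

def demo_signer(message: bytes) -> bytes:
    # Constructed stand-in so the example runs offline. This is NOT an RSA signature.
    return hashlib.sha1(message).digest()

def demo():
    now = 1_700_000_000  # constructed "current time" (epoch seconds)
    cookies = make_signed_cookies(f"{BASE}/subscribers/course1/*", now + 3600,
                                  "KEXAMPLEKEYID", demo_signer)
    urls = [f"{BASE}/subscribers/course1/master.m3u8",        # playlist
            f"{BASE}/subscribers/course1/720p/seg_00042.ts",  # media segment
            f"{BASE}/subscribers/course2/master.m3u8"]        # different section
    return cookies, [policy_allows(cookies, u, now + 60) for u in urls]

if __name__ == "__main__":
    cookies, results = demo()
    print(sorted(cookies), results)
```

The application sets these cookies after the subscriber authenticates, so the player's existing playlist and segment URLs do not change.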

The requirement is to restrict access to a specific section of the video files on the web application to only certain subscribers. To achieve this, there are different options available that can be considered.

A. Use Pre-signed URLs: Pre-signed URLs are time-bound URLs that provide temporary access to specific S3 objects. In this case, the videos can be stored on S3, and the web application generates pre-signed URLs that are valid for a certain period of time and grant access to the specific video file. The pre-signed URLs can be configured to expire after a certain time, and only the intended subscriber will have access to the video for the duration of the validity of the URL.

B. Use signed cookies: Signed cookies can be used to restrict access to specific parts of the web application. When the subscriber logs in, the web application can generate a signed cookie that grants access to the specific video section. The cookie can be configured to expire after a certain time, and only the intended subscriber will have access to the video during the validity of the cookie.

C. Implement CORS: CORS (Cross-Origin Resource Sharing) is a mechanism that allows a web page to make XMLHttpRequests to another domain. While CORS can be used to restrict access to certain resources, it is not a suitable solution for this requirement as it does not provide user-specific access controls.

D. Use Lambda@Edge: Lambda@Edge is a service that enables running Lambda functions in response to CloudFront events. It can be used to modify the response headers or the content of the response itself. While it can be used to restrict access to specific resources, it is not a suitable solution for this requirement as it does not provide user-specific access controls.

Based on the requirement, options A and B are the most suitable solutions. Both pre-signed URLs and signed cookies provide time-bound access to the specific video section, ensuring that only the intended subscriber has access to the video. The choice between the two options depends on the specific requirements and constraints of the application.